A lot of businesses are still not focusing on their cybersecurity posture. Unfortunately, today’s threat landscape is continuously evolving, and companies shouldn’t make security an afterthought. Long gone are the days when installing and configuring a firewall was enough to protect the company’s data and network. Today, the Information Technology (IT) and Information Security (IS) departments also need to worry about application security, vulnerability management, human error, etc.
Who are the victims
One possible reason why businesses, especially small businesses, are not focusing on cybersecurity is that they believe they’re not a target for cybercriminals. This assumption is far from the truth. Cybercriminals cast a wide net when choosing whom to target, and small and medium-sized businesses (SMB) are not immune to cyberattacks. In fact, out of the 53,000 incidents and 2,216 confirmed data breaches, 58% of the victims are categorized as small businesses [1].
Cost of an attack
Another possible reason why small businesses aren’t focusing on improving their cybersecurity is the lack of budget. Allocating limited resources to cybersecurity is a challenge, but it’s vital to keep in mind what a cyberattack costs the business. According to Hiscox, an insurance provider, small businesses estimated the average cost of security incidents in the last 12 months at $34,604. For companies with more than 1,000 employees, the average was $1.05 million annually [2]. Keep in mind that these numbers cover only direct costs. There are indirect costs as well, such as lost customers, damaged brand reputation, etc.
Improving your cybersecurity
While the data presented is frightening, there are, luckily, ways for businesses to improve their cybersecurity. Here are some of the things that companies should do to strengthen it.
Identify and classify your data
Identifying the types of data that your company processes, stores, and transmits is the key to knowing what to protect. These types of data could be one or more of the following: Personally Identifiable Information (PII), Protected Health Information (PHI), intellectual property (IP), etc.
The next step after data identification is data classification: the process of categorizing types of data based on their level of sensitivity, value, and criticality to your company. This step determines how many resources the business should invest in protecting each category.
The military’s data classification scheme is a good example. It has five levels: top secret, secret, confidential, sensitive but unclassified, and unclassified. Depending on the data, disclosure may or may not pose a threat to national security. Applying a similar concept to your company will help you prioritize what to protect.
Manage hardware and software assets
Taking an inventory of authorized hardware and software assets is another necessary step in improving your company’s cybersecurity. Having a complete list of both kinds of assets enables IT or IS to track unauthorized hardware and software and prevent it from connecting to or executing on the network.
Actively managing assets also makes it easier to plan the replacement of aging hardware, and to track which software needs an update or upgrade, which is crucial in thwarting cyberattacks.
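The reconciliation described above, as an added example that is not part of the original post: an observed inventory (for instance, the output of a network scan or an endpoint agent) is compared against an authorized baseline to surface unknown devices, software that is not on the approved list, and approved software that has fallen below the minimum version. The baseline, the observed hosts, the MAC addresses and the version numbers are all constructed sample data, and the data shapes are assumptions chosen for illustration.

```python
"""Reconcile an observed asset inventory against an authorized baseline.

Added example (not part of the original post): the baseline and the
observed inventory below are constructed sample data, and the data shapes
are assumptions for illustration. A real deployment would pull the observed
list from a network scan or an endpoint agent and the baseline from a CMDB.
"""
from dataclasses import dataclass

# Constructed baseline: hardware allowed on the network, keyed by MAC address.
AUTHORIZED_HARDWARE = {
    "00:11:22:33:44:01": "fileserver-01",
    "00:11:22:33:44:02": "laptop-alice",
    "00:11:22:33:44:03": "printer-2f",
}

# Constructed baseline: approved software and the minimum acceptable version.
# Anything below the minimum is flagged as needing an update.
APPROVED_SOFTWARE = {
    "openssh": "8.4",
    "nginx": "1.20.1",
    "libreoffice": "7.0",
}


@dataclass(frozen=True)
class ObservedHost:
    hostname: str
    mac: str
    software: dict  # package name -> installed version string


def parse_version(version: str) -> tuple:
    """Turn '1.20.1' into (1, 20, 1) so versions compare numerically.
    Trailing non-numeric text in a segment (e.g. '8.4p1') is ignored."""
    parts = []
    for segment in version.split("."):
        digits = ""
        for ch in segment:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def unauthorized_hardware(observed, authorized=AUTHORIZED_HARDWARE):
    """Hostnames seen on the network whose MAC is not in the authorized list."""
    return sorted(h.hostname for h in observed if h.mac not in authorized)


def unauthorized_software(observed, approved=APPROVED_SOFTWARE):
    """(hostname, package) pairs for software that is not on the approved list."""
    findings = []
    for host in observed:
        for name in host.software:
            if name not in approved:
                findings.append((host.hostname, name))
    return sorted(findings)


def outdated_software(observed, approved=APPROVED_SOFTWARE):
    """(hostname, package, installed, minimum) for approved software that is
    installed at a version below the baseline minimum."""
    findings = []
    for host in observed:
        for name, installed in host.software.items():
            minimum = approved.get(name)
            if minimum and parse_version(installed) < parse_version(minimum):
                findings.append((host.hostname, name, installed, minimum))
    return sorted(findings)


# Constructed sample of what a scan of the network might report.
OBSERVED = [
    ObservedHost("fileserver-01", "00:11:22:33:44:01",
                 {"openssh": "8.4p1", "nginx": "1.18.0"}),
    ObservedHost("laptop-alice", "00:11:22:33:44:02",
                 {"libreoffice": "7.3", "openssh": "8.9"}),
    ObservedHost("unknown-device", "de:ad:be:ef:00:01",
                 {"torrent-client": "3.1"}),
]


def reconcile(observed=OBSERVED):
    """Run all three checks and return them as one report dictionary."""
    return {
        "unauthorized_hardware": unauthorized_hardware(observed),
        "unauthorized_software": unauthorized_software(observed),
        "outdated_software": outdated_software(observed),
    }


if __name__ == "__main__":
    for category, items in reconcile().items():
        print(f"{category}:")
        for item in items:
            print("   ", item)
```

Keying hardware by MAC address is the simplest form of the check and is only a first line of defense, since a MAC can be changed; pairing it with switch-port or 802.1X data tightens it. The version comparison is deliberately numeric rather than a string comparison so that "1.20.1" is correctly judged newer than "1.9.0".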
Security awareness training
There is a saying that a chain is only as strong as its weakest link. In cybersecurity, when the security controls are strong, the weakest link in the chain is oftentimes human.
There were 1,712 security incidents and confirmed data breaches that resulted from phishing and pretexting [1]. While this is a small percentage, it is still a problem that companies must address. Social engineering attacks, such as phishing and pretexting, can be lessened with proper security awareness training.
The training program must also cover other types of social engineering attacks, as well as physical security, passwords, computer security, malware, etc. All employees must take the training, and it should be part of your onboarding process. A well-designed program is interactive and relevant to employees’ day-to-day functions and personal lives.
Protect your data and IT infrastructure
There are a lot of ways to protect your data and IT infrastructure. This topic could fill a series of blog posts, so we’re only going to touch on a few of them.
Cybercriminals used malware in 30% of the incidents and confirmed breaches [1]. That said, companies must invest in endpoint security. Gartner splits endpoint security into two markets: Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR). To quickly summarize the difference between the two, EPP is preventive and mostly signature-based, while EDR is preventive and forensic.
The current buzzwords in endpoint security (and, technically, in other industries as well) are machine learning (ML) and artificial intelligence (AI). While machine learning in the endpoint security space can help, a model is only as good as what it has been trained on: it requires a massive amount of data to distinguish whether a specific behavior is malicious or not. That said, don’t pick a vendor just because it has machine learning baked into its product. Machine learning alone doesn’t catch malware.
There are still a lot of networks out there that only protect the perimeter. Unfortunately, perimeter defense is an old way of doing things. This type of network protection is often called hard outside, soft inside. Think of the Trojan Horse story from the Trojan War: once the enemies were inside, they were able to wreak havoc because security was focused on protecting the perimeter. Today’s approach is Zero Trust Architecture, where you take the “never trust, always verify” approach.
The WannaCry ransomware, which affected over 200,000 computers, is a perfect example of malware that exposed the network security weaknesses of companies. Once the malware was inside, it was able to infect other computers on the network. Of course, the malware also exposed the vulnerability management practices of those companies.
Businesses need to protect their data. One of the ways they can do this is by backing up their valuable data. Without data backups, companies could suffer data loss because of hardware failure, file deletion, malware, etc.
Some of the businesses that were infected by WannaCry paid ransom money to get their data back. If they had had a good data backup strategy, they wouldn’t have had to pay the ransom and could have recovered quickly.
Multi-factor authentication (MFA)
Out of 55,216 incidents and breaches, there were a total of 823 in which cybercriminals used stolen credentials [1]. While it is a small percentage, it is still happening and must be addressed.
Cybercriminals use multiple methods to acquire credentials, one of which is phishing campaigns. While security awareness training will help, there will still be people who fall for them. To mitigate the impact of stolen credentials, enabling multi-factor authentication (MFA) on all applications and systems is key.
Every week, if not every day, software vulnerabilities are discovered. Some discoveries are responsibly reported to the vendor, but some are used for zero-day attacks. Periodically scanning for vulnerabilities will reveal security risks, which should be addressed promptly before they result in an actual compromise.
Keeping software up to date is another vital piece of improving your cybersecurity. Not applying the latest updates to the software that runs on your network is essentially inviting cybercriminals to breach your company. Cybercriminals are still successfully exploiting known software vulnerabilities. In fact, the Equifax hack that happened in May 2017 was due to unpatched software running on a public-facing server [3].
Having preventive controls is great, but we have to keep in mind that nothing is 100% secure. That said, your company’s cybersecurity solutions should include monitoring to detect and respond to security threats, incidents, and breaches.
Oftentimes, it only takes minutes (or less) for cybercriminals to compromise a system. Unfortunately, 68% of breaches took months or longer to discover. In many cases, it’s not even the company itself that discovered the breach [1]. Don’t let your company be one of them.
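The kind of monitoring the two paragraphs above call for, as an added example that is not part of the original post: a small detection run over authentication logs that raises an alert when a single source produces a burst of failed logins and then succeeds, the footprint that stolen or guessed credentials leave behind. The log lines, IP addresses, usernames and the syslog-like line format are constructed for illustration and are assumptions, not data from the post or from any real system; the same logic applies to any authentication log once it is parsed into (timestamp, source, user, outcome) events.

```python
"""Detect a burst of failed logins followed by a success from the same source.

Added example (not part of the original post): the log lines below are
constructed, and the log format is an assumption chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simple syslog-like shape (assumed format).
SAMPLE_LOG = """\
2023-03-01T08:00:01 auth: FAILED user=alice src=203.0.113.5
2023-03-01T08:00:03 auth: FAILED user=alice src=203.0.113.5
2023-03-01T08:00:04 auth: FAILED user=bob src=203.0.113.5
2023-03-01T08:00:06 auth: FAILED user=carol src=203.0.113.5
2023-03-01T08:00:07 auth: FAILED user=dave src=203.0.113.5
2023-03-01T08:00:09 auth: SUCCESS user=dave src=203.0.113.5
2023-03-01T08:05:00 auth: FAILED user=erin src=198.51.100.7
2023-03-01T08:05:30 auth: SUCCESS user=erin src=198.51.100.7
2023-03-01T09:00:00 auth: SUCCESS user=alice src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<outcome>FAILED|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse log text into (timestamp, source, user, outcome) tuples,
    skipping lines that do not match the expected format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"],
                       m["user"], m["outcome"]))
    return events


def find_suspicious_logins(events, threshold=4, window=timedelta(minutes=5)):
    """Return one alert per successful login that was preceded, from the same
    source, by at least `threshold` failures within `window`.

    Each alert is (time_of_success, source, user, failed_attempts,
    distinct_users_tried). Many distinct usernames from one source is what
    separates credential stuffing or password spraying from a legitimate
    user who simply mistyped a password a few times."""
    failures = defaultdict(list)  # source -> [(timestamp, user), ...]
    alerts = []
    for ts, src, user, outcome in sorted(events):
        # Forget failures that have fallen outside the window for this source.
        failures[src] = [(t, u) for t, u in failures[src] if ts - t <= window]
        if outcome == "FAILED":
            failures[src].append((ts, user))
        elif len(failures[src]) >= threshold:
            alerts.append((ts, src, user, len(failures[src]),
                           len({u for _, u in failures[src]})))
            failures[src].clear()  # one alert per burst, not one per success
    return alerts


def run(text=SAMPLE_LOG):
    """Parse the sample log and return the alerts it produces."""
    return find_suspicious_logins(parse_events(text))


if __name__ == "__main__":
    for ts, src, user, attempts, users in run():
        print(f"{ts.isoformat()} {src}: {attempts} failures across {users} "
              f"accounts, then successful login as {user}")
```

The single legitimate-looking case in the sample (one failure, then a success from 198.51.100.7) stays below the threshold and produces no alert, which is the point of a threshold and window rather than alerting on every failed login. An alert like this is a prompt to verify the session and the account, and MFA on the affected system is what keeps the successful login from being a compromise in the first place.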
There’s no silver bullet in cybersecurity, and no product or solution is going to give you 100% protection. What companies can do is reduce the attack surface, mitigate security risks, educate employees about cybersecurity, and be able to detect and respond quickly to security threats, incidents, and breaches.
NetworkJutsu provides networking and network security consulting services for startups, more established small and medium-sized businesses (SMB), and large businesses throughout the San Francisco Bay Area.
[1] Verizon 2018 Data Breach Investigations Report
[2] Hiscox Small Business Cyber Risk Report
[3] Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach