Your Greatest Threat?
Underestimating Your Vulnerability
It is a risk no business owner or senior executive wants to think about.
Unfortunately, regardless of the industry or sector in which you participate, virtually nothing can paralyze or sink your business or organization faster than underestimating the impact of your cyber-security vulnerabilities.
The Scope of the Challenge
- A recent study indicated that 20 percent of all businesses and organizations suffer at least one cyber attack each year.
- Approximately 80 percent of these attacks target small and mid-sized organizations, which typically have the least comprehensive and effective cyber-security systems and protocols in place.
- Another recent study, this one by a leading anti-virus and cyber-security company, found that in 2020, global losses from cyber crime reached nearly $1 trillion (That is trillion with a "T") – this represented a 50 percent increase over the levels observed as recently as 2018.
- That study also found that organizations of all sizes across the world spent about $145 billion on cyber-crime prevention measures. Despite this scale of investment, of the more than 1,500 organizations that were surveyed as part of the firm's analysis, only four percent indicated that they had not been negatively impacted by a cyber attack during the 2019 to 2020 timeframe.
The Nature of the Risk
The greatest and most crippling types of cyber threats your organization faces are from malware, spyware and ransomware. These are malicious viruses and software programs that allow hackers to sabotage or conduct clandestine surveillance of your company's systems, data and communications – or in the case of ransomware, even adapt and re-configure those systems without your knowledge so as to capture your data and remotely gain control over your network's functioning.
Access to your system occurs when a hacker penetrates your internal or cloud-based networks through a hardware or software breach. Another source of these incursions involves hackers capitalizing on security protocol failures by your employees. These can include oversights as simple as employees overlooking the need to change their passwords periodically and their accessing your network from remote locations using insecure internet connections.
The end result can be the cyber criminal crippling your network, stealing company or organizational funds, and/or compromising the sensitive information of your clients, customers, patients, benefactors, partners and employees. Again, in the case of ransomware, the outcome can be equally if not more disconcerting – your network can be seized and your data held hostage pending payment of a significant ransom (in recent years, the average ransom paid per ransomware incident by small and mid-sized companies ranged from $200,000 to more than $400,000).
The Cost of Insufficient Vigilance
Without a doubt, the cost of a cyber security breach can add up financially. However, that is not the only negative impact. Your organization's capacity to function can be severely compromised, the result being a significant loss of productivity as well as the loss of new business and new growth opportunities.
Another casualty of a major cyber attack can be your brand and reputation. This is a consequence of those you serve losing confidence in your organization's competence. In fact, research shows that organizations that suffer data breaches – especially those that directly expose their clients, customers, patients and benefactors to significant cyber risk – ultimately lose significant measures of trust and goodwill with those constituencies. Over time, this translates into the diminution or loss of trust and goodwill with those relationships – and this happens regardless of how well or how responsibly an organization handles the breach and moves to protect the interests of those with which it works.
The Origins of the Threat
While many hackers directly target companies to identify systems and protocol vulnerabilities – often using techniques like email "phishing" campaigns that are designed to fool your employees into yielding critical technical and financial information that can provide network access – another major way in which such criminal activity is facilitated is through the "Dark Web."
On the "Dark Web," cyber criminals, many based in Russia, Ukraine, Germany, China, North Korea and the Middle East, sell, trade and share key data that can be used to compromise your systems. This data can include everything from your employees' company email addresses and usernames to their social security and company credit card numbers. Even your company's tax identification numbers, your IT security protocols, and critical banking data, including your bank account numbers, might be found on the Dark Web.
So what is the "Dark Web"?
The Dark Web is not a single place or location on the internet. It is a series of sophisticated, layered networks that leverage the architecture of the worldwide web. To access these networks, one needs specific types of software and even specialized systems and system configurations. In addition, each network, sub-network and its access points are password protected. These passwords are issued by criminals who only allow entry to those interested in "doing business" (buying and selling the type of data referenced above). To receive password access to one or more of these Dark Web networks, one must demonstrate status as a viable hacker or cyber criminal. This is to ensure that representatives from the global law enforcement community do not have access.
Once a hacker or cyber-criminal gains entry to your organization's internal or cloud-based network, perhaps by using information obtained on the Dark Web, a compromise or ransomware data abduction can be easily and quickly initiated.
Among the initiatives your company's IT department or IT consultancy may be able to undertake to enhance your cyber-security posture is a Dark Web analysis. This often can be accomplished by IT professionals you engage leveraging contacts they may have who have access to the Dark Web, which allows them to learn exactly what kinds of information about your organization can be found on its layered networks. When this kind of analysis can be undertaken, business owners and senior executives who lack knowledge or expertise in information technology are almost always shocked and dumbfounded to see the types of sensitive, proprietary and accurate information about their organizations that is available on the Dark Web.
The Challenge of Providing Protection
Unfortunately, even when a firm or organization has a competent internal IT team to manage its cyber-security needs, or has engaged a well-regarded external IT consultancy, the level of protection that is being provided is often wholly inadequate.
In many cases, an organization's IT professionals and external consultants cannot do an effective job of explaining and demonstrating the degree of cyber risk that may exist. There are a variety of reasons for this – but one is quite common. This is that IT teams are often managed and directed with a tactical rather than strategic orientation. In short, they tend to operate in a vacuum, keeping the organization's systems running and maintained, but not having a seat at the table when important, organization-wide decisions are being made. As a result, the IT team often lacks the access and voice necessary to fully educate and inform senior leadership about the true nature of the cyber risk that is being carried. A further complicating factor is that many senior executives, especially those with little IT knowledge or experience, are frequently lulled into a false sense of security about their organization's potential to be victimized by cyber criminals because of their own ignorance.
A Game Plan for Managing Cyber Risk
Fortunately, about 96 percent of all cyber attacks are preventable – and there are four steps an organization can take to harden itself against cyber crime – the ultimate goal being to employ a rigorous, robust and multi-layered defensive strategy.
Step 1: Acknowledge and Understand the Threats
As was explained earlier, cyber-security experts are often perplexed by the degree to which business owners and senior managers of smaller and mid-sized organizations under-estimate, or are ignorant about, the nature and scope of the cyber threats they face.
Many organizations believe that simply by employing anti-virus software they have mitigated their cyber risk. However, while malware such as viruses can cause network damage and data loss, resulting in significant loss of productivity, the larger threat most organizations face stems from data compromise and/or capture, and anti-virus software will rarely prevent such incursions.
This means the first step in developing a comprehensive cyber-security defense is understanding the scope and scale of your vulnerabilities. This can be accomplished by engaging a qualified IT consultancy to conduct an objective and comprehensive, "deep dive" security analysis on your systems and IT protocols. This should include the use of "live-fire" incursion scenarios that are designed to mimic those hackers and cyber criminals are likely to employ when attacking your organization.
As was also explained earlier, another step in the process is conducting a Dark Web analysis of your firm to establish the types of sensitive information about your organization that are available to cyber criminals. Once these analyses have been completed and the conclusions have been synthesized for reporting to ownership and/or senior management, it is very important to quantify the nature of the risks that are being carried – and specifically their potential financial, operational and reputational costs. Understanding these costs is necessary because it is often the only way to convince key decision makers to take the actions that are needed to address the cyber risks they face. From a management perspective, it also creates unmistakable strategic linkage between your IT function and your broader operations – thus elevating and demonstrating the importance of ensuring that your internal and/or external IT team has a seat at the table when issues of organizational direction and prioritization are being debated and addressed.
Step 2: Formulate the Cyber-Security Strategy and Plan
Once your cybercrime vulnerabilities have been identified, the next step is devising an "inside-out" strategy for managing and mitigating them. This requires carefully and thoughtfully prioritizing your vulnerabilities based on their potential for causing organizational disruption or loss.
The ultimate goal of any cyber strategy is to build layers of protection, or barricades, that make it increasingly difficult for hackers to penetrate and exploit critical data and network functionalities. For instance, suppose one of your primary cybercrime business vulnerabilities is the challenge that could ensue if hackers penetrated your systems and gained access to sensitive financial information you maintain on your client and customer relationships.
In this case, the primary goal would have to be insulating that information by identifying all of the methods and avenues that could be utilized to access it internally, externally and otherwise without your authorization. Among other things, this could include limiting the number of employees from within the organization who have access to the information; employing multi-factor authentication before that access can be initiated; and establishing internal guidelines that strictly govern the locations and methods from which that information can be accessed (for instance, only from company locations or over secure Virtual Private Networks maintained and secured by the company).
This is what is meant by employing an "inside-out" strategy. In short, sound cyber security entails keeping key data and access to it within the core of your security strategy and then building concentric security layers (fortifications) around it using a variety of software and hardware applications as well as operational and functional protocols.
Step 3: Choose and Implement the Cyber-Security Tools and Protocols
Depending on the nature of your business, or the focus of your organization, the cyber-security platform you put in place to manage your cyber risks can vary dramatically. However, the range of options to be considered should include all of the following.
- Integrated System Security: As was referenced earlier, the foundation of your cyber-security strategy should be a comprehensive, "deep dive" assessment of your vulnerabilities and your readiness to repel incursions and attacks. In addition to a routine review of your network capabilities and organizational protocols, this assessment should include "real time" hacker incursion simulations and a quantification of the costs and consequences that could be associated with a significant cyber attack.
- Password Protocols: Again, stealing and utilizing employee passwords to penetrate your internal or cloud-based networks is one of the common ways in which skilled hackers ply their trade. As a result, it is important to have organizational requirements in place for employees to change their passwords on a scheduled basis, and to always do so using highly secure methods. It also is important to ensure that employees can only establish and use passwords that meet extremely high "strength" standards – meaning they are difficult for hackers to guess or reproduce.
- Spam Email: Phishing email campaigns that seek to fool or trick employees, clients, customers, patients or benefactors into disclosing sensitive information, like Social Security numbers, employee ID numbers and even different types of corporate banking account information and network usernames and passwords, are among the most common methods cyber criminals employ to initiate security breaches. Utilizing sophisticated filtering software to identify, isolate and quarantine spam, and establishing company procedures for handling potential phishing emails, are therefore extremely important measures for any company or organization to take when seeking to strengthen its security posture.
- Cyber Attack Awareness: Employees' understanding and awareness of the potential nature of the cyber attacks to which an organization might be subjected, and the manner in which hackers may seek to manipulate them to obtain the information they need to penetrate an organization's internal or cloud-based networks, is one of the most important ways to secure a company's systems and data. Consequently, another important part of any cyber-security strategy is educating and informing employees about the threat of cyber crime and the roles they can play in preventing it.
- Software and Hardware Updates: Having the processes and procedures in place to ensure that hardware and software updates, both at a network and individual user level, are triggered on an automatic and consistent basis is an important part of an effective cyber-security strategy. This is because such updates are often precipitated by the companies that provide the software and hardware after they learn their products may be vulnerable to new and evolving cyber threats.
- Multi-Factor Authentication: One of the most effective ways of barricading your company's key data to prevent incursion or abduction is utilizing multi-factor authentication. This entails employing a layered set of protocols, beyond the use of simple usernames and passwords, to ensure that access to your systems and data is secure. Among other techniques, multi-factor authentication can include emailing or texting security codes to your users and requiring that these codes be submitted to a portal before network access is provided. Such techniques can be used to enhance the security of internal networks, cloud-based networks and even your organization's employee portal, its social media and web platforms, and any third-party networks to which you connect – like those maintained by your bank or insurer.
- Dark Web Analysis: As was referenced earlier, a "Dark Web" analysis is an important step in determining the degree to which cyber criminals have access to the type of sensitive information they need to penetrate and exploit your organization.
- Virus, Malware Protection: Preventing your systems from being compromised by viruses and malware is important because these malicious software programs can curtail organizational productivity and facilitate malicious and unwanted access to your systems and data in the future. Initially, these programs may remain latent and undetected, but when activated at a later time, they can create breaches that cyber criminals can exploit to steal data and hold your organization hostage. The best way to prevent such occurrences is to have a robust and integrated suite of anti-virus and malware software installed on your networks and all of the individual devices your employees use to access your networks.
- Web Gateway: Ensuring that the methods your employees utilize to access the web are safe and secure, and otherwise mitigating internet and email threats before they infect your organization, are essential for ensuring system security. Evaluating these methods and imposing security protocols on them is therefore a key consideration for any organization.
- SIEM/Log Management: Tracking and logging all network activity and consistently monitoring potential security-related events is another way to neutralize advanced cyber threats and to meet legal and compliance requirements – like maintaining the confidentiality of customer, client or patient information. This requires employing a systems overlay that enables an organization to know how and when its network is being accessed and used and by whom.
- Mobile and Remote Device Protection: One particularly important, but often overlooked, security vulnerability that organizations need to manage is the degree to which employees' mobile devices have robust security. Again, this includes any device that will be used to access the organization's networks, including employees' smart phones, tablets, laptops and remote work stations.
- Encryption: Encryption of data that is originating from, or being accessed through, an organization's network is important for ensuring that it travels safely to and from its intended destinations. Deploying encryption software adds another key layer of protection to your network and critical data.
- Firewall Protection: The ultimate barricade for your systems and data is your firewall. It is therefore extremely important to ensure the strength and impenetrability of your firewall infrastructure – as well as its overall capacity to thwart new types of threats from cyber attackers.
- Data Warehousing and Backup: Finally, if your firewall is your first line of defense against cybercrime, where and how you hold your data and how you ensure that it is backed up is equally important because these are the keys to ensuring your ability to quickly and efficiently resume functionality following a cyber attack. In the case of a ransomware attack, these measures may be particularly important because if your backup is properly configured, you may be able to avoid paying the ransom altogether. Regardless of whether your systems and data are internal or in the cloud, the security of your data, your ability to store and back it up offsite, and your ability to do this with great regularity and optimal frequency are important considerations to be addressed in the context of any cyber security strategy.
According to IT-sector research, the average cyber attack on a small to mid-sized business results in downtime equivalent to at least three and a half days. In most cases, the total cost of implementing an effective cyber security strategy is less than the value of that lost productivity. Furthermore, that estimate of cost does not account for the damage a breach can do to an organization's reputation and brand, in general, or to the stability and longevity of the relationships it maintains with customers, clients, patients and benefactors. Likewise, in the case of a ransomware attack, it does not include the cost of the ransom that inevitably must be paid in order to regain access and control over one's systems and data. By some estimates, and depending on the nature of the breach and the type of company or organization that has been victimized, the average ransom paid by small and mid-sized companies to ransomware perpetrators ranges from a low of $200,000 per incident to more than $400,000.
In short, implementing an integrated cyber-security strategy is a highly cost-effective alternative and one any business owner or senior executive should make a high priority.
Step 4: The Process of Staying Abreast of Cyber-Security Threats
The final step in the process of instituting a rigorous and robust cyber-security strategy is keeping it up to date. This requires an ability to monitor developments in cyber-related criminal activity as well as the options and techniques being developed and employed to blunt or mitigate them. This is yet another reason to ensure that your IT team, whether it be internal, external or a combination of both, is well represented when strategic discussions about the priorities and direction of your organization are taking place.
“A strong IT team will, as a matter of course, remain vigilant in tracking new types of cybercrime and the approaches that are being utilized to combat them. Organizations that do a good job of protecting themselves from cyber exploitation inevitably also make the process of collecting, analyzing and using this kind of market intelligence a core responsibility of their IT teams. They also empower those teams to provide ownership and senior management with the threat analyses they need to make informed decisions about how to protect their systems and data on a go-forward basis.”
Mike Sullivan, Cyber-Security Specialist, ACS Services, Inc.
In closing, the most important advice one can offer an organization about managing cyber risk is that the greatest threat is underestimating your vulnerability. When it comes to managing cybercrime, knowledge is power and being proactive about anticipating, quantifying and preparing to respond to threats is the best way to wield it.
Mike Sullivan is a cyber-security expert who provides counsel and advice to ACS' clients on that topic and who also provides them with a broad range of virtual CIO (Chief Information Officer) services.