Creating a culture of cybersecurity means bringing awareness, providing training, and instilling … [+]
Creating a strong cybersecurity infrastructure is becoming a top priority for businesses around the world. Since shifting to remote work, cybersecurity attacks have drastically increased costing businesses millions of dollars. An IBM 2020 report found that it takes a company an average of 280 days to identify an attack and contain it. This causes companies to experience disruption, limited operational ability, reputational damage, and legal consequences.
Most companies believe they’re not at risk because they don’t view their data as valuable. Thus, they overlook the importance of having cybersecurity measures in place. This ends up costing them more than what they would’ve spent if they proactively invested in a cybersecurity preventative plan.
As witnessed with the recent Kronos ransomware attack, one of the largest payroll providers, it can take weeks or months to restore services. Ransomware attacks are one of the most common and expensive threats an organization faces costing businesses on average $4.44 million. This is because attacks not only impact the targeted company but everyone who uses their service or is connected to their database. Kronos admitted they’re unsure when they’ll be able to restore services for its customers. As such, they’re urging their customers to look for other payroll providers. Consequently, thousands of companies are struggling to pay their workers due to not being able to access their Kronos HR software. Thus, they’re forced to estimate employee hours and resort to manual time-tracking methods.
Here are four ways companies can strengthen their cybersecurity measures to prevent an attack.
Create A Backup Plan To Diversify Sensitive Information
The majority of companies have moved from storing their data on-premise to implementing private cloud storage solutions. Due to the rapid adoption of remote work, more companies are migrating their data to the cloud. While cloud services are a cheaper and more efficient alternative to storing data, companies need to ensure they have security measures in place with encryption protocols. Doing so makes hacking a laborious task that deters malicious actors from accessing company data. The goal of malicious actors is to gain access to confidential and sensitive data that allows them to commit fraud, identity theft, or demand ransoms in exchange for returning the data, to name a few.
MORE FOR YOU
Some types of data that hackers are particularly interested in are:
- Personally Identifiable Information (PII) such as salary data, social security numbers, birth dates, information relating to employee’s dependents, employee records, and more
- Client/Customer details such as credit card information
- Confidential business information such as credit card information, passwords, programs, using the company’s system to attack other computers, financial information, and more
Attacks can occur in the form of:
- Phishing
- Ransomware
- Malware (viruses, Trojans, spyware)
- Denial of Service Attack (DOS)
Eden Cheng, co-founder of PeopleFinderFree, emphasized, “diversification is essential when it comes to data storage. Supplemental data backups help to protect businesses should anything happen to primary data sources.” She explained, “this involves keeping at least three copies of data, with two being stored on separate media formats like an immutable storage bucket as well as cloud storage servers. The third copy is either stored off-site/off-line using hard drives, or by simply using a different cloud-storage vendor. This ensures that business operations continue to flow uninterrupted, while also removing the risk of sabotage that could destroy all of your backups.”
Prioritize And Increase Cybersecurity Efforts
A common misconception companies have is that cybercrimes are only committed by external actors. However, data shows that 64% of cyberattacks come from internal sources. This is due to unauthorized individuals having access to privileged information, not being trained on how to recognize phishing attempts, a poor or nonexistent culture of cybersecurity, and cybercrimes not being taken seriously.
An effective cybersecurity plan isn’t the sole responsibility of the IT department. It’s the collective effort of everyone. Everyone, regardless of position or title, plays a key role in keeping the organization and confidential client information safe. The more secure and proactive companies are in preparing for an attack, the better they’ll be able to handle it. In an ideal world, a company wouldn’t face attacks, but cybercrime has increased drastically since the start of the pandemic and will only continue to rise as technologies evolve.
Here are things a company should consider when creating their cybersecurity infrastructure:
- An Incident Response Team that includes team players such as IT, legal counsel, HR, and a communications director, to name a few
- A preventative plan that includes a process on how to approach an attack rather than scrambling last minute to respond only costs companies more time
- Establish a communication plan to notify those impacted, what happened and what the company is doing to mitigate the attack. Those that should be notified include the board, clients, employees, and vendors.
- Reference NIST as they build their cybersecurity infrastructure
- Invest in a cybersecurity insurance policy
- Hire a cybersecurity expert to conduct a thorough audit of all systems, identify weaknesses and gaps, and make recommendations. They’ll also be able to categorize systems based on their level of risk.
- Ensure there’s a backup plan in place rather than fully relying on third-party vendors
Evaluate Their Vendors And Third-Parties
As Kronos demonstrated, third-party vendors are susceptible to vulnerabilities. For this reason, companies should do their due diligence to ensure the vendors they work with have strong data privacy and security measures in place as well as a cybersecurity infrastructure. They can do this by first identifying all of the vendors they work with, learning what cybersecurity measures those vendors currently have in place and setting up a plan to evaluate and assess vendors frequently.
When hiring a cybersecurity expert, companies should do their due diligence to verify that the individual they intend to hire is indeed qualified through certifications and experience. The worst thing a company can do is hire the cheapest cybersecurity professional without considering their reputation or credentials.
Build A Culture Of Cybersecurity
Creating a culture of cybersecurity is a deliberate and intentional approach where every worker is aware of their responsibility in keeping the company secure. This is more than implementing policies. It’s ensuring each employee is doing their part to prevent breaches, leaks, and attacks by training and educating workers on how to report threats and attacks, and keep equipment and devices secure.
Lockheed Martin does an incredible job at creating a culture of cybersecurity through the implementation of its “Red Team.” The purpose of the Red Team is to conduct cybersecurity assessments. This is done by simulating attacks against employees to see how they respond and to test the effectiveness of the company’s network security. Employees who click unrecognized email attachments or links sent by the disguised red team member will be redirected to cybersecurity training to refresh their knowledge on how to protect data.
