No organization can be truly secure if it doesn’t have a culture of cybersecurity.
Companies that get breached can be shut down by attackers. They can be extorted. They can be fined. They can be shunned by the media and then by existing and future customers. If they have cyberinsurance, they can see their rates skyrocket. They can further be marked as targets for future attacks. They can also have their workplace disrupted so productivity is destroyed.
Just one piece of malware, NotPetya, was responsible for over $10B of losses based solely on public disclosures from the companies that were hit. Those companies could have protected themselves against it had they taken the proper precautions.
The fines for hiding breaches are beginning to get serious as well. Yahoo! hid its major data breach for nearly two years. As a result, it lost $1B in value when it was acquired by Verizon and the news emerged. Today it was fined an additional $35M by the SEC. More fines may be forthcoming.
Cybersecurity breaches are costing global business hundreds of billions of dollars per year. Some of this money funds organized crime, nation-states and terrorist organizations like ISIS. If you pay the ransom and it goes to an organization like ISIS, there could even be potential liability on your part. We asked the FBI about this but still haven’t heard back from them. But obviously you want to err on the side of caution and not be in a position where you need to pay.
Jeremy Swinfen-Green writes a great piece for the Global Cybersecurity Alliance discussing how a company needs to go about protecting itself.
Part of what a company needs to do is determine what needs protecting and what it needs to protect against. This is a simpler way of explaining the complex ideas in cybersecurity white papers from FINRA, NIST and the FCC.
In our experience, cybersecurity training is crucial to ensure workers are aware of the ways they can be inadvertently responsible for major data loss or company systems being shut down. In our informal surveys, 30-50% of workers said they would pick up a memory stick marked "important" near their home or office and plug it into their computer to see what was on it.
Generally, this is all that's needed for an attacker to get onto the computer and the network, steal the data, and install ransomware that locks down all the computers or deletes all the information on the computers and servers.
This is simply one attack vector… There are hundreds of ways to get into your corporate systems.
A cybersecurity culture needs to be created in every organization. Frequent cybersecurity training is a great way to achieve this.
Companies also need to have their systems audited and documented by an outside organization, have a penetration test performed regularly, and run anomaly detection continuously. A backup appliance for business continuity needs to be running, with duplicate copies on-premise and in the cloud.
The worst things we have come across, in order, are companies that do no backups, companies that keep just one day's worth of backups, companies that back up only to a local hard drive, and companies using a low-budget backup service that keeps data only in the cloud and doesn't immediately ship the entire data set on a hard disk when needed. As a result, it can take one or more weeks to download a large archive.
During such a week, workers potentially aren’t able to work at all.
It is getting very difficult to protect against the hackers around the world looking to steal data and shut your company down. It is truly something you can’t wing. Even the best internal teams can forget something. There should always be an outside organization double-checking your systems to ensure they are secure.
The goal is to ensure that the second set of eyes that spots a hole in your systems works with you to fix it, instead of stealing your data and selling it on the dark web.
Global regulations are also on their way. GDPR comes into force in one week, as we recently covered. The fines for leaking data can be in the tens of millions of dollars. Insurance alone isn't the answer. Many companies are amending their policies and hoping that's all they need to do. Rest assured, those breached are going to be in very serious trouble if they can't show they have taken extraordinary measures to be secure.
This is the time to take stock of the situation that all business is in. We are all vulnerable and need experts to help shore up our systems to protect them from threats which grow by the day.
The ROI you will achieve is greater profitability from not having a breach take place in your organization. Buying the alarm system after the break-in still makes sense but it makes a lot more sense to do it before the initial incident.
To ensure an organization is safe, even one with internal IT, it needs to hire an experienced MSP or MSSP like Apex Technology Services. The company acts as an outsourced CISO and has experience helping numerous financial companies, including the Fortune 200.
FINRA, NIST and the FCC put out white papers all the time about how to protect yourself. In our experience, most companies do not read these documents, and their internal IT teams don't take them seriously. This is a huge mistake and likely part of the reason there are so many breaches. Be sure you pick a partner with knowledge of and experience in industry best practices.