Recently, the White House and numerous states such as Connecticut have begun to focus on cybersecurity threats and specifically what government and business must do to stay protected.
In a rare bipartisan move, a bill was introduced on June 19 to create a council that would have responsibility for evaluating supply-chain risks that could impact national security.
In other words, the state of U.S. cybersecurity is so bad, our government has actually come together to try to solve it.
The problem is growing as the number of devices is expanding. Automakers are beginning to deal with attacks which are coming to vehicles via OTA or over-the-air updates. Hackers are also able to hack a car by using the key app on the owner’s phone.
Yet business owners are busy and even multibillion-dollar publicly traded companies are being hacked at record rates. In one recent case, ransomware cost a company over a million dollars.
Yet, the biggest threat for companies is employee negligence or mistakes.
According to CNBC:
In 2017, data breaches cost companies an average of $3.6 million globally, according to a separate report from the Ponemon Institute.
For smaller businesses especially, that price tag could wipe out the entire firm. For a company of any size, a data breach can also cheapen a company's brand and negatively impact their ability to do work, according to Shred-it.
Many companies don’t have solid policies in place and do not perform training to create a cybersecurity culture within their organization.
In order to get the business leader or boss to understand the need to focus on cybersecurity, Knowledge, fear, and a little bit of manipulation are required according to Info Security Magazine.
The article continues:
Is your security initiative something that can help increase revenue? Do you have customers who are asking to see xyz security things as part of the service or an audit? Does not having it mean that customers or business partners may not renew business?
If so, this is now a revenue risk. Don’t focus purely on risk reduction. If this issue supports revenue, or enables the company to protect revenue, then demonstrate this to your stakeholders. This will usually be the C-level sales person and your chief financial officer.
With them and the COO on board in advance, you immediately have three supporters whose business challenge you are attached to before you even pitch to the executive.
The same approach works for others as well. Can you reduce costs by outsourcing some security solutions? Or is the board strategically looking to outsource? Knowing the strategy means you build your security initiatives to be aligned with the board’s business strategy.
Taking this approach means that simply by understanding those key drivers, you will easily overcome board hurdles without throwing lots of doom and gloom about security vulnerabilities at them.
You’ll be talking their language. Most C-suite executives will switch off if you just throw scary vulnerability stats at them. They know the business isn’t secure, (or if they don't, they should). What they want to know is that you can respond well to security challenges and support the board metrics – revenue, cost and risk.
When you can show you’re giving a return against these metrics, you are most likely to win discretionary budget. They're not just investing in cybersecurity, they’re investing in the business.
According to Larry Szebeni, COO of Apex Technology Services, to minimize the risk of a data breach, companies should specifically do all of the following, right away:
1. Cybersecurity training should be performed every six months. It should ideally be live and interactive. Human error is one of the greatest risks to customer data.
2. Auditing and documentation must be performed regularly to ensure systems are secure. This should be done by personnel who don't run the day-to-day operations.
3. Anomaly detection should be running constantly to detect threats as they emerge.
4. Penetration testing (pen testing) shows if systems can easily be reached and breached. Here is a case where such a test might have saved the reputation of two companies. Annual or more frequent pen testing is optimal.
5. An action plan to follow if a breach does occur. Once it happens, few will have the clear heads needed to “wing it” correctly. Equifax botched its response in what is being called a PR catastrophe.
There has been a tremendous increase in cybersecurity incidents. In addition to individual hackers and organized crime syndicates, terrorist groups like ISIS and nation-states like Iran, Russia and North Korea are targeting U.S. corporations and government agencies.
No company can be complacent about protecting customer data and remain in business as the threat is becoming greater, cybersecurity insurance rates are growing and government fines are increasing. The longer an organization waits to deal with these issues, the more peril they will likely be in.
Add to that this new patchwork of global regulations which are often in conflict and you realize that a breach will have massive technology and business downtime costs, a potential loss of customers, reputational damage and now, potentially spiraling legal costs to handle disclosure and compliance.
To ensure your organization is as secure as possible, consider the following APEX Connecticut cybersecurity training program included in its comprehensive cybersecurity solution which is the equivalent of the cybersecurity kit mentioned in the Connecticut Cybersecurity Action Plan.
For more information contact Apex Technology Services at 203-295-5050