Over the past three decades, cybercrime has evolved from, ‘I don’t think this will happen to me,’ to, ‘I can’t believe anyone would fall for it,’ to back page mentions, to headline news.
For many of us in the over-40 crowd, exposure to cybercrime first came in the form of unbelievable Nigerian prince emails. Another wave arrived as DoS (denial of service) attacks, which occasionally caused minor web access issues but weren’t seen as a significant threat to most people.
Cybercrime awareness ticked up sharply last year when America experienced the high-profile Colonial Pipeline ransomware attack. Now, American infrastructure is exposed and vulnerable to risk. A new awareness that cybercrime can impact daily living is a game-changer for many.
Today, there is an escalating clear and present danger from sophisticated cyber exploits orchestrated by organized crime and adversarial governmental agencies. This poses a significant business risk for almost every organization, and many are vastly unprepared. It is no longer a matter of if you will be a victim; instead, it’s when.
Today, all significant businesses in all industries depend on technology and data systems. Recent shifts to cloud-based environments, interoperability, data sharing, and the use of multiple apps to conduct daily business impose an inherent risk of cybersecurity issues such as active threats, data theft, data loss and ransomware demands.
The risk has been compounded by the pandemic, exposing vulnerabilities associated with migration to remote working environments.
Last year, cybercrime became more expensive. Data breach costs increased from $3.86M in 2020 to $4.24M in 2021 per organization breached. COVID-19 had a negative impact too; the average cost of a breach was $1.07M higher when remote work was a root factor, compared to when it wasn’t.
When attacks involve healthcare, the consequences may not be just financial; they could include loss of life.
This has already happened. Last September, a female patient died when ransomware disrupted emergency care at Dusseldorf University Hospital in Germany.
Are cybercriminals only targeting large businesses? Certainly not. According to cybersecurity expert Leia Shilobod, “Don’t kid yourself. Smaller businesses are low-hanging fruit because they don’t believe they are a target, and therefore have very loose or no security systems and protocols in place and hackers know this.” In a recent poll of small to medium-sized businesses, more than 75% have security issues, making them vulnerable to hackers, monetary loss, and a black eye to goodwill.
Cyberespionage, cyberterrorism and cyberwarfare are different types of threats involving attacks against governmental institutions and contractors. Over the years, the concept of attacking via computer has migrated from fictional movie fodder to a highly credible threat today. A decade ago, Leon Panetta, then U.S. Secretary of Defense, said, “a cyber-attack perpetrated by nation-states or violent extremist groups could be as destructive as the terrorist attack of 9/11.”
Such attacks have become more common in the last two years, prompting the U.S. government to mandate enhanced compliance and security practices to remediate key known vulnerabilities.
Whether targeting businesses or governments, cyberattacks represent a clear and present danger to our economy and national security. It will get worse, as evidenced by sophisticated, well-orchestrated 2021 attacks against iconic targets like Acer, JBS Foods, Kaseya, CNA Financial, Facebook, Instagram, and LinkedIn, each defined by sheer chutzpah. Successful attacks of the future will lead to many millions of dollars of economic destruction and can cripple daily life for large swaths of people. Some estimates peg the cost of cybercrime to be in the trillions of dollars by 2025.
Cybercrime and Cyberthreat Prevention
While cybercriminals quickly pounce on security lapses, many businesses, especially healthcare institutions and governmental organizations, have been slow to implement best-of-breed risk mitigation strategies and techniques. Organizations seldom prioritize cybersecurity as much as day-to-day business interests, and while borderline understandable, inaction is a mistake analogous to playing high-stakes roulette with a loaded gun. No one believes that disaster will happen to them until it happens, and then it’s too late.
Cyber hygiene is a daunting, never-ending project. Establishing a proper security posture requires resources you may not have in your budget. But you have no choice. For long-term success in either a business or governmental environment, organizations must implement a comprehensive, effective cybersecurity plan. Think of it this way: cybersecurity is like air; we all need a lungful at frequent, regular intervals.
Desmond Tutu once said, there is only one way to eat an elephant: a bite at a time. Improving your overall security posture won’t happen overnight, but your IT professionals must embrace urgency because waiting for tomorrow represents an unacceptable risk.
Operational Security Risk Exposure for Organizations
To reduce cybersecurity risk, every organization needs its IT department to assess overall systems security and search for:
- Inadequate vulnerability management
- Compliance gaps in standard operating protocols, procedures, and policies
- Lack of adequate data protection with network devices and/or endpoints to mitigate data loss
- Exposure from email and web downloads through phishing exploits
- Inadequate risk mitigation plans
Nine Suggestions for Defending Your Organization against Cybercrime or Cyberwarfare
1. Adhere to compliance guidelines for your industry: Following a broad set of compliance standards helps mitigate the risk that could be incurred by employees, vendors, processes, or technology. These guidelines hold organizations accountable, and it is vital to adhere to compliance guidelines. If there are no mandated compliance guidelines for your industry, your best option is to implement Center for Internet Security (CIS) Controls. The CIS Controls (formerly known as Critical Security Controls) are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks.
2. Monitor 24/7/365 to proactively detect and protect against cyberthreats: Since you can’t predict when and where breaches will occur, your attack surface and those of your third-party vendors need continuous monitoring. It is no longer sufficient to run vulnerability scans annually or even quarterly. Your organization needs to continuously monitor system vulnerabilities and employee, contractor, and vendor behavior.
3. Use automated tools to identify potential threats: As the COVID-19 pandemic continues to impact how and where people work, your IT processes, technology and staff must use automated tools to detect misconfigured software and open ports, identify the vulnerabilities that need immediate patching, and quickly remediate all high-risk threats.
4. Minimize human error: People make mistakes. They click on links and download files they shouldn’t. No matter how many steps an organization takes to mitigate risk, employees need continual education to reduce the likelihood of an incident occurring by accident or oversight. People need to be made aware of security controls in place and be trained to operate safely within the current threat landscape.
5. Minimize transfer of data: As employees work from home, the perceived need to transfer CUI (controlled unclassified information) or PHI (protected health information) data from person-to-person and device-to-device increases. Personal devices and unsecure networks may expose your sensitive data to hackers. Use software specifically designed to determine where data resides on system endpoints and track it when in motion between devices.
6. Monitor the Dark Web: Compromised proprietary data can be financially and reputationally damaging. Saving sensitive information on unsecured devices, transmitting data over unsecured internet connections, and sharing data with non-compliant vendors can result in data breaches. Constantly monitor the Dark Web to detect your data for sale and immediately undertake appropriate remediation steps when identified. Software that monitors where your data lies will lower the risk of data exfiltration.
7. Use strong passwords: As simple as it may seem, using strong passwords is a foundation of good cyber hygiene. Studies show that 62% of internal data breaches are caused by compromised credentials. Mandate regular password changes and train your employees never to write them down or share them with others.
8. Conduct regular security audits: Put measures in place to review and assess your company’s security posture. Ensure that your current security, compliance, and integrity systems are working effectively to identify and remediate vulnerabilities. Regular audits and scans will give you peace of mind knowing your company’s data is safe.
9. Encrypt your data: Never send sensitive data unencrypted. Additionally, to protect against hackers, the data you store in databases and on servers also needs to be encrypted.
The need for effective cybersecurity is clear. The threat is present. The danger of cybercrime, cyberthreats and exploits is real. Businesses and government organizations simply cannot afford a lapse in vigilance. Organizations, their leaders, boards of directors, and trusted advisors must achieve sustained and measurable cyber-resilience programs to actively address cyberattacks.
When searching for IT solutions, prioritize technology that is simple to implement, significantly reduces your attack surface, minimizes repetitive, laborious tasks, and enables you to establish replicable processes that can be easily deployed within your organization. Succeed in this, and you just may discover the elephant is neither as large, nor as intimidating, as previously thought.