Protecting operations and data against cyberattacks

Organizations today are recognizing that within their infrastructures, where precious data is contained, they are viewed as a target and have become increasingly more attractive to cybercriminals. Should bad actors gain access to sensitive personal data, the results can be operationally catastrophic to a business.

No company is immune to a cyberattack, and the criminals behind them have only gotten more advanced and sophisticated in their strategies. All organizations must understand their data is at risk and follow appropriate measures to ensure its protection — including proactively taking steps to prepare for an incident.

The Necessity of Communication and Training

According to the IBM Cyber Security Intelligence Index Report, 95% of cybersecurity breaches are primarily caused by human error. Unfortunately, inconsistent staff training and limited resources have resulted in organizations becoming prime targets of cyberattacks, causing them to be taken advantage of by those who seek to destroy or profit off of their sensitive data. Human error is often an organization’s greatest vulnerability, and it can lead to dangerous exposure for the public sector and private organizations. Sadly, one of the most common methods of compromise remains reused passwords that get exposed through data leaks and login information that are obtained through social engineering.

The good news is that these potential security weaknesses can be addressed easily through education and company password change policies. It is the responsibility of all organizations to properly train their staff on the fundamentals of good password hygiene, and the methods of social engineering hackers most commonly use. While there may already be some measure of cybersecurity within an organization, all should periodically be reassessed and updated as the risk of state-based attacks is increasing, as are the associated costs of a compromise.

From the internal workings of an organization, one of the first ways to begin security initiatives is to understand the goals of both information technology (IT) teams and company executives so that key departments stay connected and in constant communication. There must be clear security goals within both, and the plan of implementation should be enforced by top leadership and other C-level members. The creation and fulfillment of effective security programs allow for employees at multiple levels to embed the desire to protect their assets early on before an attack occurs.

This can be achieved through regular training sessions prioritizing cyber awareness and promoting new ways for employees to help prevent, detect, and address digital threats. Training all employees, privileged users, administrators, and executives may vary in depth depending on access privileges. Personalization and larger-scale training within the organization ensure that employees at all levels are exposed to new protocols.

The key first steps include distinguishing specific types of social engineering cyber-attacks such as phishing and more targeted potential malware behavior. Once this is learned, reporting security threats along with the protocol that follows must be reinforced as a priority until it becomes second nature to all. Education in this form helps drive efficiency and avoid the chaos that could ripple through the workforce should they not be prepared when an attack occurs.

Cultivating Protection as a Culture

While many organizations discuss and plan to implement cybersecurity within their organizations, gaps are far too common. For cybersecurity to be truly effective, it must become incorporated into organizations’ values, forming its presence in the overall culture.

Communication is the first step in bridging this gap, including transparency, and normalizing discussions of challenges, errors, or misconceptions without the fear of judgment. With an open communication line and clear objectives from top leadership, there can be more opportunities for learning and essential operation employees to grow.

Secondly, once employees are properly trained, they can perform security duties and form healthy habits toward data protection. These initiatives can create and nurture a culture of cybersecurity that allows for the personal growth of every member of an organization toward secure operational behaviors.

Technology may be the foundation of cybersecurity, yet it can only function at its height if the members of an organization tap into their own potential of human intelligence and awareness. Empowerment via tools to assess potential data risks allows them to grow as professionals and protect the operational functions of their organization.

This focus on building foundational security measures takes power away from cybercriminals that are so accustomed to the manipulation of many for their own potential gain and puts it back into the professionals of today.

Robert Nawy is CEO of IPKeys Cyber Partners, provider of OT/IT intelligence platform that addresses cybersecurity, data, and critical infrastructure protection challenges. Nawy is a founding member and on the Board of Directors of the Advanced Energy Management Alliance (AEMA) and is an active Board Member of the Open Automated Demand Response (OpenADR) Alliance.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.