Every news cycle seems to bring another story of a ransomware attack. Assaults on businesses are on the rise, and the statistics back it up. Since COVID-19 began in 2020, cybercrime has increased 600%, and it is estimated that there is a cyberattack every 11 seconds around the world. The increase in employees working from home has only intensified this threat in the eyes of many IT experts, with more than 80% reporting that remote workers are a ticking time bomb for corporations. As part of a broader effort by the National Cyber Security Alliance and the U.S. Department of Homeland Security (DHS) to help Americans stay safer and more secure online, October has been designated Cybersecurity Awareness Month.
Cybersecurity begins with being prepared, something too many companies are not proactive about, according to Technologent’s Chief Information Security Officer Jon Mendoza.
“It starts with an understanding of the current state of your environment and, specifically, your security posture,” he said.
Bringing in a third party to conduct a security audit of a company’s IT system is a good place to start because this can recognize potential security gaps. Simulating an attack offers the opportunity for a company to gauge its response to different scenarios, discover how the various parts of an organization would be affected, and determine how they could respond. This type of drill would examine the impact on a company’s customers, their ability to generate revenue, and how quickly they could recover from a cybersecurity attack.
Mendoza cautions that simply focusing on technology is not enough. Any drills must factor in an organization’s people.
“When you’re looking at the other aspects of what makes an organization vulnerable, reducing risk is of critical importance,” he said. “But, understanding what those risks are is also important.”
The risks will vary from organization to organization and from sector to sector.
Addressing the human factor is critical and must focus on training and raising security awareness. Too many companies have fallen short in these areas despite having spent a lot of money on technology and security controls. However, they have not paid enough attention to how the end user is being trained. In terms of raising awareness, organizations cannot continue to do things as they have in the past. Cybersecurity threats are evolving, and the approach companies take must also change and adapt accordingly.
Too many companies, their CEOs, and their employees don’t view cybersecurity as their problem and instead deem it an issue for their IT departments. Case in point: intellectual property is at least as valuable as any other company asset, so everyone needs to be trained to protect it to ensure the survival of their organization. Multifactor authentication and security awareness training both play a pivotal role, not only in protecting intellectual property but also in teaching employees what their role in security is.
Ransomware, one of the most obvious aspects of cybersecurity and one that has been dominating the news, most often infiltrates a company via email. It has been estimated that one in every 6,000 emails contains something suspicious that could be ransomware, and more than 90% of phishing emails contain ransomware. While email has historically been the entry point for those using ransomware, the threat is evolving, with more attacks arriving via mobile phones, where users are more likely to be distracted and to click on a link without vetting it thoroughly.
The recent Colonial Pipeline breach offers an object lesson for handling a ransomware attack. One of the main pillars of good cybersecurity is having a good inventory of physical assets and of all digital or cloud technology assets. David Martinez, security practice director for Technologent, explained how Colonial Pipeline was compromised due to poor endpoint protection deployment.
“For half of the ransom they paid, Colonial Pipeline could get a phenomenal endpoint protection solution,” he said. “Prevention is a way more cost-effective means of handling cybersecurity.”
A cyberattack not only costs a company money; it also costs it in terms of reputation, public trust, and social disruption, aspects of a company’s value that are challenging to quantify. On the customer side, the public’s awareness of the business and the nature of the business determine how customer interactions factor into the financial loss and loss of trust the business may experience. On the legal side, the consequences involve not only the levy of fees and fines but also public safety, and the reaction in this area will also depend on the type of business involved. Finally, governance evaluates the sensitivity and criticality of the data that was breached: criticality is the impact on business operations or the public at large; sensitivity is the nature of the data.
From the end user to the CEO and from software to third-party evaluators, all parties must give their full participation. Cybercriminals may continue to find new ways to attack, but companies can be prepared. The key is information, awareness of possible gaps in their IT security, and taking proactive measures to protect themselves.
“The silver lining in all these things happening in the news is that it has really put a spotlight on the problem,” Mendoza said. “Historically, most organizations have not necessarily funded their security programs appropriately, but that is changing.”