How to Protect Your Business from Cyber Security Attacks
Stories of advanced cyber threats coming from China, groups like Anonymous, RAM scraping of point-of-sale machines at retailers such as Target, and other rogue “hacktivists” have splashed across the news in the last six months. Coupled with the NSA leaks, this last year has been one of realization: no one, not government, enterprise, nor individual, is immune to cyber threats.
Not that this is original news. It’s no secret that the U.S. has been under cyber-attack for years (nor is it a secret that the U.S. conducts its own overseas cyber operations).
For companies, this new and arguably scarier era of enterprise security threats makes it harder than ever to repel external assaults on intellectual property, financials and other key commercial data. Despite this, many organizations still lack a fundamental understanding of how to protect themselves effectively from these threats.
No one is immune. Cyber-attacks threaten organizations daily, and if your company is not vigilant it may be besieged by any number of IT attacks, costing time, revenue or the trust of your stakeholders. Securing and managing corporate data is critical for any business and is a fiduciary responsibility for CFOs, CEOs and boards.
With that said, let’s take a look at some ways you can protect yourself.
1. Conduct a Security and Self Risk Assessment
The CIO, IT and key operational executives should conduct an assessment to determine what to protect, what protection already exists and where the gaps are. If you have not started this assessment, you can bet your board will be grilling your C-level executives for not already addressing this risk. For most, this means developing a plan to protect your intellectual property and critical data: key process know-how, computer code that’s part of a product or offering, operational information (volumetric data, revenue, product availability, financial earnings, etc.), and even client data. In short, the information that could damage you most should it get into the hands of competitors or other malicious parties.
Once you’ve identified these “crown jewels”, identify the tools you need to protect them. If you’re a Coca-Cola, perhaps it’s a secret bunker with a disconnected server in a retina-scan-protected room that only Tom Cruise could break into. But if you’re not a Coca-Cola and don’t have the budget to fund such an endeavor, put together an RFP for the best security technology you can afford, and remember the 80/20 rule: spend the bulk of your budget (say 80%) on the small fraction of data whose loss would hurt the most.
2. Policy Review and Employee Education
Smartphones are not going anywhere, so you had better have a BYOD (Bring Your Own Device) policy in place. This is especially the case with a workforce of “Millennials”, who tend to give less credence to cyber security threats and are certainly more likely to be accessing social media while working.
And if you don’t think social media can be used as a weapon to infiltrate IT networks, take a look at what occurred earlier this year, when two researchers penetrated a government network, obtained confidential VPN credentials and got a fictitious person a government job, all with a few clicks and a Facebook account.
In short, HR must be involved in developing policies that educate employees on cyber security risks, including things that should be common sense: how to use social media, not opening suspicious emails, and not connecting a company device to public Wi-Fi.
3. Penetration Testing & Vulnerability Scanning
Developing policies and procedures and identifying your security threats is imperative, but perhaps even more imperative is attempting to break into your own systems in order to truly understand your vulnerabilities.
A fairly straightforward yet effective internal measure of vulnerability is to run an internal phishing campaign against your own employees. Rackspace does this; in doing so, it saw results indicating that its cyber awareness training had a positive impact, with fewer employees falling for the phishing attack after receiving education on the subject. Work this into your own training programs and track the results: measure the click rate before training, repeat the campaign afterwards, and compare.
Given the severity of what phishing attacks expose, such as stolen license plate numbers, Social Security numbers and bank account information, companies must take every step they can to protect their employees’ information. Choose the route of complacency and you could end up facing class action lawsuits.
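To make “track the results” concrete, here is an added example (not Rackspace’s tooling or anything from the original article) of the bookkeeping behind an internal phishing simulation: each recipient gets a per-campaign HMAC token in their link so the landing page can attribute clicks without putting e-mail addresses in URLs or web logs, forged or replayed tokens are rejected, and the before/after click rates are compared. The campaign names, recipients, signing key and log format are all constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List, Set

# Hypothetical signing key: keep it server-side, never in the mail template.
SECRET = b"rotate-me-per-campaign"

# Constructed recipient list (not real employees).
RECIPIENTS = ["alice@example.com", "bob@example.com",
              "carol@example.com", "dave@example.com"]


def recipient_token(campaign_id: str, email: str, secret: bytes = SECRET) -> str:
    """One unguessable token per (campaign, recipient).

    HMAC over campaign and address means a token from one campaign cannot be
    replayed into another, and the click URL carries no e-mail address that
    could be harvested from the web server logs.
    """
    msg = f"{campaign_id}\0{email.strip().lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:20]


def token_index(campaign_id: str, recipients: Iterable[str],
                secret: bytes = SECRET) -> Dict[str, str]:
    """Map token -> recipient so the landing page can resolve a click."""
    return {recipient_token(campaign_id, r, secret): r for r in recipients}


def attribute_clicks(log_lines: Iterable[str], campaign_id: str,
                     recipients: Iterable[str],
                     secret: bytes = SECRET) -> Set[str]:
    """Parse landing-page log lines 'timestamp campaign token' and return
    the recipients who clicked. Lines for other campaigns, malformed lines
    and tokens that do not verify (forged, mistyped or replayed) are ignored.
    """
    index = token_index(campaign_id, recipients, secret)
    clicked: Set[str] = set()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, cid, token = parts
        if cid != campaign_id:
            continue
        email = index.get(token)
        if email is not None:
            clicked.add(email)          # repeat clicks count once
    return clicked


def click_rate(clicked: Set[str], recipients: List[str]) -> float:
    return len(clicked) / len(recipients) if recipients else 0.0


def training_effect(before: float, after: float) -> float:
    """Relative reduction in click rate; positive means training helped."""
    return 0.0 if before == 0 else (before - after) / before


def sample_log() -> List[str]:
    """Constructed landing-page log: one campaign before training, one after."""
    t = recipient_token
    return [
        f"2014-02-03T09:12:01Z Q1-invoice {t('Q1-invoice', 'alice@example.com')}",
        f"2014-02-03T09:14:40Z Q1-invoice {t('Q1-invoice', 'bob@example.com')}",
        f"2014-02-03T09:15:02Z Q1-invoice {t('Q1-invoice', 'bob@example.com')}",
        f"2014-02-03T10:01:55Z Q1-invoice {t('Q1-invoice', 'carol@example.com')}",
        "2014-02-03T10:30:00Z Q1-invoice deadbeefdeadbeefdead",  # forged token
        f"2014-05-12T08:45:13Z Q2-password {t('Q2-password', 'bob@example.com')}",
        # Q1 token replayed into Q2: must not be credited to alice
        f"2014-05-12T08:46:00Z Q2-password {t('Q1-invoice', 'alice@example.com')}",
        "garbage line",
    ]


def run_report(log_lines: Iterable[str] = None,
               recipients: List[str] = RECIPIENTS) -> Dict[str, float]:
    lines = list(sample_log() if log_lines is None else log_lines)
    before = click_rate(attribute_clicks(lines, "Q1-invoice", recipients), recipients)
    after = click_rate(attribute_clicks(lines, "Q2-password", recipients), recipients)
    return {"before": before, "after": after,
            "reduction": training_effect(before, after)}


if __name__ == "__main__":
    r = run_report()
    print(f"click rate before training: {r['before']:.0%}")
    print(f"click rate after training:  {r['after']:.0%}")
    print(f"relative reduction:         {r['reduction']:.0%}")
```

With the constructed log, three of four recipients click before training and one of four after, a two-thirds reduction; the forged token, the token replayed from the earlier campaign and the malformed line are all dropped. In a real run the landing page would log the token it received rather than the address, and the signing key would be rotated per campaign so old links stop resolving.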
In addition to internal testing, bring in a third party to provide an objective assessment of infrastructure, policies, security and access. Engage a qualified security expert, whether your ERP vendor or a professional services firm, to review the security of your applications, infrastructure and policies.
Cyber-attacks can happen in a matter of minutes, exposing you to theft of HR information, IP or earnings data. Regardless of what is stolen, the result is essentially the same: you lose money, time, resources and potentially your entire business.
With these attacks getting harder and harder to detect, it is increasingly prudent to build layered defenses that make a breach as difficult as possible. But as we’ve witnessed, even the best-defended systems at the biggest companies get hacked. So you also need to understand how to deal with a breach, not if, but when it happens to your company.
In a future post we’ll discuss just that, and look at how to develop an incident response and recovery plan that can help minimize the damage sustained.