Cybersecurity threats are on the rise with each passing year, bringing higher levels of incidents that threaten businesses of all sizes. Whether you’re the smallest “mom and pop” business or are among the largest international corporations or nonprofits, no organization is 100% safe from cyber attacks. And, the "but nobody wants my data" mindset is no longer an acceptable excuse not to address this.
For most organizations, it's often a battle to find the right balance between security and convenience. After all, users want to maximize their ability to "just work", whereas IT staff want to maximize cybersecurity by locking down systems or restricting access as much as possible. These conflicting agendas leave many organizations trying to figure out how to satisfy both goals at once. However, if businesses make their security too lax in favor of convenience, it can lead to devastating results.
Because of this, WAY too many data breaches have occurred that could have been prevented. Keep in mind, most of these breaches could have been avoided simply by keeping up with security patching, following other rudimentary cybersecurity recommendations, and having basic cyber protections in place (like two-factor authentication, for example).
For a genuinely cringe-worthy example of how an industry leader could have avoided a major catastrophe (but didn’t), look no further than Yahoo. The infamous web giant was hacked a few years back in an attack that left a reported 3 billion accounts exposed. Within ten months, the company was hacked again, revealing the private information and email addresses of as many as 500 million people through the use of a spear-phishing attack.
This second attack provided the hacker with access to Yahoo’s account management tool and user database, which contained crucial information such as password challenge questions and answers, phone numbers, names, and more.
All of this occurred because a Yahoo employee clicked on an email!!!
Security doesn’t have to be an “all or nothing” proposition. It just needs to be taken seriously by the people all across your organization — from the top on down — and then acted on accordingly. At the same time, to adhere to regulatory requirements there are times where security does have to trump convenience.
Governing Bodies You Should Know
In the world of cybersecurity, there are several governing bodies that you should be familiar with:
- Center for Internet Security (CIS)
- Cloud Security Alliance (CSA)
- National Institute of Standards and Technology (NIST)
- National Cyber Security Alliance
- SANS Institute
- U.S. Computer Emergency Readiness Team (US-CERT)
These organizations are responsible for outlining cybersecurity standards, guidelines, and best practices that help organizations to minimize the number of successful attacks against them. Essentially, their standards, such as CIS’s Controls and Benchmarks or NIST’s Framework, should be the backbone of your cybersecurity strategy.
Cyber Protections to Put in Place to Increase IT Security
Every organization should have a cybersecurity strategy in place. However, implementing one of these strategies doesn’t mean you have to break the bank. Working with your in-house IT staff or an IT Service Provider, your organization can begin to implement some common-sense practices, policies, and procedures that improve your cybersecurity stance while also being cost-effective.
1. Secure Your Network
Securing your network doesn’t have to be an exercise in futility. There are things you can do to harden your organization’s cybersecurity defenses, including:
- Implementing Employee Use Policies and Settings
- Limiting Access to Authorized Users
- Implementing a Multi-Layer Security Approach
  - Secure firewall(s)
  - Internet threat protection
  - Endpoint protection
  - Intrusion protection services
- Securing Work From Home Environments
- Securing Cloud as well as On-Premise Technology
- Performing Recurring Penetration Testing
- Completing a Technology Audit or Assessment
2. Build a Human Firewall Team
As someone with more than 30 years of experience in IT security and IT services, I have unfortunately seen far too much of what amounts to cyber-ignorance among clients’ employees when it comes to cybersecurity awareness and best practices.
By dedicating the time and resources to teaching employees at all levels — everyone from the CEO down to the office assistant — how to identify and respond to a variety of threats, you can increase your organization’s cybersecurity posture. It's up to you to build a "Cyber-Aware" Culture.
Cyber threats come in several different formats. External threats can manifest in many ways, including:
- Business Email Compromise (BEC)
Insider Threats (your own employees)
However, external threats are not the only concerns for organizations. According to an article by the Harvard Business Review, the role that insiders play in the vulnerability of all corporations is significant and growing: “IBM found that 60% of all attacks were carried out by insiders. Of these attacks, three-quarters involved malicious intent, and one-quarter involved inadvertent actors.”
Although cybersecurity training can’t prevent people from intentionally doing bad things, other cyber protections can be put in place to help mitigate those insider threats, such as limiting user access. However, the unintentional threat that inside users pose can be addressed through cybersecurity awareness training.
Human error is one of the biggest entry points for hackers, and employees often compromise their organizations’ computers (and their networks as a result) without even realizing it.
An effective and balanced approach to cybersecurity helps your company prevent as well as detect security events and intrusions (as well as quickly recover from such events) while also giving your staff the ability to simply get their jobs done. While this is never easy, it certainly is doable.
With more and more attacks occurring, it's become more and more apparent that the efforts to secure our systems have to continue to increase. There are a number of preventative measures that can be added that, while impacting convenience, are a small price to pay for the added level of protection. Arming your security alarm before leaving your house is an added burden, but I think we'd all agree that the level of inconvenience this act adds is well worth the protection gained. Similarly, the "hassle" of two-factor authentication becomes the norm after a while, and the extra second or two to log in is well worth it.
Some additional blogs of interest:
- 8 Ways to Protect Your Business From Ransomware
- What To Do If Someone Hacks Your Email Account
- Surprising Password Guidelines from NIST You Should Know
- What is the Dark Web and Why Does It Matter?
- What Your Network Security Health Says About You
How has your organization balanced security with convenience? Have you decided NOT to add a level of protection because you thought it was too much to ask of your users? Share your thoughts with us about this topic in the Comments section below or send me an email to discuss it more in-depth.