Last year was a bad year for cybercrime. In the UK alone, there were more than 5.1 million incidences of online fraud and 2.5 million cybercrime offenses. And one of the primary victims of all this crime is businesses.
Protecting your business against cybercrime has never been a more pertinent issue. Your company could be the next target for criminals. Right now there are multiple channels through which cybercriminals are targeting businesses. First of all, there are social engineers. These are the people who dream up schemes as a way to get valuable information from people. They’re creative types, and hard to predict. Then there are the hackers. These people don’t bother coming up with some elaborate con scheme. They look for exploits in your business IT system that they can leverage to gain access to your data. Finally, there are the programmers. These guys are in the business of writing viruses to bring down company servers and systems.
Because the threat from cybercriminals has never been greater, companies are looking for ways to protect themselves. According to the Wall Street Journal, big business is investing billions into the effort. If you’re responsible for a security budget, here’s where to spend your money.
Setup A Phishing Experiment
Phishing is a popular way for criminals to gain access to sensitive company information. Phishing is very much like any other con trick. It seeks to convince people that it is a legitimate communication. And then it builds up enough trust for them to start giving out sensitive information. Clearly, this is dangerous for companies that care about the integrity of their data.
One of the biggest entry points for sensitive information is your business’s employees. This is something that JP Morgan recognized after had a data breach earlier this year.
JP Morgan decided to respond with a phishing attempt all of its own. It sent out a quarter of a million fake phishing emails to its employees to see what they would do. To its surprise, the firm found that employees opened a phishing email about 20 percent of the time. The company declined to say how many employees responded to the emails. But it was a severe enough demonstration of security failures that the company took immediate action.
After the experiment, employees were banned from using their work emails for personal use. And the company decided to invest a further $500 million into its online security apparatus. The phishing experiment revealed that the company was vulnerable through its employees. It served as a call-to-action to the board of directors and got security to the top of the agenda.
Many companies have employees who use social media. Professional social media sites should be about networking and growing businesses. But they’re also a big target for hackers. The problem is that many employees don’t realize just how much information they give out. Information comes out in dribs and drabs, not all at once. So it can be deceiving. And yet, all this information can quite easily be collected by hackers and pieced together. Hackers with a fuller set of information can then use this to their advantage to hack company IT systems.
Employee errors are no small part of the business cyber security picture. Recently the Association of Corporate Counsel found that almost a third of data breaches are the fault of workers. And it’s usually because staff simply don’t know how what they’re doing affects security. Often it’s the simple and innocent things that have the biggest detrimental impact. For instance, employees who send sensitive information on home networks without the same level of security. Or employees who access client data and then take those data home with them. (This recently happened to Morgan Stanley).
Training, therefore, helps employees see some of the non-obvious ways their behavior impacts security.
Once you’ve convinced the board security is an issue and trained your staff, what’s next? To bolster your existing systems, of course. But should you go about doing that? Every business is different. And, therefore, every business has different security needs. Some companies only need protection for their back-end systems: they don’t collect customer data. Others need vaulted servers to protect mission-critical data.
Here’s where the value of technology consulting becomes obvious. For any business to have an effective security strategy, it needs expertise. Understanding the company’s strengths and weaknesses is imperative if the company is going to be viable.
The first thing to discuss with a consultant is the type of threats your business is likely to face. If your business is high profile or controversial, you’ll likely face a threat from botnets. The idea behind botnets is to drain your company of processing power. Here your web server is pinged from multiple locations millions of times a second. As a result, it starts to lose performance. And in extreme circumstances, it can be brought down.
These denial-of-service attacks are designed to prevent your business from carrying out its operations. They can also harvest capacity from your IT resources, bringing down your productivity. And so they mustn’t be allowed to run their course. Proactive maintenance of systems by a third party is an excellent way to prevent attacks from getting out of control.
If your business has valuable data, hackers might try to use trojan horses. The idea here is to gain backdoor access to your business systems. Hackers will try to harvest your email lists, erase your data or get customer information. Here again, consultants can help you to identify the problem and point you in the direction of how to deal with it.
Focus On Improving Security In Non-Computer Devices
The latest frontier in the battle between companies and criminals is the internet of things. It’s not just computers anymore that are subject to hacking. According to the Cybersecurity Market Report, it’s things too. There are now whole sub-markets that are connected to traditional IT infrastructure. Things like smart and the industrial internet are new technologies. But they aren’t adequately protected by existing ecosystems. Hence, there’s now a significant risk that businesses in these sectors will suffer catastrophic breaches.
Companies need to spend more on making sure that smart devices are as secure as the rest of their network. Criminals will exploit any weakness in your smart device network.
Hire Ethical Hackers
Investor’s Business Daily recently reported cybersecurity spending would balloon over the next half-decade. It’s expected to top $1 trillion between 2017 and 2021. Driving that trend, they propose, will be a rise in businesses hiring hackers to test their own systems. These freelance hackers will be put to work, testing whether companies can withstand an attack.
But the focus is, again, going to be on the internet of things. Industry tracker, Cybersecurity Ventures, predicts double-digit growth in the sector going forward. It also predicts that protecting the IoT will, ironically, fall to hackers.
The good news is that educational institutions have been training people to hack for years now. And there’s a large pool of ethical hackers for businesses to choose from. Hackers can be hired to do all sorts of things to help your company. But the most common use is for highlighting data protection issues. Hackers are usually assigned the task of breaching company data. Along the way, they help to expose weaknesses in company defenses. And these shortcomings can then be targeted for improvement. Most of the time, weaknesses are on the employee end of the spectrum. But sometimes you’ll find fault with password encryption and server access.
Redesign Cyber Security Systems
Lastly, it’s time for a reality check. Companies are spending more money than ever on protecting themselves from cybercrime. And yet the average loss following a breach has risen to $7 million. That suggests that the industry is doing something wrong when it comes to spending their money. According to PwC’s cybercrime report, 47 percent of companies are putting money into new technologies. But far fewer companies are thinking about their cyber security strategies. The effect of this is that companies are putting their money into technologies that probably aren’t helping them. Too few companies are stepping back and assessing the risk that they face, and how those risks have changed.
So here’s how to spend your money. First, generate a risk-based cybersecurity framework that’s adaptable. Seek professional advice if you need to. Make sure that your company knows the specific risks that affect the sector. And find out what are the latest tactics being used by cybercriminals.
Second, share knowledge with other companies about the state of your cyber security. Only 15 percent of enterprises told PwC that knowledge sharing was a priority for them. And so it’s clear that many businesses aren’t leveraging existing relationships.
Finally, involve all stakeholders in discussions of cyber security threats. Partners, outside experts, and the board should all contribute to the process. Including everybody in your strategy helps you to avoid wasting money and resources.