
Executive Guide to Cyber Security

Essential Information for Managing Business Risk

A California hospital pays a $17,000 ransom to regain control of its network and data. The credit rating agency Equifax suffers a data breach that exposes the personal information of nearly 148 million people. Global accounting firm Deloitte (despite being named “one of the best cyber security consultancies in the world”) gave up access to its email system when a hacker obtained one password for one administrator account. Cyber crimes involving big companies are increasingly in the news headlines, but you don’t have to be a big company to be the victim of a cyber attack.




You Are a Target

According to Verizon’s 2018 Data Breach Investigations Report, small businesses accounted for 58% of the breach victims reported in 2017, and healthcare organizations for 24%. These statistics include only confirmed breaches. There are almost certainly more incidents, such as the one below, that were never reported.

Despite being warned about the risks of running outdated firewalls and hardware no longer supported by the manufacturer, one company opted to take a chance and delayed replacing its equipment and updating its software. Unsupported equipment never receives fixes, so the known vulnerabilities in it stayed open for anyone who cared to look. Sure enough, cyber criminals found them, and the business was infected by ransomware that took down its network for two days.


Your data is more valuable than you realize.

Can you operate without your network and data?

How long could you operate your company without access to your data and systems? Probably not long if you are like most businesses and you depend on technology for operations. What would you be willing to pay if you were locked out of your computer system as the result of a cyber attack? If you have a backup, is it tested and is it sufficient to get you up and running again?


Your data has value

Beyond its daily use in operations, the data you collect and store has a value that many organizations don’t recognize. If you have any of the following, you have something that cyber criminals want:

  • Personally Identifiable Information - from your employee and customer records
  • Trade secrets and Intellectual Property -- your customers’ or your own
  • Bank account and payment information -- to directly access your accounts
  • Account credentials -- access to your network as well as your accounts such as email, software services, and vendors


Cyber Security is an Executive Blind Spot

Many executives are making decisions that increase their security risk. When this happens, they unknowingly increase their overall business risk like the companies in the following stories.

One company had a mandate from the C-level to reduce IT costs. In his effort to execute on this initiative, the IT manager proposed eliminating the services related to backups and patching, which the executives approved. These decisions not only made the company more vulnerable to an attack, but made it harder to recover from one should it happen. And it did happen. The network was hit with ransomware, which resulted in lost data and a system outage that lasted for 10 days.

A California manufacturing company was out of production for three days as the result of a data breach. We don’t know whether the company still paid the 40 to 50 workers who were idle, but the impact clearly rippled through the whole organization. Upper management no doubt saw the cost of the downtime and of the remediation the attack required in their financial reports for the following months.

What executives don't know about cyber security can increase their company's overall business risk.


The Impact of Cyber Crime

Your whole business, and not just the information you gather and store, is at risk for theft, kidnapping or corruption by cyber criminals. Some businesses ultimately fail as a result of a cyber attack. The cost of being a victim includes:

  • Temporary or permanent loss of your data
  • Hours or days of lost business
  • Work to restore your network and data
  • Updates for systems and security to prevent another attack
  • Damaged reputation

The most serious fallout from an attack is a damaged reputation. It’s hard to maintain vital relationships when customers, vendors, employees and the community lose their trust in you. Some businesses never completely recover after a cyber attack.


Manage Cyber Risk to Manage Overall Business Risk

Executives who are concerned with managing overall business risk must be involved in managing cyber risk. Often the best way to get a handle on cyber risk is to go through the process of creating a security policy. This process is a way to align business processes with the need to protect the company from cyber risk. We’ll talk more about creating a security policy later in this article. It will make a lot more sense once you have a foundation of knowledge about cyber crime tactics and the basics of cyber security.


Cyber Crime Tactics

The availability of the tools of the cyber crime trade has made it easy for anyone to become a cyber criminal. Just as new software platforms have put sophisticated capabilities into the hands of small businesses, the same kinds of technology are available to would-be cyber criminals. You don’t have to be a programmer when you can rent ready-made malware as a subscription service on the internet and start making money from it right away.


The same types of technologies that have revolutionized the business world have also made cyber crime easy.

Social Engineering

First on our list of cyber criminal tactics is the use of persuasion and manipulation to get people to take an action such as clicking a link, opening an email attachment, downloading a program, giving out information (such as credit card numbers or bank credentials), or granting access to other accounts. Many of the following cyber crime tactics are combined with social engineering.


Malware

Generally speaking, malware is any piece of software that is intended to do harm. Malware is delivered in many ways, including clicked links, opened attachments, downloaded software and, through compromised websites, simply browsing the internet. The following is a sample of commonly used malware.

Exploit Kits

Exploit kits are one way that cyber criminals get access to your device. You encounter them unknowingly while browsing the web or interacting with malicious online ads. The kit probes your browser and its plug-ins for a piece of outdated software with a known vulnerability, exploits it, and uses that foothold to install other malware.

Viruses

Viruses get their name from their ability to copy themselves into other programs or files and so spread from computer to computer. What they do once they run varies: corrupt your files, send spam to your email contacts, take over your machine, or steal your login credentials by recording the keys you press for a username and password.

Ransomware

Ransomware can be delivered in different ways, but once it reaches your computer, network or mobile device the result is the same: your files are encrypted or your device is locked, and a ransom is demanded to get back in. Paying the ransom does not guarantee that you will get your data or device back; the only reliable way out is a tested backup.
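As an added example (not part of the original guide), the following Python shows one heuristic defenders use to spot ransomware at work: encrypted files are statistically near-random, so a file whose contents have close to 8 bits of entropy per byte, but whose name says it should be text, is suspect. The sample invoice, the toy keystream cipher used to produce "encrypted" data, and both extension lists are constructed for the demonstration.

```python
import math
import hashlib
import os
from collections import Counter

# Constructed sample: a plain-text invoice repeated to a few KB. Not data from any real incident.
PLAINTEXT = (b"Invoice 2024-117\nCustomer: Example Corp\nAmount due: 4,250.00 USD\n") * 40


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a stand-in for the stream cipher real ransomware would use."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_like_ransomware(data: bytes, key: bytes = b"constructed-demo-key") -> bytes:
    """XOR the file with a pseudorandom keystream: the output is statistically near-random,
    which is exactly the property the detector below keys on."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued input, approaching 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Assumed lists for illustration, not a catalogue of real ransomware extensions.
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
# Formats that are legitimately near-random; they must be excluded or they drown the signal.
HIGH_ENTROPY_FORMATS = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4", ".pdf"}


def looks_encrypted(name: str, data: bytes, threshold: float = 7.2) -> bool:
    """A file whose contents are near-random but whose extension says it should not be."""
    ext = os.path.splitext(name.lower())[1]
    if ext in RANSOM_EXTENSIONS:
        return True
    if ext in HIGH_ENTROPY_FORMATS or len(data) < 256:  # too little data to judge
        return False
    return shannon_entropy(data) >= threshold


def scan(files: dict) -> list:
    """Names of the files that look encrypted. `files` maps name -> contents."""
    return [name for name, data in files.items() if looks_encrypted(name, data)]


if __name__ == "__main__":
    sample = {
        "invoice.txt": PLAINTEXT,
        "invoice.txt.locked": encrypt_like_ransomware(PLAINTEXT),
        "report.docx": encrypt_like_ransomware(PLAINTEXT),  # encrypted in place, extension kept
        "photo.jpg": encrypt_like_ransomware(PLAINTEXT),    # excluded: JPEG is expected to be dense
    }
    print(scan(sample))
```

The caveat is built in: compressed and media formats are legitimately dense, so they are excluded rather than flagged, and in practice this check is paired with rate-based signals (many files rewritten within seconds) and canary files rather than used on its own.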

Trojan Horses

This type of malware masquerades as a familiar or useful program so that the user clicks to install it. Trojans often carry other malware, such as keyloggers that capture your username and password as you type them, or a backdoor that gives the attacker ongoing access to the machine.


Email and Phishing

Phishing involves sending emails that appear to come from a trusted person or organization, with the purpose of getting the recipient to click a link or open an attachment that delivers malware. Some phishing schemes instead ask the recipient to transfer money or to hand over access to other financial resources. The apparent source can be an organization you deal with or a specific person you know.
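As an added example that is not from the original guide, here are the checks a mail filter or a suspicious reader can apply to a message's headers and body, in Python using only the standard library: a look-alike sender domain, a familiar display name on an outside address, a Reply-To that quietly points elsewhere, and an urgent request for money. The trusted domains, the protected executive name, the homoglyph table and both sample messages are constructed for the demonstration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed configuration, not from the page: your own domain plus partners whose
# instructions staff act on, and the names most likely to be impersonated.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}
PROTECTED_NAMES = {"dana chen"}  # e.g. the CEO; constructed name
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}
MONEY_WORDS = ("wire", "transfer", "urgent", "bank account", "payment")


def normalize_domain(domain: str) -> str:
    """Undo the look-alike substitutions attackers use in registered domains."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits from a trusted domain is a typosquat, not a coincidence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """The trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalize_domain(domain) == trusted or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_findings(raw_message: str) -> list:
    """Header and content checks to apply before acting on a message. Returns a list of findings."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    findings = []

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} imitates {imitated}")

    # A familiar display name on an unfamiliar address is the basic executive-impersonation trick.
    if name.strip().lower() in PROTECTED_NAMES and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name '{name}' but address is {addr}")

    # Replies silently routed somewhere other than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr} does not match sender domain")

    body = "" if msg.is_multipart() else str(msg.get_payload())
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in MONEY_WORDS if w in text]
    if len(hits) >= 2:
        findings.append("urgent money request: " + ", ".join(hits))
    return findings


# Constructed messages; addresses and names are invented.
SUSPICIOUS = """From: Dana Chen <dana.chen@examp1e.com>
Reply-To: dana.chen.ceo@gmail.com
Subject: Urgent wire transfer before 5pm
Content-Type: text/plain

Please transfer 25,000 to the new bank account below today.
"""

LEGITIMATE = """From: Dana Chen <dana.chen@example.com>
Subject: Q3 planning
Content-Type: text/plain

Agenda for Thursday attached.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, phishing_findings(raw) or ["no findings"])
```

The edit-distance check assumes domains of reasonable length; against a very short domain it will match unrelated names, so tune the threshold per domain. None of this replaces sender authentication (SPF, DKIM and DMARC) at the mail gateway; it catches the cases that pass those checks because the attacker registered a look-alike domain of their own, or simply lies in the display name.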


Phone Call Cyber Attacks

The goal of this tactic, sometimes called vishing, is to get the person on the line to give up information or to take an action that gives the caller access to their computer or network. Phone scams can be highly targeted: the caller may already know details about the recipient or the company that make the call seem legitimate and trustworthy.


Unlocked Doors

Cyber criminals don’t just operate online, they can walk through your front door. Maintaining the security of your office space includes limiting access to your server room, locking workstations when not in use and never leaving post-its or other notes with login credentials where someone could easily pick them up. While you might envision intruders sneaking their way into your facility, you should not discount potential threats from people who have a reason to be there whether they’re visiting or are one of your employees.


Cyber Security Basics

As you get ready to call it a night, the last thing you do before you head to bed is lock the doors, turn on the electronic alarm system, and give your German shepherd a pat on the head as he snoozes in his bed. Now imagine that someone wants to break in. They’ll have to find a way to disable your alarm, get through the locked door and maneuver past Fido in order to gain access to your valuables. With these three layers of security, two act as barriers (locks and the dog), and two can detect intrusion (alarm and the dog).

An attacker could certainly find ways to circumvent all three of your security layers, but getting in and out for his mission will be more difficult and take longer than if he had to deal with only locked doors. The concept is similar in a technology environment where the layers of security are designed to detect and thwart attacks before they do any damage.

The best way to protect your business from a cyber attack is with a layered defense.


Data and Device Visibility

Knowing all the places where your data lives and what is connected to your network is foundational to your security practices. If IT can’t see it, IT can’t protect it.


Software Updates and Patch Management

One of the easiest security layers to manage is keeping software and operating systems updated. It might seem like a cost saving to keep using the old software you’re familiar with, but it may contain vulnerabilities. Those vulnerabilities act like unlocked back doors: an attacker uses one to get a first foothold on your device, then installs the malware that does the real damage. Install patches promptly when they are released; they often contain fixes specifically for security, and a published patch also tells attackers exactly where the hole is. Software the vendor no longer supports will never be patched and has to be replaced.
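As an added example (not from the original guide), the Python below turns an asset inventory and a list of vendor advisories into two work queues: what to patch, and what to retire because the vendor will never patch it. The hosts, products, versions, dates and advisories are constructed. The one real-world trap it demonstrates is version comparison: compared as strings, "16.0.4" sorts after "16.0.10", so a naive check would report that workstation as fully patched.

```python
from datetime import date

# Constructed inventory and advisories: product names, versions and dates are illustrative.
TODAY = date(2024, 5, 1)
INVENTORY = [
    {"host": "fw-edge-01", "product": "EdgeGuard Firewall", "version": "5.2.1", "eol": date(2017, 6, 30)},
    {"host": "ws-accounting-3", "product": "OfficeSuite", "version": "16.0.4", "eol": None},
    {"host": "srv-files", "product": "NetShare Server", "version": "3.9.12", "eol": date(2026, 1, 1)},
]
ADVISORIES = [
    {"product": "OfficeSuite", "fixed_in": "16.0.10", "note": "code execution via crafted document"},
    {"product": "NetShare Server", "fixed_in": "3.9.8", "note": "authentication bypass"},
    {"product": "EdgeGuard Firewall", "fixed_in": "6.0.0", "note": "management interface exposure"},
]


def parse_version(v: str) -> tuple:
    """'16.0.4' -> (16, 0, 4). Assumes dotted integers; compare as tuples, never as strings."""
    return tuple(int(part) for part in v.split("."))


def version_lt(installed: str, fixed: str) -> bool:
    """True when the installed version is below the version that carries the fix."""
    return parse_version(installed) < parse_version(fixed)


def assess(inventory, advisories, today):
    """'retire' for end-of-life products (no patch will ever come) and
    'patch' for supported products running below the fixed version."""
    findings = []
    for item in inventory:
        if item["eol"] is not None and item["eol"] < today:
            findings.append({"host": item["host"], "action": "retire",
                             "reason": f"{item['product']} unsupported since {item['eol']}"})
            continue  # no point listing patches that do not exist
        for adv in advisories:
            if adv["product"] == item["product"] and version_lt(item["version"], adv["fixed_in"]):
                findings.append({"host": item["host"], "action": "patch",
                                 "reason": f"{item['product']} {item['version']} < {adv['fixed_in']}: {adv['note']}"})
    return findings


if __name__ == "__main__":
    for f in assess(INVENTORY, ADVISORIES, TODAY):
        print(f"{f['host']:16} {f['action']:7} {f['reason']}")
```

The file server is correctly left off both lists: 3.9.12 is newer than the 3.9.8 fix, which a string comparison would get backwards. The inventory is the precondition; this check is only as complete as the asset list it is run against.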


Firewall

Firewalls act as the locked doors to your network and devices. Firewalls can be installed at the network and workstation levels, as well as on other devices that are connected to your network. The firewall acts as a gatekeeper, deciding which traffic to allow in and out, and which to block.


Anti-Virus and Anti-Malware Protection

The terms anti-virus and anti-malware are sometimes used interchangeably, but they do not mean the same thing. Viruses are a type of malware, but malware isn’t always a virus. The purpose of these software applications is to detect, block and remove malicious software.


Email Security

Staff will not need to decide whether an email message is legitimate if a filter blocks messages that are likely spam or phishing before they arrive. Because attachments and links can lead to a malware infection, email security should be combined with the anti-malware and web protection layers.


System and Data Backup

If something happens to take your computer system down, you’ll need a backup of your systems and data to get up and running again. The method for determining the frequency of your backups and the amount of data that is included in each one depends on your business and your ability to tolerate downtime.
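As an added example (not from the original guide), the Python below shows what "tested backup" means in practice: restore the archive somewhere harmless and compare every file against a hash manifest taken at backup time. The directory tree and file contents are constructed. The two failures the demo injects, a backup that is stale because work continued after it was taken, and an archive whose bytes changed on disk, are both things a backup job that merely reports "success" will never tell you.

```python
import hashlib
import os
import tarfile
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256; works for files larger than memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_of(source_dir):
    """{relative path: sha256} for every file under source_dir."""
    manifest = {}
    for root, _, files in os.walk(source_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, source_dir)] = sha256_file(full)
    return manifest


def make_backup(source_dir, archive_path):
    """Write a plain tar archive and return the manifest taken at backup time.
    Keep the manifest separate from the archive, or a bad copy can never be detected."""
    manifest = manifest_of(source_dir)
    with tarfile.open(archive_path, "w") as tar:
        for rel in manifest:
            tar.add(os.path.join(source_dir, rel), arcname=rel)
    return manifest


def verify_restore(archive_path, manifest):
    """Restore into scratch space and compare every file with the manifest.
    Returns (ok, problems). An unreadable archive is reported, not raised:
    a scheduled check should produce a failed result, not a crashed job."""
    problems = []
    with tempfile.TemporaryDirectory() as restore_dir:
        try:
            with tarfile.open(archive_path, "r") as tar:
                # The 'data' filter (Python 3.12+ and backports) refuses path traversal in hostile archives.
                extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(restore_dir, **extra)
        except (tarfile.TarError, EOFError, OSError) as exc:
            return False, [f"archive unreadable: {exc}"]
        for rel, expected in manifest.items():
            path = os.path.join(restore_dir, rel)
            if not os.path.isfile(path):
                problems.append(f"missing: {rel}")
            elif sha256_file(path) != expected:
                problems.append(f"differs: {rel}")
    return not problems, problems


def demo():
    """Constructed data: back up a small tree, then inject the two failures a restore test catches."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "finance"))
        ledger = os.path.join(src, "finance", "ledger.csv")
        with open(ledger, "w") as f:
            f.write("date,amount\n2024-05-01,4250.00\n")
        with open(os.path.join(src, "customers.txt"), "w") as f:
            f.write("Example Corp\n")
        archive = os.path.join(work, "nightly.tar")

        manifest = make_backup(src, archive)
        results["fresh"] = verify_restore(archive, manifest)

        # Work continued after the backup: the archive no longer holds what you would need restored.
        with open(ledger, "a") as f:
            f.write("2024-05-02,1200.00\n")
        results["stale"] = verify_restore(archive, manifest_of(src))

        # Bit rot or a bad copy: tar checksums headers only, so only the manifest catches this.
        with open(archive, "rb") as f:
            raw = f.read()
        with open(archive, "wb") as f:
            f.write(raw.replace(b"4250.00", b"9999.99", 1))
        results["corrupt"] = verify_restore(archive, manifest)
    return results


if __name__ == "__main__":
    for case, (ok, problems) in demo().items():
        print(case, "OK" if ok else problems)
```

Keep the manifest apart from the archive, with a copy offline, since ransomware that reaches a mounted backup share will encrypt the archive and the manifest together. Run the restore test on a schedule: the interval between a successful test and the next backup is the amount of work you are actually prepared to lose, whatever the policy says.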


Your Weakest Link: People

A southern California manufacturing company was the target of a cyber attack that turned one of its own clients into a victim. The cyber criminals gained access to a salesperson’s email account and used it to send the client a request for money. The email looked legitimate, because it genuinely came from the salesperson’s mailbox, and the client unknowingly wired $25,000 to the criminals.

This incident could have been avoided if there had been security policies in place that required strong, unique passwords on email accounts and basic training about opening attachments in suspicious emails. The client who lost the money could also have protected itself by training staff to spot and respond to fraudulent messages, and by having internal controls for how payments are processed, such as confirming any change of bank details by phone using a number already on file rather than one taken from the email.

All staff should receive proper cyber security training to learn how to recognize potential attacks and know how to respond.


Everyone is Responsible for Cyber Security

Keeping your company safe from cyber risks is everyone’s job, not just the IT department. As employees go about their daily duties, they need to be aware of how their interactions with co-workers, vendors, customers and others impact your overall business risk. Some situations they might be exposed to include:

  • Requests to give vendors access to your network
  • Handling and storing of confidential information
  • Using personal file sharing services for business purposes
  • Requests for transferring money
  • Using personal mobile devices for business


Cyber Security Awareness Training

Teaching employees to be vigilant about protecting company data and systems is not a one-and-done deal. Ongoing training is the best way to help employees develop good cyber security habits and to recognize potential attacks. Training should include best practices for:

  • Password management
  • Social engineering
  • Email phishing techniques
  • Phone phishing techniques
  • Physical security
  • Access permissions within business applications
  • Company security policy

The most effective cyber security awareness training programs are not only ongoing, they present material in different ways such as videos, simulations, infographics, discussion and incentives so that employees understand and retain the information.


Creating a Security Policy

It is management’s responsibility, with collaboration from IT and other departments, to create a security policy. The policy is a written document that answers three main questions:

  1. What assets are to be protected?
  2. What will we do to protect the assets?
  3. What will we do if we encounter a data breach?


Taking the time to create a security policy is an important step in creating a culture that understands that everyone is responsible for security.

Security Policy Sets Expectations

Cyber security policies and training lay the foundation for developing a culture of security. Employees can only be accountable for security if they are informed and trained, so the purpose of your security policy is to communicate to employees the reason why protecting company data is important and to set expectations for behavior and accountability. To be effective, policies need to be enforced, which means that employee actions need to be monitored.


Getting Started on Your Security Policy

You probably have some elements of your security policy already in place if you have some of the following policies and procedures established:

  • Acceptable Use
  • Approved Software List
  • Hire/Fire Policy
  • Private/Public Administrative Policy
  • IT Administrative Policy
  • Physical Access Policy
  • Mobile Device Policy
  • Remote Access Policy
  • Wireless Network Policy
  • Domain Records Policy
  • Adult/Offensive Materials Policy
  • Legal Sign On Policy
  • Password Policy
  • Cyber Security Awareness Training


Regulatory Compliance

Meeting regulatory requirements for data security is not optional for businesses in many industries. HIPAA, HITECH, PCI DSS, ITAR, ISO 27001, the NIST frameworks, GDPR: you know what these letters mean if they apply to you. Compliance, however, isn’t enough to protect you from a data breach. The well-known Target data breach in 2013 happened even though the company had been certified as meeting PCI DSS requirements for handling credit card data.

A robust security policy will usually cover most of what these regulations require for information security. Working with a skilled IT services and management company is often the most practical way for a smaller business to maintain compliance and protect itself from cyber crime.


Uncover Your Security Gaps

It’s your job to be informed about the risks that your business faces so that you can make good decisions about how to allocate resources for their management. Thinking about cyber security, however, can be overwhelming. It might seem like you need to be an IT expert in order to put together the pieces of an effective defense.


Get a Cyber Security and Risk Assessment

Knowing where you need to go with cyber security is much easier when you have a clear picture of where you are right now. A cyber security and risk assessment gives you new understanding about your vulnerability, provides recommendations for improvement, and helps you close the gaps that are exposing your business to unnecessary risk.
