All Posts By Jaco Grobbelaar


TECH TALK: 3 Steps to Developing an Effective Cybersecurity Strategy

By | Data Protection, Security

Has the task of developing an effective cybersecurity strategy landed on your To-Do list? With the average worldwide cost of a data breach estimated at $3.92 million (from The Cost of a Data Breach Report by Ponemon Institute), it’s an important responsibility for all organizations that manage digital data. A cybersecurity strategy can be defined as a set of policies that outline your organization’s plan for mitigating the cyber risks to its assets. The key to creating an effective strategy, then, is aligning the plan to the specific needs of your organization. You can scour the Internet for a model to use for your organization’s strategy, but know that for it to be effective, you’re going to have to make it very personal to your organization. How do you do that?

Here are three basic steps:

1: Define Your Threats

2: Inventory Your Assets

3: Outline Your Protection Measures

 

1: Define Your Threats

The first step of developing a successful cybersecurity strategy is to identify the threats to your organization. If you’re not sure what the threats are, consider the general threats to all businesses, threats common to your industry, and the threats that are currently gaining momentum.

  • General Cyber Threats to Your Business

The technology company Cisco acknowledges the following six types of cyberattacks:

Malware

Malware, formally known as malicious software, refers to software that cybercriminals design to gain access to a system and cause havoc, usually in the form of damaging or disabling the system. The most common types of malware are adware, ransomware, viruses, worms, and spyware.

Phishing

Cybercriminals use phishing attacks to obtain sensitive data such as social security numbers, credit card numbers, and passwords. This type of attack occurs via email or any other means of digital communication.

Man-in-the-Middle (MitM)

Just as it sounds, a MitM attack occurs when a cybercriminal gets in the middle of an exchange of data between two parties, such as a computer and a server, for the purpose of performing malicious acts.

Denial-of-service

One of the most dangerous types of threats to businesses is a distributed denial-of-service attack. A cybercriminal commits this threat by gaining access to a system, often by exploiting a vulnerability, with the goal of overloading it to the point of blocking people (your employees and/or customers) from accessing the system.

SQL injection

A SQL injection attack refers to malicious SQL code that is created to access and cause havoc to a vulnerable SQL database.

Zero-day exploit

A zero-day exploit is a cyber threat that is designed to exploit a vulnerability that has not yet been discovered and patched by the designer.

DNS tunneling

The domain name system (DNS) protocol is a legitimate method of exchanging data across the Internet. Cybercriminals can manipulate the DNS protocol to create a path or “tunnel” for infiltrating a network and exposing sensitive data.

 

  • Threats to Your Industry

You should also consider cyber threats that are specific to your organization’s industry. The following are common industries and the threats that they often face.

Financial

Organizations that handle financial transactions are big targets for cyber criminals. Insight, a cyber intelligence company, reported findings that malware attacks in 2019 were targeted more often at one specific area: financial institutions (25.7 percent). Malware isn’t the only threat to these organizations. According to a report by technology consulting firm Mindsight, the top three cyber threats to the financial industry are web application attacks, DDoS attacks, and backdoors and supply-chain attacks.

Healthcare

Healthcare companies are a common target for cyber criminals because of the large amounts of personal data they manage. The Fact Sheet of the Cybersecurity Act of 2015 lists the following as common threats to healthcare organizations: ransomware, email phishing attacks, loss or theft of equipment or data, internal, accidental or intentional data loss, and attacks against connected medical devices that may affect patient safety.

Government

The IT systems of governmental organizations, federal agencies in particular, are responsible for managing critical infrastructures and are often targeted by cyber criminals. According to the U.S. Government Accountability Office, the Department of Homeland Security received more than 35,000 security incident reports from federal executive branch civilian agencies in 2017. Of those incidents, the largest number (31%) were from an unidentified source. The remaining incidents were from improper usage (22%), email/phishing (21%), loss or theft of equipment (12%), web-based attack (11%), and multiple attack vectors (2%); attrition, external/removable media, and physical cause made up 1%.

Manufacturing

The infrastructures that are critical to keeping countries moving smoothly require manufacturing operations. Cyber criminals know this and have been increasing their threats on this industry. According to a study by Deloitte and the Manufacturers Alliance for Productivity and Innovation (MAPI), nearly 40% of the surveyed manufacturing companies were affected by cyber incidents in the prior 12 months, and 38% of those impacted indicated cyber breaches resulted in damages of $1 million or less.

The National Institute of Standards and Technology (NIST) identifies the following threats to manufacturing: identity theft, phishing, spear phishing, spam, and compromised webpages.

 

  • Trending Threats

As the world changes, we see old cyber threats improve and new ones emerge. Sometimes, we see threats increase on the radar of cyber intelligence trackers because of specific events. In 2020, for example, the COVID-19 global pandemic was associated with the following three significant cyber attacks, as reported by MonsterCloud:

Corporate ransomware attacks

Large corporations are often the target of ransomware attacks. During the COVID-19 pandemic, cyber criminals have been threatening doxware (extortionware), which is a type of ransomware that involves a cyber criminal threatening to sell or publish sensitive data.

Research and vaccines

As companies are in the midst of developing a vaccine for COVID-19, cybercriminals are increasing their attacks to obtain information to sell to other companies and governments wanting it.

Social engineering (Twitter)

In the summer of 2020, a teenage hacker managed to scam high-profile Twitter users out of more than $100,000. He was arrested, but not before obtaining $100,000 from his victims.

An additional threat that many companies neglect to acknowledge is within their organization. According to the article “The Biggest Cybersecurity Threats Are Inside Your Company”, insider threats account for 60% of all threats to an organization.

2: Inventory Your Assets

Once you understand the threats to your organization, you should then understand your assets that could be threatened. The plan you develop will be effective only if you understand the assets you need to protect. The best way to learn this information is to perform an inventory. The National Initiative for Cybersecurity Careers and Studies (NICCS) defines an asset as “A person, structure, facility, information, and records, information technology systems and resources, material, process, relationships, or reputation that has value.”

Here are a few examples of common assets within an organization:

  • Data that flows through your organization. This includes personal data (sensitive data about employees, vendors, and third-party companies) and the work data the organization obtains or produces.
  • Physical assets or endpoints that employees use to connect to your organization’s network.
  • Network that employees connect to.
  • Infrastructure resources such as databases and servers that store your data.
  • Software that employees use in the company (note the identifying information as well as dates).

A simple spreadsheet is a good way to manage the assets, but it shouldn’t be a laundry list of your assets. You should include details that help you determine the critical value of the asset. This includes adding information about its intended use, how it is accessed, by whom it is accessed, and an assessment of its value. You should devise a system for noting those assets that are critical to the business.

3: Outline Your Protection Measures

Once you understand the threats to your organization and the most critical assets you need to protect from those threats, you are ready to specify how your organization plans to protect its assets from cyber threats.

The following are examples of types of cybersecurity protection methods referenced in an effective cybersecurity strategy:

  • Training to develop cybersecurity awareness among all employees.
  • Security policies for every type of asset (examples listed below):
    • Perimeter security such as network security, which includes firewall and anti-virus protection and encryption
    • Endpoint security that protects the systems that connect to your network
    • Application security methods such as sandboxing and encryption
    • Password security that requires employees to use strong passwords
    • Email security measures such as multi-factor authentication and email security gateway protection
    • Remote access security measures such as virtual private networks (VPNs) and end-to-end encryption
  • Insurance that protects your organization from liability should you suffer a cyber attack

Next Steps

The information presented above will help you develop your cybersecurity strategy. Keep in mind that your cybersecurity strategy is not a document that you develop and forget about. It should be a dynamic document that you revisit often to ensure it is up to date.

Seeking the assistance of a cybersecurity expert is a good plan of action to ensure that your cybersecurity strategy addresses all the needs of your organization. BACS is an IT services company that partners with organizations to help them solidify effective security strategies that are based on in-depth analysis.

Five Significant Ways Cybercrime Can Damage Your Business During and After a Security Breach

By | Security

It Won’t Happen To Me

If you think the size of your business keeps it safe from being a target of cybercrime, think again. Twenty percent of small businesses were victims of cybercrime in the last year with that number only including reported cases, according to The National Cyber Security Alliance. Because most small business owners are afraid to report security breaches, it’s safe to assume that the number is much, much higher. Why do cybercriminals target small businesses? Precisely because believing that cybercrime won’t happen to you makes you easy prey with zero protections in place or grossly inadequate ones.

There are 82,000 new malware threats released every single day, with half of the cyber-attacks aimed at small businesses. You don’t hear about it because the news wants to report on more massive breaches. Plus, many violations are kept quiet by the company for fear of attracting bad publicity, fines, lawsuits, and even for fear of embarrassment.

Adding to this “it won’t happen to me” mindset is the fact that owners of small businesses also think that because their businesses are indeed small, the consequences of a security breach will also be minor.

Here are five significant ways cybercrime can damage your business during and after a security breach, regardless of the size of your business.

 

  1. A Damaged Reputation

When your clients discover that cybercriminals hacked your data, do you think they will rally around you, or have sympathy for your situation? What if your clients are patients worried about their very personal data? What if you manage their financial information? Will they understand that you could have been more responsible, but instead, you didn’t believe it could happen to you or you didn’t want to spend the money? Will they understand that you could have done better, but you decided to take the risk instead?

News of cybercrime will travel fast on social media, and your clients will demand answers. Will your explanations pacify them? Even though there aren’t protection measures with a 100% guarantee, your clients expect you to put in place as many as are adequate for your type of business. If they find out you don’t, their trust in you will start to erode, damaging your reputation and leading to loss of business over the long-term.

 

  2. Government Fines, Legal Fees, and Lawsuits

Did you know that breach-notification statutes remain one of the most active areas of the law? Data breaches and data privacy are areas of legislation where many senators continue to lobby for “massive and mandatory” rules and fines. If you expose client data to cybercriminals, the courts will not be in your favor. This situation does not apply only to big corporations: any small business that collects customer information also has the essential obligation to its customers to tell them if they experience a breach. The District of Columbia and forty-seven states have their own data breach laws – and they are getting tighter as we speak.

If you’re in financial services or health care, you have additional notification requirements under the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), and the Health Insurance Portability and Accountability Act (HIPAA). Among other things, HIPAA stipulates that if a health care business experiences a breach involving more than 500 customers, it must notify a prominent media outlet about the incident. SEC and FINRA also require financial services businesses to contact them about breaches, as well as any state regulatory bodies.

You must ensure you are compliant, and that you remain so.

 

  3. Never-Ending Costs

One breach, one ransomware attack, one rogue employee you didn’t protect yourself against, can create hours of extra work for your already maxed-out staff. Add the cost of downtime due to business interruption and the cost of backlogged work. Then you have the loss of sales plus forensics costs to determine what kind of hack attack occurred and what part of your network and data got compromised. And don’t forget the emergency IT costs to restore you to normal, if that’s even possible.

In some cases, you will even pay the ransom with zero guarantees you will get back your data. Add legal fees and the cost of legal counsel to help you respond to your clients and the media. You will disrupt cash flow and blow budgets. You will even be required to provide one year of credit-monitoring services to consumers affected by a data breach in some states.

Research conducted by the Ponemon Institute states that the average cost of a data breach is $225 per record compromised. This figure factors in downtime, lost revenue, recovery costs, fines, legal fees, etc. Do the math for your company. How many client records? How many employees? Multiply that number by $225, and you’ll start to get a sense of how much cybercrime can cost your business.

 

  4. Bank Fraud

If cybercriminals access your bank account and steal funds, your bank will not be held responsible for replacing such funds. Verne Harnish, CEO of Gazelles, Inc., and author of the best-selling book The Rockefeller Habits, found out the hard way.

Hackers accessed his computer and intercepted e-mails between him and his assistant. They used this access to instruct the assistant to wire $400,000 worth of funds to three different accounts. Because Harnish was at the time funding several real estate and investment ventures, this kind of instruction was not unusual to the assistant. With assurances from the hackers posing as Harnish, the assistant made the transfers. And Harnish didn’t notice because the hackers deleted his daily bank alerts. Harnish never recovered that money, and the bank was not responsible for his loss.

Do you think that no one on your staff is capable of making a single mistake or having a single lapse in judgment?

 

  5. Infecting Your Clients Through You

Locking your data or stealing money from you are not the only motivations for hackers. Some want to use your server, website, or profile to spread viruses and compromise other computers. They can use you to relay spam, run malware, build web pages, or promote their religious or political ideals.

 

Which Protections Should You Have In Place Now?

Now that you understand the possible damages to your business from cybercrime, we recommend you have protections in place to significantly reduce the chances of these types of security breaches happening and to minimize the severity and impact if they do occur.

You should also know there is no way we, or anyone else, can 100% guarantee you won’t get compromised. You can only put smart protections in place to reduce the chances, to protect data, and to demonstrate to your employees, clients, and the lawyers that you were responsible and not careless.

We recommend all small businesses have the following protections in place ASAP.

  • QBRs Or Quarterly Business Reviews And Security Risk Assessments
  • Proactive Monitoring, Patching, and Security Updates
  • Relevant Insurance Policies Review
  • Data Breach And Cyber-Attack Response Plan
  • Ransomware Backup And Disaster Recovery Plan
  • Mobile And Remote Device Security Policy
  • More Aggressive Password Protocols
  • Advanced Endpoint Security
  • Multi-Factor Authentication
  • Web-Filtering Protection
  • Cyber Security Awareness Training
  • Protections For Sending/Receiving Confidential Information Via E-mail
  • Secure Remote Access Protocols
  • Dark Web/Deep Web ID Monitoring

Our preemptive Cyber Security Risk Assessment will give you the answers you want, and the certainty you need.