Your cybersecurity strategy has been established and now you feel confident that your organization’s data is protected. While you should be applauded for developing a cybersecurity strategy, you should never rest on your laurels. Cybersecurity requires your constant and full attention.
The following are five reasons you should focus on improving your cybersecurity strategy:
1: Your organization’s personal data is valuable.
2: Recovering from a cyberattack is expensive.
3: Your organization’s reputation is at stake.
4: Cyberattacks are on the rise.
5: Your greatest security risk requires constant coaching.
1: Your organization’s personal data is valuable.
The level of sensitivity may vary, but all organizations have personal information that they need to protect. Just consider the following three ways in which personal information can travel within your organization:
- Employees collect information from individuals doing business with your organization.
- Individuals and organizations transfer and/or communicate information to your organization.
- Employees and third-party organizations access information from within or outside your organization.
In just those three methods of transmission, multiple people have interacted with data. Should all the hands that touch your sensitive data have access to it? If you don’t know the answer to that question, it’s a good idea to inventory all the data assets in your organization and determine who requires access to the most sensitive information. Creating an inventory of your data will also help you understand the level of protection you need to implement. Effective recordkeeping and evaluation are important in this area because the information can change and the people who require access to it can also change.
2: Recovering from a cyberattack is expensive.
According to a report published by Ponemon Institute, the average cost of a data breach in 2020 was just under $4 million. Gartner Inc., an advisory firm, predicts that the worldwide cost of security will balloon to $170 billion in just a few years. What if your organization suffers a cyberattack and it is more devastating than the average? The costs are even higher.
Consider the costs associated with the following five historical data breaches:
- Epsilon – This company suffered an attack in 2011 that involved the personal information for 75 of its clients. The costs to recover from the incident were in excess of $4 billion.
- Veterans Administration – Unencrypted data comprising more than a quarter of a billion records was sitting on a laptop and an external drive that were stolen from this respected government agency. The VA reportedly was out up to $500 million to recover from the incident.
- Target – More than 150 million shoppers of this top retailer received the sad news just before the 2013 Thanksgiving holiday that a hacker “compromised the retailer’s credit card readers” and their card numbers were stolen. The company spent $162 million to recover from the incident.
- Capital One – A former employee of this large financial institution illegally accessed a cloud-based server and stole the personal information of more than 100 million customers. The initial estimate of the cost of the data breach was $150 million. The eventual number was closer to three times the number of customers that were impacted: $300 million.
- Yahoo – Considered by many as the largest data breach ever, this web services provider first announced in 2013 that 1 billion customer accounts had been compromised. In October 2017, just after it sold itself to Verizon, the company revised the estimate to closer to three billion records. In April 2019, its settlement with the holders of the compromised accounts was $117.5 million.
3: Your organization’s reputation is at stake.
In addition to being expensive, suffering a data breach or other cyberattack can impact how other organizations or individuals feel about your organization. According to a survey conducted by Security.org of 1,000 people (including 300 victims of data breaches), 67.3% of the respondents had less trust in a company if they had a data breach, and 21.6% would not share their personal information with such companies.
Of course, cyberattacks are not 100% preventable. However, the organizations and individuals that you work with expect you to perform an acceptable level of due diligence to mitigate your risk. An investigation often follows a data breach, especially one that impacts a large number of people or organizations. Once an organization suffers a security breach, its reputation is damaged, and while recovery is possible, it is difficult.
Consider the following companies that struggled after a data breach:
- Capital One – Shortly after they suffered the large data breach mentioned above, the stock of this large financial institution decreased in value.
- FlexMagic Consulting – This small firm operated their business successfully for 34 years, had an A+ rating with the Better Business Bureau (BBB), and reported $2 million in annual revenue. They experienced just one data breach, but the effects of it forced the company to close their doors forever.
- LabCorp – In 2018, this large clinical laboratory suffered a ransomware attack that compromised millions of patient records. In 2019, the laboratory learned that 7.7 million of its patient records had been accessed by unauthorized individuals via its collection agency, American Medical Collection Agency (AMCA), for eight months. In 2020, a website misconfiguration by the laboratory led to 10,000 company documents being exposed. In addition to its stock losing value, LabCorp is the subject of multiple lawsuits by patients impacted by the multiple data breaches.
4: Cyberattacks are on the rise.
One constant about cyber threats is that they are increasing. There are many reasons for the increase. One of the most common is that cyber threats are closely tied to major shifts in technology. Advancements in technology provide convenience but also new opportunities for exploitation by cyber criminals.
Cyberattacks are also on the rise because of a series of special events. The 2020 presidential election was a major event with such increased cyber activity that the director of the National Counterintelligence and Security Center (NCSC) issued a press release warning Americans about international threats. Most recently, the Federal Bureau of Investigation (FBI) reported an increase in cyberattacks due to the COVID-19 global pandemic. Healthcare organizations have been targeted for vaccine information, video communication (increased during this time of social distancing) is being hacked, and social engineering attacks abound amid the news of government stimulus checks, COVID-19 vaccinations, and unemployment benefits.
The following are three additional reasons cyberattacks are increasing:
- IT departments are understaffed and can’t keep up with cybersecurity demands.
- A new digital currency (bitcoin) is available to exploit or use as ransom payment.
- Cyber criminals want fame and compete to orchestrate the largest attack.
5: Your greatest security risk requires constant coaching.
It’s a common belief that the weakest link in a cybersecurity strategy is employees. A great example is a report by Trend Micro that uncovered that nearly 100% of the cyber threats based on the COVID-19 pandemic were spam or phishing threats. Human error is difficult to reduce and is probably one of the most important reasons you should focus on improving your cybersecurity strategy.
Training employees about phishing and other types of social engineering cyberattack methods is obviously the best method of increasing employee awareness. However, you should focus the training on the weak areas of your employees’ behavior. The HubSpot Your Guide to Employee Phishing Scams document includes a suggestion of simulating phishing attacks to both train employees about them and test their awareness. You can easily carry out the simulations on a regular basis and adjust your cybersecurity strategy as needed.
Next Steps
Effective cybersecurity requires a dynamic process for protecting your organization’s data against the sophisticated and increasing threats of cyber criminals who are constantly changing their tactics. When should you review your cybersecurity strategy? That depends on your organization. If your organization operates within an industry, such as financial institutions, with security compliance requirements, those standards will mandate the intervals in which updates are required.
If there are no mandates or regulations for your organization to contend with, consider improving your cybersecurity strategy at a regular interval your security team determines proactively, or whenever there are major changes in your organization or industry, an increase in a type of cyber threat that is a weakness for your organization, or a shift in technology or information that impacts your organization.
Here are five steps you can take to improve your cybersecurity strategy:
- Review the objectives from the last iteration of your strategy.
- Evaluate the current protection of your sensitive data.
- Evaluate employees’ security awareness.
- Update the cybersecurity strategy based on your findings.
- Obtain approval from key roles in the organization.
- Repeat steps 1 to 5 on a regular basis or during specific shifts that impact your business.
If your security team is struggling to develop a comprehensive cybersecurity strategy, the security consultants at BACS can provide assistance. We understand that every organization is unique in its cybersecurity needs. We conduct in-depth assessments of IT infrastructures to learn the scope of an organization’s security needs. We can then work with you to develop an effective strategy for your organization.