Helping CEOs Understand the Cyber Threat Landscape

Typically, a company’s CEO is more concerned with profits, brand, shareholders and future opportunities than they are about tactical day-to-day operational issues like cyber security. Yet according to AT&T’s annual report, more than 90% of attacks they log are preventable! Since few things can destroy a company’s reputation faster than a data breach, and the vast majority of cyber security attacks are preventable, it is imperative that the C-Suite takes the necessary steps to understand and minimize their risk profile.

First, let’s break down cyber security into two major components: Attacks and Defenses.

Attacks

These come in many forms, and it seems there is daily news about something new. But fundamentally, they fall into one of two buckets. They are either technology-enabled, such as a software bug that allows inappropriate access to your data, or socially-enabled, such as spear phishing. AT&T’s findings show most of these are preventable because they are repeats of known vulnerabilities for which a fix exists, or just variants of them. Three major categories of internal technology-enabled threats are:

  1. Malware – code designed to do something “mal” or bad for the benefit of the originator, at your expense. This could be anything from data theft to operational disruption.
  2. Ransomware – designed to extract a ransom for either the release of your data or the removal of incriminating / illegal data put on your system by the originator.
  3. Advanced Persistent Threats (or APTs) – designed to infiltrate your systems, remain undetected for extended periods of time, and locate then compromise critical data by theft or destruction.

The most common external threat is the Distributed Denial of Service (or DDoS) attack. These attacks are designed to shut you down for legitimate business by flooding and overwhelming your systems so your customers cannot use your services. While sometimes done just to harm the target company, DDoS attacks have also seen an increase in accompanying ransom threats.

Defenses

Again, these are generally either technology-enabled or socially-enabled. A great deal of attention and money is, and must be, spent on technology-enabled defenses such as firewalls, log monitoring, email filtering and anti-virus software. The goal of technological defenses is to stop attacks on the outside, or at least detect their existence quickly.

Yet repeatedly, we find that the socially-enabled defenses represent a huge exposure. Spear phishing and other social engineering techniques are difficult enough, but with the rapid advancements in mobile and cloud, people are being duped into risky actions on a daily basis, often just because of ignorance about the new technology.

Education and Awareness – the new “normal”

A harsh reality in the marketplace boils down to this – while people may be our most valuable asset, they are also, in many cases, our most vulnerable resource. You no doubt have a formal “safe computing” awareness training program, and likely require all employees to take a refresher and certify at least annually that they are aware of the guidelines. This is a great first step, but with the constant barrage of attacks and the ever-changing threat landscape, this traditional approach is no longer sufficient. Annual reviews and refreshers raise awareness at a point in time, but that effectiveness gradually subsides over the year. You need your employees to be constantly vigilant in the fight against cyber threats, and your education program must constantly adjust to the changes in the threat landscape.

The latest methodologies for cyber security training take a different approach from the former “one-and-done” model. Newer research shows that advanced learning techniques are more effective at developing long-term behavior changes. These methods are even more effective when combined with a program that examines and tracks qualitative results. Too much is at risk to remain with the status quo. After all, a simple click on a link in an email or an ad on a web page is all it takes to open the door to a devastating cyber attack against your company.