October is Cybersecurity Awareness Month.
For centuries, people and businesses have been protecting information they didn’t want others to have. Whether they kept it in a safe, hid it in the walls of buildings or protected it with some kind of code or cipher, the idea of keeping personal information secure is not new.
For as long as people have been trying to keep information secure, there have been others who try to gain access to it. If you search for “first information security breach” in your browser, the results will lead you to believe that it was credit card information stolen in 2005. Or maybe it was when Tommy Tutone gave us Jenny’s phone number (867-5309) in 1981? I’ll give you a minute to finish singing that in your head…
The scope of risk has vastly increased.
The amount of information being stored digitally has increased exponentially in the last 20+ years, with businesses storing terabytes of data. In addition, information has become more valuable, because it can be instantly disseminated across the world, and with the introduction of the dark web, stolen information is a profit center for hackers.
There are more attack surfaces than ever before.
Your only fear is no longer that someone is going to rob your physical location. Now you must also be concerned that your computer systems are getting hacked, your users are getting socially engineered, your identity is being stolen, and your Internet of Things (IoT) connected devices are getting compromised.
The requirements for individuals and businesses have increased significantly.
There are data privacy and/or breach notification laws in all 50 states, there are industry and government compliance requirements, and more often businesses are including data security requirements in their vendor contracts. The penalties (monetary, reputational and contractual) for not meeting these obligations are becoming more severe.
While there are many types of threats, here are some of the most common:
Social engineering – This is the most popular way for a business to be compromised. Your employees, team members, staff and users are your #1 attack surface. They are your Bugs Bunny to the hackers’ Elmer Fudd. This happens through a phishing email, a phishing phone call (also called vishing), or through in-person manipulation. Widely cited industry estimates hold that roughly 91% of compromises start with an email link that someone shouldn’t have clicked, or an attachment they shouldn’t have opened.
Ransomware – This attack most often begins with an employee clicking on an email link or downloading a file that looks legitimate but is not (phishing). Once that link is clicked, or the file is opened, the malware renders the data on the system useless (through encryption) and the hackers demand a payment to provide you the decryption key so that you can have your files and access back. If you choose not to pay, your system will need to be rebuilt and restored from a back-up in order for you to continue working, which only works if you have a recent back-up that the attackers could not also encrypt or delete.
System compromise – This could manifest in a variety of ways, from compromising your email system and sending phishing emails through your account, to taking control of your servers and most things in between. We have seen, first-hand, the compromise of email systems, the exfiltration of data, the redirection of invoice payments, the interception of critical documents and the loss of servers, data and money that can occur when your system is impacted by unauthorized access.
Knowledge is power when it comes to Cybersecurity. Here are some ways that you can work to protect your business.
Make sure that you know what data you have. Understanding the data that you are storing is a critical component of preventing a compromise of that data. This may seem like a fairly obvious statement, however there are often situations where information is being stored when or where it shouldn’t be, and data you don’t know about is data you can’t protect.
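As an added example (not code from the original article), the following script shows one way to act on this advice: it walks a file tree and flags files that contain patterns resembling U.S. Social Security numbers or payment card numbers, using a Luhn check to cut down on false positives. The directory layout, file names and contents are constructed for the demonstration, and the regular expressions are illustrative rather than an exhaustive definition of either identifier.

```python
"""
Added example: a small data-discovery scan for a file share.
Walks a directory tree, looks for SSN-shaped and card-shaped values
in text files, validates card candidates with Luhn, and reports
masked findings so the report itself does not leak the data.
All sample files below are constructed for this demonstration.
"""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass

# Illustrative SSN pattern: rejects area 000/666/9xx, group 00, serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass
class Finding:
    path: str
    kind: str       # "ssn" or "card"
    line_no: int
    masked: str     # only the last four characters are shown


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    return "*" * (len(value) - 4) + value[-4:]


def scan_file(path: str) -> list[Finding]:
    """Scan one text file line by line; unreadable files are skipped."""
    findings: list[Finding] = []
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            for n, line in enumerate(fh, 1):
                for m in SSN_RE.finditer(line):
                    findings.append(Finding(path, "ssn", n, mask(m.group())))
                for m in CARD_RE.finditer(line):
                    digits = re.sub(r"[ -]", "", m.group())
                    if 13 <= len(digits) <= 19 and luhn_ok(digits):
                        findings.append(Finding(path, "card", n, mask(digits)))
    except OSError:
        pass
    return findings


def scan_tree(root: str, extensions=(".txt", ".csv", ".log")) -> list[Finding]:
    """Recursively scan files with the given extensions under root."""
    results: list[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                results.extend(scan_file(os.path.join(dirpath, name)))
    return results


def build_sample_share() -> str:
    """Create a constructed sample 'file share' in a temp directory."""
    root = tempfile.mkdtemp(prefix="datascan_")
    samples = {
        "hr/onboarding.csv": "name,ssn\nAda Example,123-45-6789\n",
        "finance/orders.log": "order 42 card 4111-1111-1111-1111 approved\n",
        # A phone number and a card-shaped value that fails Luhn: no findings.
        "marketing/notes.txt": "call 867-5309; tracking 1234 5678 1234 5678\n",
        # Area number 000 is never issued: no finding.
        "it/ticket.txt": "invalid ssn 000-12-3456 rejected\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for f in sorted(scan_tree(share), key=lambda f: f.path):
        print(f"{f.kind.upper():4} {os.path.relpath(f.path, share)}:{f.line_no} {f.masked}")
```

Point the scan at a real share by calling scan_tree on its root instead of the constructed one. Expect some false positives from order numbers and similar values; the goal is a starting inventory of where regulated data lives, not a perfect classifier.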
Understand what compliance requirements you must adhere to. These obligations could be state data privacy laws that protect resident information, federal laws such as HIPAA, or contractual obligations included with vendor or client contracts. While there are dozens of compliance frameworks that you may need to adhere to, here are some common ones that may apply to your business.
HIPAA – protects Protected Health Information (PHI).
RSA 359-C:20 – breach notification for New Hampshire resident data.
MA 201 CMR 17 – protects the personal information of Massachusetts residents.
NIST SP 800-171 – protects Controlled Unclassified Information (CUI) handled by Department of Defense supply chain contractors, imposed through the DFARS 252.204-7012 clause in DoD contracts (NIST SP 800-171A is the companion assessment guide used to verify compliance).
Contractual compliances with clients or vendors.
Have a plan for how you will respond in the event of an incident. Do you know what you would do if your organization experienced an incident? This could come in the form of a lost or stolen laptop, compromised credentials, ransomware, social engineering, system compromise, inadvertent exposure of data (emailing confidential information to the wrong person), etc.
For these situations, do you have a plan for how to respond to and address them? Do you have a plan for rebuilding, or recovering your system should critical data be lost? Do your employees know what to do in these situations? No one likes to think or plan for the worst, but in order to mitigate your own risk, it’s critical that you have a plan to respond before you have an issue. Trying to figure out how to address an incident when you are in the middle of one is like trying to plan for a blizzard two hours after it starts.
This may be a lot to think about, but every step you take to identify and understand the risk to your organization, is a positive step forward. Celebrate Cybersecurity Awareness Month today by planning for and protecting your future success. The more you know, the better you are able to protect your business and its interests.