Threats evolve and so should you.
What’s on the horizon for the cyber threat landscape? Let’s put it this way: Attacks are increasing, the threats are constantly changing, and no one is immune to a data breach. (One timely example of this is the WannaCry ransomware, which hit 100,000 organizations in 150 countries just last week.) However, you are not powerless.
Taking a hard look at your company’s cyber security practices is crucial. As you do that, keep in mind that complacency is just as dangerous as the cyber threats themselves. Being alert to cyber trends like the following will hopefully get you motivated to update and strengthen your organization’s cyber security—starting now rather than later.
Don’t take it personally: The attraction of smaller targets
The high-profile data breaches that grab the headlines—think Sony, Target, and the Democratic National Committee—can lull small and mid-sized businesses into believing they’re not a significant enough entity to be a target. That would be a mistake. Breaches continue to increase at small and mid-sized companies despite their lower volume of data. Why? Because their cyber security is likely to be less robust, and that means the potential return on investment for attackers is higher.
It’s also important to understand that hackers generally don’t work from a predetermined “list” of targets. They’re simply looking to make money from whomever they can, and they do this by first running automated scanning tools that sweep regions—by area code or ZIP code, say—for potentially vulnerable systems. In other words, it’s a largely impersonal operation. Your company’s low profile or small size does not protect it.
Ransomware will find new platforms to invade
Chances are good you’ve heard of CryptoLocker or other ransomware that can enter your systems via a seemingly innocuous hyperlink or attachment in an email. This kind of malware then goes to work by restricting access to your networks, files, etc., and demands a payment—a ransom—to restore access. Although it’s true that ransomware attacks increased 50 percent in 2016, there is a countervailing trend: improved redundancy practices.
Organizations are backing up their critical data more frequently thanks in large part to cloud providers, who continue to help minimize the ransomware threat by delivering efficient, inexpensive solutions for real-time or near-real-time data backup. This does not, however, signal the demise of ransomware.
Cybersecurity experts anticipate a coming new wave of ransomware that targets the supercomputers almost all of us are walking around with—smartphones. The lesson here is twofold: Review your company’s data redundancy practices and extend your vigilance and security to company mobile devices.
More cloud customers doesn’t necessarily mean more security for you
As the preceding point suggests, using cloud services definitely has its benefits. Not surprisingly, the number of organizations—both private and public—that are migrating to cloud computing capabilities will continue to grow.
Large cloud providers such as Amazon Web Services and Microsoft Azure are likely more secure than the systems that individual organizations can build internally. However, that protection covers the cloud providers’ underlying infrastructure, not necessarily the applications their customers deploy on it. Don’t become complacent and think that the cloud = security. Applications hosted in the cloud still have many access points within an organization’s internal network. Cybercriminals look first for access—it doesn’t matter to them where the data is stored, only the path to get to it.
Companies must make cybersecurity a company-wide issue
Having staff sign off on a cybersecurity IT policy in your employee handbook isn’t enough. Cybersecurity must be a transparent, company-wide expectation. In fact, top-level management needs to be even more cyber-savvy than other employees because they typically have broader access to sensitive information and are more likely to be accessing it over an unsecured network.
Training for your entire organization should be conducted at least annually and should include information about the latest relevant threats as well as the overall cybersecurity environment. It should also include simulated phishing exercises and alerts about social engineering tactics.
Also, develop an IT process for handling security-related red flags. Employees need a way to report suspicious activity or emails to an internal resource so they can be addressed in real time.
Cybercriminals have the upper hand; they need to be successful just once to wreak havoc with your data. The best way to combat this is to initiate thorough, effective company-wide cybersecurity training.