The average company today has an ineffective security posture, and this ineffectiveness is illustrated in many ways. The average cost of a cybersecurity breach is $4.5 million, with losses potentially affecting privacy, company reputation, legal liability, market share and disruption of supply chains.
Studies of executives show that a loss of reputation remains a primary concern, with 85 percent of executives citing reputation as the most important factor, as reported in the Harvard Business Review. Even worse is when companies don’t realize that these problems are occurring right under their noses.
Passwords are still a problem, because most people still have free reign to choose the passwords they like and remember. This leads to names, birthdates, pet names, spouse names, children — all of which are very easy to crack. Your password instead needs to be meaningless, it needs to be complex and it needs to feature a variety of characters. Today we have password manager programs that are an excellent opportunity to strengthen and secure all your passwords in one place. These password policies need to be implemented throughout the company and enforced.
This means to lock down the stuff on your desk, including your personal and work laptops, as well as your smartphone and any other network connected device. Companies are notorious for not locking everything down. Remember: you’re as safe as your weakest point. Keep these devices stored in a safe place. The rule above regarding passwords also applies to smartphones and tablets: don’t use “1-2-3-4” or your birthday as your unlock code. Lock your laptop if you get up to get a cup of coffee and you’re only going to be gone 10 minutes; someone can happen by and maliciously install malware on this device and you’d never know it. There should be a policy for this spelled out and implemented throughout the company.
If someone can get their hands on a device they may be able to get inside it. Lock it up, put it in your desk, and lock your office door. This sounds basic, but it’s not so simple. I worked for some of the largest IT vendors in the world and virtually every networking vendor had a way to access the device if they had physical access to it. A man with an electrician’s uniform can go up to most receptionists at most company offices and gain access to their electrical closet within minutes. Once inside, in the privacy of that closet he can break into any device. This means he owns your network, which means he owns your peace of mind. Lock it up, keep it locked and ensure your policies reflect this.
Train your people
It can be easy to train people on proper security procedures and the proper ways to handle sensitive data. Train your employees to recognize attacks when they occur and to look out for other malicious players in your midst. More than half — 60 percent — of all attacks originate inside of your network. It’s not too hard to have simple policies and procedures that instruct employees on how to look for suspicious behavior and to have a clean and effective way to report it. You need to be able to audit the training results carefully on an ongoing basis to make sure it’s being effective.
Cybersecurity needs to be a priority
The way cybersecurity is communicated to a company’s user community often involves a lack of focus. Security needs to be a priority and it needs to be a priority from the top down. Verizon’s Annual Threat Report showed 65 percent of corporate executives believe data security is a top priority. Leadership should lead by example to show they’ve made cybersecurity a primary concern. This PR effort is internal and critical to your cybersecurity. Note that process and not technology are the key commonalities.
A strong security policy
I used to enter clients’ environments to evaluate their security, and I’d ask if they could show me their security policy. Most of the time I’d get sheepish looks and embarrassed smiles, but no actual security policy. Studies have shown that about 38 percent of companies admit to not having any security policy at all, and I believe that actual number is much higher. Have a strong security policy. It should be driven and supported by the executive level; otherwise it will mean nothing. This is the root of successful security posture.
Test your security
If you think you’ve put together a rock-solid security policy, you need to be sure of it. This requires testing and evaluation by an objective third party you can trust, not your internal IT department which has a vested interest in proving that your current security posture is just fine. As principal of a corporation, your job is to deal with the possibility of failure. This is the only way to know for sure, short of having an actual breach.
Demand excellence from security pros
It doesn’t matter if your security professionals are your in-house IT people, or a security contractor, or a security products vendor. You need to ensure there’s an environment of excellence from these providers. You need to communicate to them that you expect the serious concrete results laid out, on paper. You need to make sure you have in place the policy that demands specific performance objectives. There should be metrics to measure your people on these criteria. You don’t need to be a security or technical expert yourself, but you definitely need to communicate your expectations. And you need to see regular, executive level reports to verify this.
Have a plan
Be ready for the attack that will inevitably come your way. This is not an eventuality — it’s unequivocal. Be ready to respond quickly and cleanly. This can be the difference between an attack and a major breach that lands you on the front page of the newspaper. The first is a problem; the latter is a catastrophe. And this cannot be emphasized enough: a major breach is what we’re ultimately trying to prevent. The exposure in the media can be intense, so be prepared with your response.
This may sound simplistic but it’s not. A large number of executives leave the decisions regarding what’s going to happen to their security posture up to subordinates. Even worse, it’s basically left up to the hacker to decide which direction you’re going to take. Place your future into your own hands; it’s not that complex with the right help, and the right path to get you there is a very real and achievable objective. These are all process issues above, and a better process is where it will be fixed. You should take action immediately, because the cybercriminals are working on it today.
Jerry Hutcheson is a writer, public speaker and consultant. His company Cybercreed Consulting helps company management and executives protect themselves from cyberattack. He has a book coming out shortly titled “One False Click: How to protect yourself in the coming cyberwar.” www.jerryhutcheson.com.