When it comes to cybersecurity, there are three basic knowledge issues that plague most organizations:
- They don’t know what data assets they have.
- They don’t know where it is stored.
- They don’t know how secure it is.
A good recent example is the July 2019 Capital One breach, where a hacker is said to have accessed credit card customers’ and applicants’ data via a firewall misconfiguration in the firm’s cloud infrastructure. Having answers to the three questions above might have helped prevent this loss of valuable data and even more valuable customer trust.
For the longest time, the common rule among firms was to “collect as much info as you can from visitors/members in hopes that it might prove insightful one day.” Such unnecessary collection of unessential data is still prevalent on most websites, mobile applications, and, sadly, brick-and-mortar stores. Would-be users are faced with the decision of either forking over non-consequential data or forgoing discounts at best. At worst, they’re forbidden access to tools that today’s society deems necessary (banking tools, social media, etc.). Their data – phone numbers, email addresses, geographical locations via IP addresses, etc. – which can be used to identify them completely, have become the mandated price of entry. This cost, at first a light burden to consumers and a supposed boon to the businesses and sites they patronized, is now correctly recognized as a double-edged sword: insightful and valuable, yes, but also a severe liability due to the ever-increasing prevalence of hacking and data abuse.
The number of cyber attacks, data breaches, data leaks and espionage incidents has increased dramatically and devastatingly in the past decade, with cyber crime evolving into a sophisticated industry for “hacking” companies. These companies operate with ever more impunity, some with physical buildings and regularly paid employees, and reside primarily in places where authorities turn a blind eye to their operations. These firms create the demand for their own services by attacking targets and then, posing as legitimate cybersecurity companies, providing the solution to those hapless victims, at a cost.
This year, the World Economic Forum listed cyber threats behind climate change and natural disasters as the fourth greatest risk to world economies. Companies and individuals residing in locations that have been lauded for their social fabric and lack of corruption are no longer as insulated as they once were by geographical boundaries from the lawlessness and vicious criminal activities present elsewhere. Through the connection of the internet of things and mass migration of data to the cloud, all data is accessible with the right tools or information. Cyber criminals now use AI to create nearly undetectable polymorphic malware code and to personalize attacks. The dark web provides increasingly sophisticated communication tools and a relatively secure marketplace to hackers. Worse, the massive amounts of money in play in this industry grow exponentially. All of these factors have rendered cyber crime defense a never-ending race to stay ahead of cyber criminals, and sadly, since no one – company or individual – is immune, all must participate.
[Infographic: cost of cybercrime, courtesy of Raconteur]
What are the first things that companies and individuals should do to avoid suffering a devastating attack?
- Do a Data Asset Audit. Know what you have, where it is stored, and how well it is protected. Follow a standard data asset framework tool like SOC 2 to accomplish this.
- Do a Risk Analysis. Use a standard risk analysis tool like NIST 800-53 and understand the potential impacts of your vulnerabilities being exploited.
- Determine Your Risk Appetite. Figure out what damage you can live with, and prioritize defending against the damage that will cause the most detriment.
- Implement Defensive Measures. Hire a well-known or recommended firm to help resolve your prioritized vulnerabilities. Fix easy issues first, like training employees on best practices and observing least-privilege access rules.
- Manage and Maintain. Last, but not least, form an emergency plan and establish best practices for monitoring your systems and managing your data. If possible, also have a cybersecurity firm on retainer to help you restore systems and mitigate damage at a moment’s notice, not if, but when you are successfully attacked.
Of course, the first action item, if you are a company, is to convince your decision makers that these steps are necessary and must be prioritized. That’s easier said than done. However, if the quick rundown of facts in this article isn’t sufficient, bring us in to make the case for you.