Security investments and culture
Events of late have once again highlighted the importance of cybersecurity for companies large and small. The critical nature of technology in the fight against cyber threats can’t be underestimated and those relying on old technology or simply the most basic defences are looking for trouble.
How many small businesses can afford a ransomware demand of $5000 or more? How many large corporations have to suddenly spend millions in ransomware extortion costs or updating their cyber technology after an attack, not to mention the soft expenses like PR and appeasing your customers and partners? Garmin is said to have paid a $10 million ransom to get back access to its data, but how much more will it take to restore its reputation?
In South Africa, not defending adequately against cyber-attacks and losing personal data will soon also land you in trouble with the Protection of Personal Information Act, which will have its own consequences. And a failure in one’s defences does not always mean not enough technology is in place, it can also be bad decisions by staff.
An often ignored part of a cyber-attack of any kind is the role people play, most often accidentally, allowing malware in. Chris Ogden, CEO of RubiBlue says that while cyber-attacks are a fact of life, many companies and individuals have not reached the point where effective defences are also a fact of life, especially when it comes to employees.
“When it comes to security, any type of security, one always has to start with the individual,” he explains. Everybody must understand their role in securing the organisation and the consequences of not doing it. If someone has access to sensitive information and runs a malware script by clicking on an attachment or plugging in a USB drive they found, they are a single point of failure in the organisation’s security posture. And with people working from home, security awareness may be relaxed, which is yet another risk to organisations.
Ogden adds that many people, at all levels, still haven’t grasped how dangerous it is to simply share information with others – like passwords or confidential information. Convenience often wins out over common sense, even after people have been trained. The solution is for each person to take ownership of their security responsibilities and they must be taught the consequences of failure. Especially in smaller companies, for example, failure can result in the business closing.
Plan for the worst
There are enormous profits to be made from cybercrime today, and very little can be done to stop the criminals. Laws against hacking and such do little to assist companies as most cybercriminals operate from foreign countries, and even local ones know how to hide their identities. The capabilities of law enforcement in this regard are also lacking.
Ogden says it is therefore imperative that organisations plan for the worst. “Having planned your defences, through both technical solutions and human training, you also need to plan for failure: what if they do get in?”
An organisation can have cyber-insurance to handle the costs of a breach, or most of the costs, but how are you going to reassure your customers and partners that you are back on track and it is business as usual? Perhaps a better question would be to ask if you can get back on track.
Be ready for an emergency restart
What are you going to do about your data and systems? Do you know which data or systems should be considered your ‘treasures’ and should receive the ultimate protection? Do you have backup systems that actually restore data and will allow you to be up and running quickly? Do you know who has access to your data treasures? Does everyone with access need it?
As noted, with more people working from home now, it is even more important that they be educated about security and their role. Homes do not have the budget to install the same security that is in place at work and people therefore need to be even more vigilant and careful. A culture of security needs to be built and staff need to understand that their responsibilities do not stop because they are not in the office.
“A security mindset is actually a corporate asset given the risk environment today,” states Ogden. “Just as you budget for security technology and services, you need to budget for employee training and awareness campaigns, and it doesn’t hurt to screen new employees before hiring them.”
In the cybersecurity world, failure is an option. In fact, it is almost guaranteed that at some stage you will be hit. Ogden recommends that organisations not only plan their risk mitigation strategies using both technology and people, but also plan for the worst. “If the worst does happen, know what you need to do and make sure you can get back up and running – safely – as fast as possible.”
As seen on Security SA