To participate in the digital economy is to engage in a difficult balancing act between protecting and surrendering private data. Companies are working harder than ever to personalize their customer experiences and develop the intellectual property that differentiates them from competitors, all while collecting a massive amount of information about behaviors and preferences and doing their best to protect it against bad actors.
As a result, cybersecurity has never been of greater concern, and the costs of cybercrime to both businesses and consumers are mounting. A recent report from McAfee put the global annual cost of cybercrime at approximately $600 billion, and they expect that number will only continue to increase over time. Spending on cybersecurity has reached incredible highs in recent years. Gartner estimates that spending on enterprise cybersecurity will exceed $124 billion in 2019, an almost 9% increase from their 2018 spending estimate of $114 billion.
But the costs to business go beyond the money. Consumers are aware that their data is a valuable resource and that its theft and misuse will have serious consequences. In a recent IBM survey of more than 10,000 consumers around the world, 78% of US respondents believe it's critical to keep a customer's data secure, but only 20% believe companies are taking enough steps to do so. In a Ping Identity survey of more than 3,000 consumers from the US, UK, France and Germany, 78% of respondents said they'd no longer interact with a brand online after a data breach, and 36% say they would stop interacting with the brand altogether. 49% of respondents report they would never initiate contact with a recently compromised business.
And concern continues to spread. Following a series of high-profile breaches, government focus on cybersecurity is at its most intense. The European Union has taken the first steps toward a unified policy with the recent implementation of GDPR, which essentially criminalizes failure and forces any business with a digital presence (all of them) to be better stewards of consumer data for fear of legal repercussion. Other governments are expected to follow their example in the near future with more stringent laws of their own.
Cybersecurity will never become less complex or necessary, but listed below are seven essential steps we believe leading CIOs of organizations of any size should take today to shrink their attack surface and protect against inevitable future attacks.
- Develop a comprehensive cybersecurity strategy.
In a recent survey from management consulting firm A.T. Kearney of 400 executives and board members around the world, cybersecurity was ranked as their number one concern for the third year in a row. But despite the admission that nearly 85% of their businesses have experienced a breach in the last three years, only 39% of those surveyed have developed and implemented a comprehensive cybersecurity strategy. The stakes are too high to linger among the remaining 60%.
Instead of addressing cybersecurity risks on a case-by-case basis as they are discovered, businesses should take a top-down, holistic approach to the challenge, focusing on the people involved as well as the technology. The most sophisticated cybersecurity software counts for nothing if an email phishing scam or ransomware attack finds a victim willing to download a malicious file. From the CIO or CTO to the newest hire, it's vital that every member of an organization be trained to understand potential threats to the business, and that more sophisticated attacks can rely on social engineering as often as brute-force techniques. To maintain a culture of knowledge and prevention, it can even be worthwhile to test employees from time to time with mock attacks and scams, managed by either a third-party specialist or internal experts.
- Require multi-factor authentication.
Multi-factor authentication (MFA) is not a new technology, but in a digital world of ever more sophisticated security-breaching techniques and tools it's more important now than ever. According to a recent Verizon report, almost 95% of web-based application breaches were enabled by weak or stolen credentials, usually obtained via phishing schemes or keylogging. Of course, a strong, consistently updated, and unique password is a vital first step toward security, but it's always better to "measure twice and cut once."
Because MFA usually requires at least two pieces of evidence to authenticate a login attempt—a password plus access to an individual's personal device or email for a one-time code or token—it's much more likely that the user is who they say they are. And by incorporating behavioral data, location information, and more to verify remote access, IT departments are able to more easily differentiate genuine and fraudulent login attempts. The best part of MFA? The cost of implementing the service is usually low and the training required is minimal. Most employees are likely familiar with MFA from other digital experiences, such as mobile banking, so it should be easy for most in the organization to comply with this quick and simple upgrade.
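The two-factor flow described above, as an added example that is not part of the original post: a password check, an RFC 6238 time-based one-time code (TOTP) bound to the user's device, and the contextual signals (known device, last-seen country) used to decide whether a login is allowed outright or needs further verification. The secret, device list and location data are constructed test values; a real deployment provisions a random per-user secret.

```python
import hashlib
import hmac
import struct

# Constructed demo data. The secret is the RFC 6238 SHA-1 test-vector seed,
# used here only so the generated codes can be checked against the RFC.
DEMO_SECRET = b"12345678901234567890"
KNOWN_DEVICES = {"alice": {"laptop-7f3a"}}   # devices enrolled for the user
LAST_COUNTRY = {"alice": "US"}               # last country the user signed in from

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time counter, then dynamic
    truncation (RFC 4226) to a fixed number of decimal digits."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to absorb
    clock drift between the server and the user's device; compare in
    constant time so the check leaks nothing about the expected code."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False

def login_decision(user: str, password_ok: bool, code: str,
                   device_id: str, country: str, now: int) -> str:
    """Combine the password, the second factor and risk signals.
    Returns 'deny', 'allow', or 'step-up' (valid factors, unfamiliar context)."""
    if not password_ok:
        return "deny"                      # first factor failed
    if not verify_totp(DEMO_SECRET, code, now):
        return "deny"                      # second factor failed
    unfamiliar = (device_id not in KNOWN_DEVICES.get(user, set())
                  or country != LAST_COUNTRY.get(user))
    return "step-up" if unfamiliar else "allow"
```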
- Embed preventative measures in every component of your IT infrastructure.
With the ubiquity of Internet of Things-enabled infrastructure components and machinery comes increased risk of malware infection at every level of your IT infrastructure. It's not enough to hope that passwords protect your wireless access points, or that the familiarity of IP phones and telepresence equipment makes them safe. Every component that comprises your IT infrastructure should be incorporated into your cybersecurity strategy and equipped with preventative measures. Ideally, each component is incorporated into a monitoring system that allows administrators to gain a complete view of the IT infrastructure's health and behavior.
This becomes especially important as industrial and commercial operations become more interconnected and attack surfaces continue to expand. Always-on connections to cloud services, social media credentials, increased remote access, and the like all enable a multitude of new attack vectors via devices and components that are traditionally overlooked. For instance, if a remote worker has access to industrial machinery, it's vital that, beyond the preliminary precautions of creating a VPN connection and enabling MFA for the remote connection, the machinery is able to protect itself with controller software equipped to determine who has access to its programming and what kinds of changes are allowed.
- Minimize and encrypt the customer data you collect.
Although collecting a wealth of customer data can help create better experiences and increase profits, the less data you have on hand, the less data can be compromised in a breach. Beyond the basics, such as name, mailing address and email address, it's usually harmless to collect user preferences and some basic demographic information. But when it comes to credit card details, is that information you need to store yourself, or could you leave the responsibility to another service better suited to the task?
GDPR outlines an array of restrictions and recommended behaviors, but its primary focus is the security of customer data: how it's being collected, how it's being stored, and how it can be deleted should a customer want the collector to do so. The regulation may not explicitly state that businesses must encrypt customer data, but most interpretations conclude that it encourages encryption almost to the point of requiring it. By encrypting all customer data from the start, you make it far more difficult for any bad actors to abuse the information, even if they manage to breach your security.
- Test for weaknesses before someone else does.
It can be alluring to imagine that if you've thoroughly planned your cybersecurity strategy and taken precautions, attacks only happen to other, more attractive companies. But no matter the size or prestige of your company, if you conduct business online you are to some extent a data company and must count yourself a target. As such, it's vital that you understand your cybersecurity apparatus' weaknesses from the outside in, and the only way to do so is through penetration testing.
Although bringing a third-party firm in to assault and assess your cybersecurity can be expensive—anywhere from tens to hundreds of thousands of dollars—it costs far more to suffer a data breach, with recent estimates putting the average cost to business at $3.8 million. For many small- to medium-sized businesses, a significant breach can mean erosion of brand reputation and possibly the death of the company. But responsibility doesn't rest solely with those conducting the pen test. In addition to implementing the recommended fixes, IT has a responsibility to perform the same vital pen test function from within, working to break new products and services as often as supporting them.
- Recruit or repurpose IT staff wisely.
It's no secret that around the world there's a tremendous cybersecurity skills shortage. Between the rapidity with which the field has evolved, the specialized knowledge involved, and the universal need among businesses for cybersecurity expertise, the industry is stretched thin. One estimate from a recent ISC2 "Cybersecurity Workforce Study" put the number of vacancies globally at nearly 3 million. A surge of people entering the profession is expected in the coming years—especially among female candidates, who currently account for only 14% of cybersecurity positions—but even with an influx of young professionals, the lack of experience may prove a liability.
In the interim, CIOs have an opportunity to repurpose and retrain those members of their IT department best suited to cybersecurity responsibilities. Numerous classes and courses have been developed in recent years to give IT professionals the experience they need to get started in the field, augmenting their knowledge of an organization with the technical knowledge needed to protect its most valuable digital assets.
- Make cybersecurity a major part of business planning.
As mentioned above, spending on cybersecurity is at an all-time high and is expected to increase year over year for the foreseeable future. This expense, plus the potential costs of cybercrime, compounds to have a serious impact on any organization's bottom line. It's vital that cybersecurity be a major point of discussion when it comes to budget allocations, revenue projections, and business strategy.
The strength of a digital business venture could very well depend on the strength of an organization's cybersecurity apparatus, so ideally the executives responsible for managing digital health should be involved in the highest-level conversations, alongside the CEO, CFO, and the like. Beyond the technical expertise these executives can provide to product development with regard to exploitable flaws and vulnerabilities, they can analyze and explain the financial impact of potential incidents and help plan ahead.
It can often feel like IT teams are rushing to catch up, keeping the lights on and responding to every emergency with the same intensity. But by developing and following a cybersecurity plan that takes into account the ideas listed above, CIOs are a few steps closer to a cybersecurity strategy better equipped to minimize the risks.
Like what you read? Stay current on TenFour's IT industry insight by subscribing to the Access Point blog, or connecting with us on LinkedIn, Twitter, and Facebook.
To learn more about TenFour, check out our Customer Journey page, or email firstname.lastname@example.org.