Guest post by Dr. Shannon McMurtrey with contributions from Jeff Riggins
It seems we cannot navigate a news cycle without at least one high profile data breach. Considering newsworthy breaches are only those reported by large organizations, it might be surprising to learn that cyber theft is the fastest growing crime in the United States. Although we don’t hear about all cyber-crime on the nightly news, no organization, large or small, public or private, is safe. By 2021, cyber-crime costs are projected to reach an annual total of $6 trillion. To help put this in perspective, since 2001 American taxpayers have spent an estimated $5.6 trillion on the wars in Afghanistan, Iraq, Syria, and Pakistan combined.
More worrisome than the potential costs is the increasing frequency of foreign interference in our elections and signs that foreign governments are attacking, and gaining access to some of our nation’s most critical infrastructure.
As a result, many organizations are beginning to focus more on Cybersecurity. In fact, 64% of organizations indicate their security budgets are expanding. This leads to the first of the five steps you can take to secure your organization.
1. Include Cybersecurity in your annual budgeting process and invest in training and talent.
The global logistics giant A.P. Moller-Maersk, was an unintended victim of a cyber-attack directed at Ukraine. The attack cost the organization $200-300 million. In an interview with The Financial Times, CEO Soren Skou humbly admitted that with, “Most business problems, you will have an intuitive idea on what to do. But with this and my skills, I had no intuitive idea on how to move forward.” Organizations must invest in Cybersecurity talent and training to ensure senior leaders are prepared.
“As cybersecurity threats continue to escalate and consumers demand better cybersecurity protections, companies must outlay increasing capital to secure their businesses” – Larry Jones, Chief Executive
A global study on the costs of data breaches published in July 2018 by IBM Security found one of the top three factors for avoiding and/or minimizing costs is employee training. Clearly, resources must be allocated to prepare for, defend, and recover from cyber-attacks.
2. Involve senior leadership and align your organization appropriately.
Organizational structure can increase enterprise risk if there are no clear lines of communication for reporting security issues to the board. The reverse is also true, if security practitioners’ efforts are not coordinated with the board’s priorities within the organization, enterprise risk increases. Simply moving your Chief Information Security Officer (CISO) out from under the Chief Information Officer (CIO) increases visibility and accountability for security matters. While it does add a new report to the CEO, it also puts cyber-risk where it should be, in the C-Suite. Senior executives should also be personally diligent regarding cybersecurity as they are often targets themselves.
3. Use strong passwords and multi-factor authentication.
An employee with a weak password can bring down the entire organization. Passwords must be lengthy and never shared with anyone, even the IT department. While two-factor authentication or 2FA, is a step in the right direction, it’s still not the best answer. When most people think of two-factor authentication they either do not know what it is, or think of their cell phone. Many websites rely on a code sent via text message as their method of supporting two-factor authentication. However, there have been many successful attacks against this form of 2FA. In fact, the National Institute for Standards and Technology (NIST) warns against using a phone as the “second factor.”
The better approach, as we are learning from Google, is to use a security key. By employing mandatory security keys, Google has cut successful phishing attacks to zero. Google sells their key for $50. However, before you rush out and place your order, you should note the device is manufactured in China, which could introduce supply chain risk.
4. Make backups of all of your important data.
This may be the most well-known of any of the recommendations on this list. However, we still see examples of organizations not following this best practice. The rampant spread of ransomware is evidence that organizations are not doing a good job of backing up their data, and testing their restoration ability. A well thought out security policy will outline your organization’s backup strategy and your recovery time objective (RTO). Procedures must be in place to test an organization’s ability to meet that RTO. It may be extremely costly to realize the RTO is not achievable while responding to a security breach.
5. Download and install patches in a timely manner.
All software has bugs, and some of those bugs can lead to catastrophic security events. This is why software vendors regularly release security patches. It is imperative that organizations have a strategy for downloading, testing, installing, and deploying patches in a fast and efficient a manner. The largest ransomware outbreak in history occurred in May of 2017 and could have been avoided by installing patches in a timely manner. Microsoft released a patch in April of 2017 that fixed the vulnerability that allowed WannaCry to spread so far and so fast. It is mission critical for organizations to have a plan for installing patches in a timely manner.
“There are two types of companies in this country, those who know they’ve been hacked, and those who don’t know they’ve been hacked.” – Mike Rodgers, former US congressman and chairman of the House Permanent Select Committee on Intelligence
The most important suggestion I have made is the first one. You must invest in information security training and talent on an ongoing basis. People are an organization’s most valuable asset. Invest in them and they will help you protect your organization. If you fail to invest in them, they may well become your weakest link.
Remember, there is no such thing as perfect information security; it is a journey, not a destination.