Cyber attacks spiked 164% in the first half of 2017, compared to the same period in 2016, entailing 918 disclosed breaches, according to reports from broadcaster CNBC. Threats vary from sector to sector. Healthcare, for example, is more susceptible to crypto-locker ransomware like the infamous WannaCry.
Internet-connected consumer devices often fall prey to malware that shackles them to remotely controlled botnets such as Mirai. Varied though the threat may be, and staggering though these numbers are, the word “disclosed” highlights a central paradox: while transparency contributes to the overall fortification of cyber-security protocols and procedures, battening down the hatches presumably mitigates further financial risk.
Sure, a disclosure is immensely beneficial in terms of buttressing industrial safeguards, national and global security, and customer protection – not to mention mitigating the longer-term repercussions of an attack – but so too can disclosure exact lasting damage on a bottom line.
The nature, intent, and consequences of an attack notwithstanding, the way companies have responded to breaches is closely related to their designation: public or private. CFOs at public and private companies face different risks and pressures when it comes to cyber-security and disclosure, and exhibit divergent perspectives when it comes to preparation.
Broadly speaking, public company CFOs are more likely to outsource cyber-security to third-party firms, while private CFOs tend to invest in in-house IT teams. Regardless of who secures a company’s network, breaches are often known by CFOs before they are made public. By disclosing a breach, CFOs of publicly traded companies might trigger investor panic and sell-off, whereas private company CFOs risk irreparable harm to consumer and employee confidence.
On one hand, foreknowledge of pending disclosures can put unique pressure on public company executives, who often own considerable amounts of company stock. The ongoing federal investigation of three Equifax C-suite managers for insider trading arose due to alleged stock dumping prior to the revelation of the company’s catastrophic cyber-attack.
Equifax underscores the tension between a public corporation’s responsibility to its board, shareholders, and customers, and the financial implications of both the breach itself and legal requirements governing its reporting and remediation.
On the other, while private companies aren’t under the same legal obligations in terms of disclosure, and while the short-term consequences may be less impactful, these companies still face long-term pitfalls, such as lost trust and tarnished brands. Moreover, a medium-sized business may not have the capital or reserves to recover reputationally or financially after a major data breach the way a multinational corporation can.
Additionally, the moderate scale of many private companies sometimes instills a false sense of security. Middle-market businesses often assume they’ll be overlooked by attackers, whether due to a large number of similar companies, or a lack of enticing assets. After all, isn’t it the bigger fish that stockpile the type of data and info that hackers tend to target?
A lack of proper preparation only exacerbates the panic once an attack does occur. Attempting to deal with an attack on the down low can earn private enterprises a reputation as easy marks, and provoke subsequent attacks. Further, if the rearguard strategy backfires, or is exposed by the press, this can amplify the damage to a company’s brand and leadership, not to mention potential legal consequences if negligence can be proven in court.
In terms of the bigger picture, the lack of reliable data pertaining to attacks on private companies leads to lopsided analysis regarding the multifaceted aims and motives driving these attacks, resulting in a sort of half-finished portrait of the threat landscape.
While cybersecurity prevention could be vastly improved by greater information sharing, some surveys of CSOs indicate that only one in seven attacks is reported to authorities. Alas, as it stands, adequate event modeling, and risk and security assessments, are being stymied by a lack of shared intel on private company breaches, effectively hampering the development of comprehensive prevention and management strategies.
This lack has precipitated the introduction of numerous cyber-security regulations around the world, and though the regulatory ecosystem is in a state of flux, the global trend is invariably toward greater transparency. CNBC notes that “governments around the world are introducing legislation which will force more companies to disclose data breaches,” a reach that already extends to private enterprises.
Both private and public companies are compelled to comply with local, national and global disclosure regulations, including Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the EU’s General Data Protection Regulation (GDPR).
The GDPR, which regulates the collection and storage of customer information and data, and can levy fines of up to €20 million, requires that private companies disclose if they have a footprint in Europe, or otherwise handle the information of European citizens.
In the US, Sarbanes-Oxley (SOX) sets out the responsibilities of both public and private companies, including rules pertaining to cooperation with federal prosecutors, and criminal penalties. Further, HIPAA governs how any company, public or private, handles personal health information.
Though public companies, traditionally, may have shouldered an inordinate amount of the fallout from disclosure, this has left them better readied for the implementation of legislation designed to enforce transparency. Even more advantageous, public companies now have hard-won practice mitigating the financial risks and ramifications resulting from disclosure.
Private companies, by contrast, are less aware and agile in terms of prevention and response; protecting their brand, for example, or proactively communicating with clients. Simply put, having been in battle, public CFOs are stepping up and getting more involved with cyber-security, while private CFOs, hovering on the sidelines, appear far more circumspect.
Make no mistake: this problem is only getting worse. The situation could improve rapidly if execs from companies of all stripes and sizes shared details of attacks with the larger corporate community.
Whether you are a CFO of an international, publicly traded conglomerate, or a mid-sized regional business, it is well within your portfolio to do everything possible to properly prepare for the threat. Engage with the board, secure funding for proper security controls, and encourage leadership to be forthcoming when, not if, your company’s cyber attack occurs.
About the Author
Andrew Douthwaite has over 17 years of technology experience, joining VirtualArmour in 2007 as a senior engineer. Now, as Chief Technology Officer, Andrew focuses on leading growth in the managed security services business and ensuring VirtualArmour is a thought leader in the security industry.
Safety is paramount to the success of your business, which is why larger companies dedicate entire departments to protective measures. Small business owners don’t always have that luxury, leaving them to handle unique risks without a massive amount of protective resources. That creates a real challenge, one that can often lead to digital, physical, and even legal issues most are unprepared to handle.
So, what can you do? Before leaving your failsafes and security protocols to the wind, check out these tips to help make protection a top priority at your small business. From simple office rules to management tools, here’s the ultimate safety strategy.
Get Rid of Personal Devices
Step one to your plan of action should be eliminating personal or bring-your-own devices in the workplace. This reduces the risk of weak links in your security plan, helping to keep the lid tight on your operations.
While this isn’t always possible, there are workarounds to achieve the same result. Instead of removing these devices from your place of business, adopt a universal security package for your employees. The usefulness of managing and auditing your entire IT infrastructure’s user access rights with a tool like SolarWinds can’t be overstated.
As tight as security may be on your employee end, the world of the web is a malicious place. Malware protection is a vital safeguard for your business, manning the front lines while data enters and leaves your servers. It’s still important to train employees on security and safety measures, but this set-it-and-forget-it protection is something you can’t do without.
While this ’90s rhetoric shouldn’t need restating in 2018, the number of hacks at even seemingly airtight corporations in the past few years suggests that it hasn’t set in just yet. With a single data breach costing upwards of $1 million on average, this is one area of security you literally can’t afford to overlook.
Ensuring every member of your staff uses a strong password is crucial these days. Have them use a unique password, add numbers, and include symbols where possible for the best results. Also, it helps to have your employees change their password every six months to a year.
It isn’t something most business owners want to think about, but individuals within your operation can be just as dangerous as those on the outside. While it is important to trust your employees, it never hurts to utilize cameras and locks when possible. Plus, these tools are an excellent means of theft prevention.
Back Up Your Data
From contracts to daily sales, today’s businesses record almost everything online. Technical malfunctions happen at the most inconvenient times, which is why backing up your data is essential. Instead of opting for pricey equipment, consider cloud storage as a frugal yet secure alternative. There are numerous cloud storage services available that can help you create “hard” copies of important information.
Even if you’re in the earliest stages of operation, business insurance can save you an enormous headache. Depending on what your business entails, you may need varying types of insurance. Public liability, home business, and indemnity are a few popular examples. Regardless of which kind your business needs, protecting yourself in the event of a worst-case scenario is vital.
Other small business insurance needs include:
- General liability
- Professional liability
- Errors and omissions
- Owners policy
- Workers compensation
- Product liability
- Business interruption
No, not bodyguards. Physical protection and security come in a wide variety of forms, each of which is as important as the digital ones you’ve set in place. A simple example would be ensuring that your brand is unique to avoid any litigation or legal ramifications.
Another example would be the use of physical documents for contracts and agreements. Aside from creating a professional look, it further protects agreements made between you, your employees, and your clients with a hard copy. Adding arbitration clauses to those contracts is another physical security measure that can prevent legal ramifications down the road.
Finally, physical protection for a small business can be as simple as creating a safe work environment. Working to prevent accidents and encouraging non-discrimination as well as non-harassment policies might not be the first thing on your mind when the word protection comes to mind, but they are just as important as cyber security measures.
Protecting Your Business
Security isn’t something to take lightly in any business venture, but you don’t have to shell out your earnings on an entire department just to make sure your organization is protected. By following the tips and advice above, you can keep every aspect of your small business, from digital to physical, secure while keeping things affordable.
There are few businesses that don’t rely on the transmission of sensitive digital data in the course of their day-to-day operations, and because of this, cyber security is an ongoing concern. Unfortunately, the businesses that are caught in the crosshairs are small to medium-sized enterprises, or SMEs, since most lack the financial resources to employ full-time IT staff. For those companies looking to keep their data secure in 2018, it helps to become familiar with what is trending in cyberspace security.
From there, owners and directors are in a better position to know how to protect their company’s sensitive data and that of any clients or customers who may also be harmed by even a single breach. Are you concerned over the data held on your computers and connected devices? If so, it pays to understand what you are up against.
Compliance with GDPR Regulations
Probably the biggest trend in cyber IT security is the newly launched GDPR regulations which are to be strictly adhered to by any member state of the EU. Also, anyone who does business with residents in the EU must be in compliance or face a stiff penalty. But, what are these regulations and why are they in place?
The first thing to understand is that the GDPR (General Data Protection Regulation) is in place to provide necessary layers of security to digital data, especially during the transmission of this data. With such a growing concern over data breaches and dangerous system hacks, the EU devised a set of requirements which member states and anyone doing business with member states must adhere to. Summed up, these regulations include:
- Consent must be given by subjects for the processing of data
- Privacy is to be protected by keeping collected data anonymous
- Notifications must be sent if there is a data breach
- Data must be handled safely across borders
- Certain companies are required to appoint a DPO (Data Protection Officer)
- Compliance is mandatory
You will notice that “certain companies” are required to appoint a DPO and it will be this person who oversees the internal IT support necessary to keep data secure. However, SMEs are probably ‘exempt’ from this requirement based on size and company worth. This leads us to the next top cyber IT security trend.
Managed IT Services to Ensure Data Protection
Since it isn’t typically possible for small to medium size businesses to afford full-time IT support staff, a growing trend is to contract IT support providers that specialise in cyber security. Not only is it essential to keep a network up and running but the integrity of data is of ultimate importance to ensure compliance with GDPR. This is a growing trend, second only to understanding the basic guidelines which are to be followed. Even though most companies understand the rules, they are also unprepared for the technical applications which ensure compliance.
Another of the benefits of contracting IT support providers is that they can match your cyber security needs in a bespoke manner. Not all companies have the same needs and so a team of professionals can tailor your cyber security to the type of information stored, the places it is likely to be transmitted and keep any ‘risk’ factors to a minimum based on your system.
Putting AI to Work
Here is one specific task which will almost always need the services of IT professionals. Artificial Intelligence (AI) is on the cutting edge of cyber security. IT professionals are now using AI to help them quickly identify possible threats without human intervention in order to prevent attacks before they happen. Bear in mind that cyber attacks happen so quickly that by the time anyone is aware that your system has been breached, it’s most often too late.
Then it becomes a matter of patching the areas through which the hackers were able to gain access to your data. Unfortunately, there is a downside to this as well. There is some amount of concern that hackers will begin using AI because, as is the case with defense, machine learning can assist cyber criminals in finding weak spots where doorways can be created. To date, no AI attacks have been noted, so cyber security teams are still one up on would-be criminals.
A Growing Emphasis on Patches
If there is anything the WannaCry ransomware attack taught us, it would be the need to keep up to date with patches as they are released. In fact, statistics show that there are more than 4,000 ransomware attacks daily and that WannaCry was responsible for at least 230,000 computers being attacked in a single day across more than 150 nations. The reason this particular ransomware attack was able to reach that many systems is that their owners failed to download and install the patch Microsoft released after recognising the hole.
These companies either didn’t understand the need for staying current with security patches or simply failed to do so based on time constraints of staff. When no one is in charge of IT security, someone needs to step away from their job to find a fix. This is often insufficient due to lack of knowledge and experience, so here again, it pays to use the services of IT support pros.
A Growing Need for Real Time Defense
Somehow the gap continues to grow between known malware and viruses and what anti-virus and anti-malware tools are able to protect against in real time. Mutations of known malware and viruses are being released daily, and it is almost impossible to keep the tools needed to guard against attack up to date. That being said, IT security teams provide defence at the end-point so that they can check criminal behaviours before they impact your computer. Malicious behaviours are identified in real time and stopped dead in their tracks before they are able to penetrate your computer.
Connected Devices Are a Growing Concern
Something else to look for in 2018 and beyond is a growing concern over the vulnerability of connected devices that are rolling out by the billions each and every day around the globe. The IoT is a wonderful boon for anyone seeking ease of use or remote access, but when it comes to the potential for hacking, these devices can pose a real risk. Since each device is connected to your computer and, through your computer, to the network, hackers can now target the device in order to find a back door into your system. You will see a growing emphasis on IoT (Internet of Things) security in the coming years, but this one area is of high importance in 2018.
The internet has become an essential part of business management for numerous reasons. Primarily, it is an incredibly useful tool that enables any company to reach out to more people, conduct safe transactions, assess its processes, and source an immense range of tools and resources that can streamline business management and grow the company. However, with the huge benefits that the digital age offers, there are also some significant risks. It’s vital for any company that is looking to improve and increase its reliance on the internet to assess the possible risks and limit the chances of them happening. The reasons for this may seem obvious, but some of the issues may not have occurred to you, so here are the three reasons why you should be protecting yourself online.
The growing threat of cybercrime
It would be hard not to have noticed the prevalence of news articles and headlines that report on the latest incidents of cybercrime. Large and small companies are both at risk of costly and damaging cyber attacks, so it’s vital that you as a business owner are not merely aware of the latest threats, but also of the reasons why protection is so important. The increasing sophistication of cyber attacks, in whatever form, means that you need to not only prepare yourself for the risks but ensure that your employees are as aware as you are. This is why staff training sessions on basic internet security are an essential part of your weekly business management.
It’s a business risk
One of the main reasons why you need to make a concerted effort to protect yourself from cybercriminals is down to the damage that they can cause. This is not simply a case of financial risk, although that’s certainly one of the issues that you need to concern yourself with. One of the primary targets of cybercriminals is not simply access to your bank details, but access to your data. That data, whether it’s that of you, your employees, your customers, or your suppliers, can be used in a number of nefarious ways, with identity theft and phishing being the key issues to concern yourself with. The growing sophistication of hackers has led companies to optimize their security methods, with many opting to upgrade rather than update, and transferring to SonicWall firewall technology to create an extra layer of protection between the data that you hold and the criminals that want it.
Staying safe can grow your business in ways that you may not have considered. Having a strong security attitude is not only a good way to stress the importance of strong and secure internet use in your employees, but it can also become an additional selling point when it comes to attracting new customers. As consumers become ever more comfortable browsing and making purchases online, they are also becoming more aware of the risks when it comes to sharing their personal information. Having a robust security system in place is not only vital when it comes to protecting yourself; it could make the difference between a customer trusting you enough to click the transaction button or choosing your competitors.