Nobody wants to be “that” IT person who thinks their organisation is secure, but then out of nowhere, a cyberattack brings operations to a halt. The panic sets in. A million questions run through their mind, and they are temporarily paralysed with shock.
Attacks involving crypto-jacking and ransomware are set to continue bombarding organisations. Upon investigation, malware is a $600,000,000,000 problem, and a quick search on the dark web showed me that anyone with a browser and modest IT skills can launch an attack.
As I prepared for my presentation at our recent JuiceIT event, I asked myself – How can we reduce the impact of cybercrime? How can we change the game? I believe the answer is held in three main elements.
Organisations collect, create and store an incredible amount of data, but whose responsibility is it to protect it? It may sound like a silly question, but if you asked around your organisation, the answer would universally identify the IT department. This approach is problematic.
If I gave you a gold bar right now, what would be the first thing you’d do? Chances are, you’d Google its value, and then you wouldn’t let it out of your sight. There’s no way you’d leave it out on your desk, or trust just anyone with its care. Can you say the same for data?
I asked the group at JuiceIT if they thought their organisation had a good handle on the value of their data. Maybe two or three of 300 delegates raised their hands. Most admitted they weren’t sure of the value of the unstructured data they carried on their person.
The stakes are now higher than ever due to new data protection regulations such as the Privacy Act’s Notifiable Data Breach (NDB) amendment and the European General Data Protection Regulation (GDPR) laws. Potential for financial reparation and reputation loss is significant, and the cost of data falling into the wrong hands has increased dramatically. As employees handle customer data, they too need to understand its value as clearly as they would a gold bar.
When the organisation recognises that information is precious, and understands its value fully, there will be an information-centric view of cybersecurity that changes how decisions are made and technology is acquired. Understanding the value of data means the business can make sensible decisions about how to protect it.
Hackers, far more sophisticated than ever, know the value of information. They gather it, and use it to devastating effect. Employees are highly susceptible to phishing attacks, and once they are reeled in, the entire organisation can be quickly compromised. Before that happens, the culture around cybersecurity must change.
Organisations are spending more than ever on security technology, but that is only one piece of the jigsaw puzzle. What lets organisations down is typically an individual. That is not to lay blame – cybercriminals now have sophisticated methods, and the warehouse clerk or the accounts manager doesn’t see themselves as part of the defence team. The cybercriminal learns enough from the individual’s interactions to access more lucrative business targets. Perhaps they send a convincing email, appearing to come from that accounts manager, asking for banking details or passwords. What assistant wouldn’t provide such information to their boss?
Failing to put enough emphasis on the individual leaves everyone vulnerable. Just as mining organisations have created a culture of physical safety, with visible reminders and frequent safety updates, so too must organisations create a culture of cybersecurity where everyone knows their role. Safety has become such an integral part of what mining organisations do – given the level of risk, why wouldn’t organisations treat cybersecurity the same? Just like we would target zero safety incidents, we should target zero cybersecurity incidents.
I think there is still room to improve the basics – and this is imperative. Part of changing the culture must centre on improving online behaviour where it relates to passwords and emails. It is amazing how ingeniously hackers trick people into handing out their personal information and passwords – they are masters of manipulation. The hackers will use the information they gather to reach their target or sell it on the dark web.
Implementing strong authentication is a priority. Ideally, this needs to involve two factors – something the user has, and something they know. There are many options, ranging from tokens the user carries on a keyring, to texting a code to a trusted device. Introducing this second level of authentication makes it far harder to trick anyone into allowing access – and it also serves to remind users of their responsibility.
Privileged access management also reduces the damage a hacker can do. It is amazing when we perform security audits how many users can access systems or applications they don’t need. There are automated options to make it easier to manage access, and it is worth checking what features are already available in your environment.
One of the most common reasons for weak passwords is the sheer number of systems and passwords used in businesses, so users tend to use the same passphrase over and over. Making life easier gives users the chance to do the right thing. Using a password manager and a single sign-on solution means users can create unique, strong passwords without needing the memory of an elephant – they must only remember one thing.
In terms of security breaches, the question is not a matter of “if” but “when”. In the first three weeks of the NDB Scheme in Australia, 31 organisations reported breaches. Chances are, your organisation has a well-established routine for safety incidents, yet few have an incident response plan that covers cyberbreaches. We advise customers to plan communication for both internal teams and external audiences such as the media. Preparedness can be the difference between a problem and a catastrophe.
We do have some weapons of our own, and to minimise risk, they must be deployed well. Remember the X-Files motto that ‘the truth is out there’? The cybersecurity version should be that ‘the truth is in there’, because our own systems contain insights about every aspect of our business – and the opportunity is there to identify inconsistencies. If you baseline your network and employ analytics to seek anomalies, you reduce risk. Better yet, partner with a managed security provider so that you have expertise on-tap, with less distraction.
Nobody wants to be that panic-stricken IT person facing disaster at the hands of a hacker. Employing three elements – knowing the value of data and making sensible decisions; creating a cybersecurity culture; and getting the basics right – makes your organisation a less attractive target that is harder to penetrate.
We run Security Alignment Workshops for organisations across all industries and businesses of varying sizes, and each has a unique set of challenges. The workshop begins with a lengthy questionnaire, followed by an investigative process where we delve deeper into potential risks. We perform an analysis and provide a report that identifies gaps, with recommendations on how cybersecurity can be tightened. In the workshop process, we look as much at processes and culture as at technology, since this forms a critical part of your risk profile. The Security Alignment Workshops are run by skilled IT security specialists with strong business experience and give a fresh pair of eyes on an important aspect of organisational risk.
Need to reduce risk or solve a security challenge? Contact me and tell me where you need help or book a Security Alignment Workshop today.
Tags: Cyberattack, Cybercrime, Cybersecurity, General Data Protection Regulation (GDPR), JuiceIT, JuiceIT 2018, Malware, Notifiable Data Breach (NDB), Security