If you asked people in business, "Is cybersecurity important?" 99% of them would answer "Yes." But many things are important in business, and data security often gets pushed out of the way. Companies put off improving it because of one priority after another.
If a business delays improving its cybersecurity measures too long, it will find itself dealing with a crisis. It will lose confidential information to cyber criminals, or it will have to shut down its information systems for days to recover corrupted data.
The right time to prepare and plan for security threats is before they turn into current problems. It's a task that requires constant attention and expert assistance.
Our penetration testing services will help you to make sure your data is well protected. Call us at 612-234-7848 to schedule a consultation.
In 2019, the Kaspersky security firm reported identifying 24,610,126 "malicious objects" caught by its protective software. Close to 20% of Internet users were the targets of malware attacks. These attacks are increasingly aimed at businesses, which have more value than private, individual users. Attacks on the Internet of Things (IoT) tripled just in the first half of the year.
Any network connected to the Internet is constantly being probed for weaknesses. If it doesn't have adequate protection, it won't be long before one of those attempts gets through and does serious damage. At a minimum, it will take time away from other tasks to remove the threat. In the worst cases, the company will have to deal with stolen or corrupted data and high attendant costs.
The worst scenario is a data breach, the loss of confidential information to unauthorized access. In 2019, the average cost of a breach was $3.92 million.
Ransomware can cost an organization large sums, as they have to choose between paying a criminal and recovering corrupted files. A ransomware attack on the City of Atlanta cost it about $17 million to restore its computer systems.
In 2017, Equifax announced a data breach that exposed the personal information of 147 million people. The corporation compounded the problem by being slow to report it. The settlement ultimately included up to $425 million to help the people who were impacted.
In areas where protecting sensitive information is a top priority, regulations and compliance requirements drive the cost of security issues up. Health care is a prime example, as HIPAA requirements demand stringent protection and impose large fines on violators. The largest fine, $5.55 million, was imposed on Advocate Health Care for negligence leading to three cyber security breaches. A business that fails to exercise due diligence is likely to be hit hard.
Businesses that handle credit card and bank account data need to follow the PCI DSS standards. Failure to comply leads to contractual fines and lawsuits. Fines for non-compliance can run as high as $100,000 per month. A business could lose its credit processing privileges until it corrects the problems.
Businesses that deal with citizens of the European Union need to comply with GDPR. Negligently exposing EU citizens' personal data is subject to heavy fines.
Fixing security issues takes time and resources. Finding the cause of an incident is seldom easy. The first piece of malware found may not be the only one or the most serious problem. A vulnerability that isn't fixed will leave the door open to re-infection. It's necessary to make sure the problem is fixed and won't come back.
Ransomware is especially messy to fix. Paying the ransom encourages crime and may not get the affected files back. A good backup system makes it easier to recover the files, but it's still a tedious process.
A security incident that gets public exposure will reduce the trust of a company's customers and partners have in it. When they're at risk of data loss and identity theft, they don't want to give their information to someone who can't protect it.
Managing information security is a balancing act. Resources are always finite, and measures that damage productivity won't get acceptance. A security plan needs to prioritize assets and give the greatest protection to the greatest cyber risk. For example, the exposure of casual conversations is a small risk compared to leaking a database full of personal information.
A key concept in information security is defense in depth. No one cybersecurity measure is 100% effective. The more obstacles cybercriminals need to overcome to gain access, the less likely they are to succeed.
The necessary layers of information systems protection include:
Sometimes malware gets through. Monitoring a data network is important to catch infections as quickly as possible. Monitoring can be internal to the network or operate from an outside service. Each approach has its advantages.
Cyber threats keep evolving, and protective measures need to keep up with them. Application firewalls, threat detection systems, and anti-malware software need regular updates so that they recognize the latest attack patterns.
Wireless access is an important concern. Smartphones and tablets make up a growing part of data networks, and poorly protected Wi-Fi access points could open up security risks. Similarly, uncontrolled shadow IT creates weaknesses. Any device that operates inside a network can do harm more readily than one coming in from the Internet.
The best technical protections won't be adequate unless the people in an organization know the importance of cybersecurity. A company needs to nurture a culture of security and train its employees in the best practices. Most security incidents involve an element of human error.
A large proportion of cybercrime attempts start with efforts to trick people, such as phishing email or social media scams. The FBI reported 114,702 phishing victims in the United States in 2019. That counts only the people who made criminal complaints, so it's certainly a gross understatement.
Insufficient diligence allows penetration of information systems. Weak passwords let intruders log in. Unattended workstations can let visitors gain access to systems. Lost and stolen devices will give away a wealth of confidential information if it isn't encrypted.
Good security practices reduce the chances that human errors will cause serious harm. The principle of least privilege says that users shouldn't have more permissions than their job requires. If their accounts or devices are compromised, the intruder won't get as far.
Strong passwords are vital. The most important measure of password strength is its length. The number of possible passwords goes up exponentially with the length of the password. Systems should reject passwords that are dictionary words or simple sequences. Two-factor authentication provides further protection.
To be sure your security is really good, you have to put it to the test. Penetration testing sets up simulated attacks on a network's defenses. A perfect cybersecurity system will block all of them. The testing report shows which tests were partially or wholly successful so that the information security staff can fix the deficiencies.
A thorough penetration test addresses human factors as well as technical ones. It includes sending phishing emails to employees to see whether they act on them. If too many people are tricked, more training is necessary.
A major cybersecurity incident can destroy a small business or cause serious harm to a large one. Security may be inconvenient, but the downtime and data loss from cyber attacks are much worse. If your organization maintains strong security, it will keep running, avoiding downtime and unexpected costs.
We can help you to protect all aspects of your information access with our penetration testing services. Call today at 612-234-7848 to schedule a free consultation.