Cybersecurity has already become a major topic among businesses operating in our increasingly digital world, and with each passing day the severity of the issue only seems to grow. News just came from across the pond that every one of England’s National Health Service trusts officially fails the security standards required of it, according to The Guardian.
That picture of widespread deficiency is corroborated by the latest Hiscox Cyber Readiness Report 2018, which found that 73 percent of firms surveyed face major shortcomings in cybersecurity readiness. The Hiscox team surveyed over 1,000 department managers, IT specialists, and key professionals at US companies large and small. Other findings include:
- 69 percent of respondents rank the threat of cyberattack and fraud as the top risks to their business.
- The average IT budget of respondents was $11.65 million, with 10.6 percent of that budget being devoted to cybersecurity. 60 percent of respondents believe this spending will increase by five percent or more.
- Of the organizations making an investment in cybersecurity efforts, 54 percent indicated that employee training helped reduce the number of cyber hacks and incidents. Furthermore, 43 percent of US companies reported conducting cybersecurity exercises, such as phishing experiments, to understand employee behavior and readiness.
- The average cost of cybercrime to organizations with more than 1,000 employees was $1.05 million, with the highest costs topping $25 million.
- 58 percent of US companies with more than 250 employees have cyber insurance, while only 21 percent of US companies with fewer than 250 employees can say the same. In addition, more than half (52 percent) of US small businesses say they have no intention of securing cyber insurance, while only 9 percent of their larger counterparts say the same.
Interestingly, individual consumers seem to already sense that these shortcomings exist, with 77 percent of Americans reporting that they are concerned about financial information being stolen or compromised. After the infamous Equifax hack in 2017, this should probably come as no surprise.
Data Breach Prevention Strategies
As the Hiscox report showed, over half of the businesses that invested in cybersecurity efforts indicated that employee training and cybersecurity exercises proved effective in reducing incidents. In fact, the aforementioned Equifax hack has been blamed on a single employee’s failure to apply a patch to vulnerable software. It’s important to understand that this accusation comes from the former CEO of Equifax, so it should perhaps be taken with a grain of salt. Nevertheless, it illustrates the same disconnect that exists in far too many companies: if one person fails, the entire organization is at risk. It’s everybody’s responsibility to become and remain knowledgeable about cybersecurity best practices.
On the organization’s end, Bill Mann, CPO at Centrify, suggests adopting what is called a “zero trust” model. Here’s how he explains that concept, in an interview with TechRepublic’s Dan Patterson:
“…let me explain what zero trust is in very simple terms. We inherently trust too much in our environment and our inclination to trust too many things has really led to us relying upon forms of security which are really not helping us in the new world order. Think of it in the old world order, you had a firewall which was a perimeter. We used to trust that the firewall was going to keep the bad guys out, but the reality is that the bad guys are already in our environment. Also, the reality is that we’ve got a lot of mobile workers and outsourced IT and we’re using stats and infrastructure as a service so a danger is also not residing within the walls that the firewalls were previously protecting.”
Zero trust comes down to knowing your user, knowing the device they’re using to connect to the environment, and restricting their access so that they have only the privileges they need to do their job. This can be supported by replacing BYOD with corporate hardware and asset tracking.
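To make the three ingredients concrete (verified user, known device, least privilege), here is a small access-decision function written as an added illustration. It is not code from Centrify, Bill Mann, or this article; the asset inventory, role map, user names, and device identifiers are all constructed for the example. The point it demonstrates is that the decision never consults network location, so a request "from inside the firewall" is treated exactly like one from outside: the perimeter model the interview describes is shown beside it only for contrast.

```python
from dataclasses import dataclass

# Constructed sample data: a corporate asset inventory keyed by device id.
# A device absent from this inventory (e.g. an unmanaged BYOD laptop) is
# never trusted, regardless of which network it connects from.
ASSET_INVENTORY = {
    "LAPTOP-0042": {"owner": "alice", "managed": True, "patched": True},
    "LAPTOP-0077": {"owner": "bob", "managed": True, "patched": False},
}

# Least-privilege role map (constructed): each role lists only the
# (resource, action) pairs that job needs. Anything unlisted is denied.
ROLE_PERMISSIONS = {
    "nurse": {("patient-records", "read")},
    "billing": {("invoices", "read"), ("invoices", "write")},
    "it-admin": {("patch-server", "read"), ("patch-server", "write")},
}

USER_ROLES = {"alice": "nurse", "bob": "it-admin"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    authenticated: bool            # identity verified (e.g. password + MFA)
    device_id: str
    from_corporate_network: bool   # present in the request, ignored by evaluate()
    resource: str
    action: str


def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Zero-trust decision: know the user, know the device, grant least privilege.

    Returns (allowed, reason). Every check is per request; nothing is
    inherited from network position.
    """
    if not req.authenticated:
        return False, "user identity not verified"

    device = ASSET_INVENTORY.get(req.device_id)
    if device is None or not device["managed"]:
        return False, "device is not a managed corporate asset"
    if device["owner"] != req.user:
        return False, "device is not assigned to this user"
    if not device["patched"]:
        return False, "device is out of compliance (unpatched)"

    role = USER_ROLES.get(req.user)
    allowed = ROLE_PERMISSIONS.get(role, set())
    if (req.resource, req.action) not in allowed:
        return False, f"role {role!r} has no {req.action} privilege on {req.resource}"
    return True, "allowed"


def perimeter_model(req: AccessRequest) -> bool:
    """The 'old world order' from the interview: inside the firewall means trusted."""
    return req.from_corporate_network


if __name__ == "__main__":
    # Constructed requests contrasting the two models.
    samples = [
        AccessRequest("alice", True, "LAPTOP-0042", False, "patient-records", "read"),
        AccessRequest("bob", True, "LAPTOP-0077", True, "patch-server", "write"),
        AccessRequest("mallory", True, "PERSONAL-PHONE", True, "invoices", "read"),
        AccessRequest("alice", True, "LAPTOP-0042", True, "patient-records", "write"),
    ]
    for r in samples:
        ok, why = evaluate(r)
        print(f"{r.user:8} {r.device_id:14} perimeter={perimeter_model(r)!s:5} "
              f"zero_trust={ok!s:5} ({why})")
```

The second and third requests are the instructive ones: both originate inside the corporate network, so the perimeter model waves them through, while the zero-trust check refuses one because the device is unpatched and the other because the device is not in the asset inventory at all. The fourth shows least privilege: a verified user on a compliant device is still denied an action her role does not need.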
Beyond tracking employees and the hardware they use, you should also take steps to manage your data. Record Nations recommends using a document management plan, which details the process from creation to destruction of internal documents and data. They write that there are typically eight essential components to include in every document management plan:
- Conduct a complete inventory of all your existing records.
- Determine who will be responsible for your record management process.
- Develop a record retention and destruction schedule.
- Evaluate and determine the best methods for storing and managing your records.
- Create and document proper company policies and procedures.
- Create a disaster recovery plan in case of data breach or other emergencies.
- Implement your document management plan and train employees.
- Maintain and audit your program for efficiency and effectiveness.
Of course, these strategies will only get you so far, and only represent a very small amount of the multiple facets of cybersecurity. The fact is, the fight to defend our data and digital infrastructures has just begun, and will rage for a long time to come — and if we ever hope to mount an effective defense in the future, we must overcome our cybersecurity shortcomings in the now.