Cybercrime Reaching $600 Billion; A Reminder to Review Cybersecurity Policies and Processes

April 28, 2017

Various sources list the cost of cybercrime to the global economy at somewhere near $600 billion each year. This figure will no doubt continue to rise as cybercriminals put extra effort into researching and targeting specific people and companies. While it’s still important to secure the physical environment, the security concerns now center around cybercrime and the likelihood that a data breach will strike at some point.

Following are some tips for preventing the hackers from wreaking havoc in your network.

Invest in tools for defense and investigation

The integrity of the network is important, and hackers will take any opportunity they can to get into it. Often this means convincing someone to click a link or open an attachment that lets loose malware, giving them exactly that opportunity.

Invest in some tools to defend the perimeter and to watch what is going on around the network. Being able to trace activity is not about being nosy; it is about being able to investigate should something come up.

Tools for the roaming employees

Remember that users are not always sitting at a desk or cubicle in the physical office. They work from home, in coffee shops, on airplanes, etc. It’s well known that hackers will sit in public places with sniffers and capture all traffic that crosses a network. They are successful because employees don’t have tools installed to prevent it and/or they are not educated on when it’s OK to use the free public WiFi and when it isn’t.

Give them what they need to work remotely in a safe way: train them about the risks of using open WiFi, and install VPNs on their mobile devices and laptops. A secure connection will help keep information out of the wrong hands when users connect from wherever they happen to be in order to get work done.

And don’t forget to encrypt their computers. Should one get stolen, at least it’ll be harder for the thieves to capture any sensitive company or customer data.

Strong password policies never go out of fashion

Weak passwords are easy to crack and this is a craft that hackers continue to use over and over. In addition, password reuse attacks are becoming more successful.

Create a strong password policy. Include guidelines on what this means, so there is no ambiguity for the users. Force users to change them on a regular basis and make sure they are not using the same one for multiple accounts. Password reuse has been blamed for breaches of accounts at the UK National Lottery, Spotify, and TaxAct. A strong password should be a minimum of eight characters and include upper and lower case letters, at least one number, and at least one special character.
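As an added illustration (not code from the original post), here is a small Python check that enforces the policy exactly as the post states it and also rejects a password the user has already had. The previous passwords are assumed to be stored only as salted PBKDF2 hashes, never in the clear; the history list and sample passwords below are constructed for the example.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Rules as stated in the post: at least eight characters, upper and lower
# case letters, at least one number, and at least one special character.
MIN_LENGTH = 8


def policy_violations(password: str) -> List[str]:
    """Return the stated rules the password fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 of the password; returns (salt, digest).

    A fresh random salt is generated unless one is supplied (supplying one is
    how we re-hash a candidate against a stored history entry).
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def was_used_before(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any previous (salt, digest) entry.

    Each entry is re-derived with its own salt and compared in constant time,
    so the history never needs to hold plaintext passwords.
    """
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def evaluate_change(new_password: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Combine the complexity rules and the reuse check for a password change."""
    problems = policy_violations(new_password)
    if was_used_before(new_password, history):
        problems.append("reused a previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample history: one previous password, stored hashed.
    previous = [hash_password("OldPass1!")]
    for candidate in ["OldPass1!", "Password1", "Ab1!", "NewPass2@"]:
        print(candidate, "->", evaluate_change(candidate, previous) or "accepted")
```

The reuse check is the part most organisations get wrong: it only works if old hashes are retained for comparison, and it only catches exact reuse within your own systems, not the same password being used on an unrelated site, which is the scenario behind the breaches the post mentions.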

Humans are still the weakest link

Those who use social engineering scams continue to evolve their methods and are getting better and better about making their messages seem legitimate. Last year, a phishing scam targeted at high-level executives (whaling) was identified, called TA530. It used the names, titles, and company names of the executives to try to obtain sensitive information such as online banking credentials or W-2 information.

Teach employees how to identify social engineering of all types, particularly phishing. Then test their knowledge periodically. This will give you the opportunity to retrain or change your methods as needed.

Make a plan

Not only should you create cybersecurity policies, but you should have an action plan should you find your organization the center of a data breach or other cybersecurity event.

Clearly state who is responsible for each task such as speaking to the media, employees, and customers. Keep all contact details current and don’t forget to include how to reach your plan actors after working hours. Review the plan at least annually and update it then or whenever the players or their information changes.

Enforce the plan

It does no good to spend time writing policies and guidelines if you are not going to enforce them. Clearly define the penalties for not abiding by the rules should they be broken. Then be sure to follow through with the related penalties.

People cannot be modified like machines and software. They have minds of their own and behaviors are not easily changed. Set up clear processes and procedures on how employees, contractors, and anyone who logs into your network can interact with it. Include a mobile policy and bring your own device (BYOD) policy.

It’s not just the money

Money is not all that can be lost in the case of an intrusion. It can also mean a hit to reputation and trust, repeat business, and may result in legal issues. Class-action lawsuits were filed against Sony Pictures, 21st Century Oncology, and Anthem as a result of data breaches of their systems. Therefore, it’s well worth some time and effort to make sure your company is as prepared as it can be to avoid a data breach and respond quickly and appropriately to one if needed.

Vulnerabilities are found regularly, and security companies are always trying to develop new products and strategies in order to stay a step or three ahead of the bad guys. However, the bad guys are always trying to outsmart the good guys, and they are being successful at it. New scams and tricks pop up all the time. Keep up with the news, keep your systems up to date with the latest patches and updates, and continually train your employees and contractors to keep on top of it all.

© Copyright 2017 Stickley on Security