By Jerry Thompson
The cybersecurity threat landscape is now more fraught than ever. New revelations on the scope and severity of 2017’s Equifax hack seem to roll out by the day. The IRS has just released a number of tax scam-related warnings well ahead of schedule. And Uber, breached in 2016, is still running the gamut of reputational damage control in the face of its customers’ potential data exposure.
Yet what is most shocking about these cyber attacks, scams, and data breach reports is that they now scarcely seem to shock us at all. Many businesses appear to have adopted an attitude of learned helplessness where these attacks are concerned. Indeed, while 75% of executives report that their greatest risks come from bad actors on the digital front, only 19% consider themselves adequately prepared to mitigate these threats.
All this comes even as most experts now regard data breach not as a possibility, but an inevitability. Over the past five years, the wave of cyber breaches hitting businesses has nearly doubled in size. And with the Internet of Things projected to expand to 20.4 billion devices by 2020, these risks will only grow.
With the threat of data breach escalating at fiber optic speeds, businesses cannot afford to respond at a dial-up pace. Nor can they content themselves with partial measures or fortify only one stronghold of cyberdefense.
Too often, companies dedicate their resources to preventive efforts alone, imagining that if they turn their attention to retroactive measures, they are preemptively conceding defeat. Yet rather than view breach prevention as an isolated set of tactics apart from breach response and recovery, businesses need to see it as just one component of a comprehensive, customized cybersecurity strategy—one that integrates readiness, response and retrospective measures into a fluid, strategic framework.
Businesses must start by differentiating between their internal and external vulnerabilities and preempt each one accordingly. One of the largest factors in securing company data involves properly training employees in how to open, handle and store sensitive information. Too many cyber breaches occur when unsuspecting personnel expose company systems by downloading unsolicited email attachments or clicking on suspicious links.
Because these errors can instantaneously subject an entire network to malware or ransomware, early and continuous employee education is critical. Routine cybersecurity drills and debriefs should not merely consist of running through a generic list of best practices, but instead take into account workplace- and department-specific strengths and weaknesses. Strong breach readiness requires a trained workforce well-versed in its unique threats and individual protocols for dealing with them.
Organizations must also conduct ongoing screenings of end-user and external networks. The number of these networks varies by company and by sector, with healthcare organizations among the most frequent to engage with end-users. (Lately, healthcare organizations have also been some of the organizations most vulnerable to data exposure.)
Un- or under-secured external networks are a surprisingly common way for companies to expose sensitive information to malicious third parties; both Equifax and FedEx, in fact, were breached because of their flawed external network security measures. By contrast, excellent breach readiness involves securing end-users and external networks through routine network scans and regularly searching third-party platforms, like the Dark Web, for company data. At this stage, the groundwork of breach readiness becomes the cornerstone for solid breach response.
Ultimately, a company’s internal incident response team is the first line of defense in cases of a data breach or cyber attack. For this reason, while specific incident response team roles and procedures will differ by organization, a number of characteristics should remain consistent regardless of company sector or size.
At the helm of every effective incident response team is a company executive with decision-making authority and, if applicable, contact with a company’s Board of Directors. The rest of the team should comprise personnel from multiple departments throughout the organization, including IT, finances, compliance and account management. At least one member, preferably from the company’s HR or communications department, should serve as the breach response “spokesperson” and be charged with overseeing all media and external communications.
In cases of small or service-industry businesses that do not have different expert departments in-house, incident response teams can incorporate trusted external resources, like outside legal counsel familiar with cybersecurity and disclosure laws. By highlighting strengths and weaknesses within a company’s existing defense strategy, and by developing a rapport with local resources in advance, businesses can go a long way in making sure their incident response team is ready to spring into action at the first sign of a breach.
Companies must be prepared to communicate frequently with key stakeholders in the aftermath of a data breach. Here, it can be wise to draft, in advance, sample emails and other communications detailing the nature of the breach and the company’s response to it. During and after a breach, when energy is scattered and emotions are high, having immediate access to a number of pre-vetted templates for engaging with the public can save a company time and effort and will often reduce the risk of client or regulatory fallout.
After a breach has been arrested, assessed and adequately reported, the retrospective stage begins. During this stage, companies should turn to patching whatever loopholes allowed the breach to occur, restoring business operations, and discussing areas where their breach strategy was effective as well as what could be improved.
According to the 2018 Global Risks Report, cybercrime is expected to cost U.S. businesses 8 trillion dollars over the next 5 years, affecting small businesses disproportionately. If a breach does occur, minimizing its impact starts with these conversations. As the risks and costs of cybercrime and data breach continue to rise, so should an organization’s level of awareness, preparedness, and expertise.
About the Author
Jerry Thompson is senior vice president of Identity Guard, provided by Intersections, Inc., which since 1996 has protected more than 47 million consumers. Learn more about Identity Guard by visiting Jerry online at https://www.identityguard.com/.