With the continuous state of change in the global data security threat landscape, organizations face cyber attacks and security breaches that grow in frequency and sophistication every day. As a result, healthcare organizations today spend a significant amount of money on security tools, including firewalls and anti-malware services. Those solutions, however, offer little protection against a phishing attack, which tricks an authorized user into downloading malicious software or handing over credentials.
The ugly truth is that most organizations today have either been the victim of a recent cyber security breach, or will be in the future. With this accepted reality that a breach will happen for most companies, corporate security is no longer an IT concern, but a business concern. A gap in communication between executives and the security team can result in costly losses and damage to data and to the enterprise’s reputation. According to a 2015 Ponemon study, boards of directors are not as informed and knowledgeable about cyber security risks as they should be to fulfill their governance responsibilities. The study showed a disturbing rift in cyber security knowledge between those who make decisions and manage the budgets and those who have to implement and manage the security measures.
The good and bad news is that according to IDC’s Mobile Security Predictions for 2015, users remain a key element of security. With the number of mobile users having surpassed the number of desktop users, securing these devices is the greater challenge. For whatever reason – curiosity, inattention, a mistake – more often than not, a user will unknowingly click on a malicious link.
“Most organizations want to enable their employees to connect from anywhere, anytime, with any device,” noted Stephen Nardone, practice director of security and mobility for Connection. “Whether or not it is a company-issued device or a BYOD model, there needs to be a very solid strategy about how you can do that safely and securely.”
Creating a Culture of Responsibility
When it comes to cyber security, especially phishing and spear phishing, what employees don't know (or ignore) can hurt the organization. In fact, the total annual cost of phishing for the average-sized organization is estimated to be $3.77 million, most of which is due to the loss of employee productivity. The costs associated with intellectual property theft are considerably higher still, at an estimated $538 billion a year.
“The long and short of it is that everybody needs to be aware of proper security policies, procedures, and their daily use, and must be active in ensuring a secure workplace,” said Nardone. “Employees need to understand what can happen to the organization and to the people within it if they fail to verify before clicking.”
Cyber security is vital to every area of an organization. All corporate stakeholders should play a role in designing a living, breathing security plan to protect their business. Companies can create a culture of responsible, effective security practices and meaningful threat awareness by following three tenets:
- To defend against threats, make communication a priority.
- When it comes to cyber security, especially phishing or spear phishing, what you don’t know (and/or ignore) can hurt you and your organization.
- Security is not a one-time, one-person activity.
“Whether from hackers, organized crime, rogue states, disgruntled and/or careless employees, by way of accident, malware and zero-day attacks, drive-by downloads, watering hole attacks, or denial and distributed denial of service (DoS/DDoS) attacks, the evidence of the escalating threat environment is everywhere,” explained Nardone. “Know that nobody is immune.”
Nardone and his team offer the following statistics as proof:
- Five out of every six large companies (2,500+ employees) were targeted with spear-phishing attacks in 2014, a 40% increase over the previous year.
- Small- and medium-sized businesses saw an uptick too, with attacks increasing 26% and 30%, respectively.
- Non-targeted attacks, which make up the majority of malware, increased by 26%.
- More than 317 million new pieces of malware were created last year, meaning nearly one million new threats were released daily.
“Due to common misconceptions, few mobile users are aware of their ability to improve the overall mobile security posture,” offered Nardone. “The three key reasons: perception, intentionally undermining security controls, and lack of visible security warnings.”
A managed security service can help an organization get a better handle on its data and security, yet 81% of the data breach victims surveyed in the 2015 Trustwave Global Security Report said they had neither a system nor a managed security service in place that would let them self-detect data breaches; they simply relied on notification from an external party.
“These results are surprising, given the fact that self-detected breaches take just 14.5 days to contain from their intrusion date, whereas breaches detected by an external party take an average of 154 days,” said Nardone. “The consequences of this gap in communication are vast and not only financial. Breaches result in a loss of confidential data and sensitive records.”
The good news is that these and other attacks can be mitigated with employee awareness and bolstered with the appropriate training, procedures, policies, and plans.
Implementing a Plan for Breaches
Having a plan in place to stop an innocent click from turning into a breach gives an organization a concrete way to combat cyber crime. Steps include backing up files, restricting user privileges, segmenting the company’s network, and having an incident response plan. There are a few keys to success:
- Refocus the corporate culture on safer security behaviors by making security a priority at the top.
  - Reorient the executive team so that security and technology are a top priority and a standing agenda item; this shifts the focus and opens lines of communication.
  - Become knowledgeable about the security of the enterprise to build trust between the board and IT professionals.
  - Require mandatory employee training on how to identify potential scams.
- Stay educated and informed.
  - Executives have a legal obligation to involve themselves in information security; beyond that, it is best practice to make security an agenda item at every meeting.
  - Officers need to know the incident response plans and disaster recovery policies, so they should ask questions about business continuity, cyber security regulations, and insurance.
- Form an information security committee.
  - Create a culture that prioritizes the security of critical data by forming an information security committee and engaging with the team regularly.
  - The directors involved in designing and reassessing the plan should meet often to review policies on incident management, user education and awareness, and managing user privileges.
  - The committee should own the incident response plan and clearly defined protocols for BYOD and remote work.
- Review and evaluate frequently.
  - An information security protection program must be well documented and frequently updated, executed, monitored, and reassessed.
  - An enterprise that can demonstrate a documented information security protection program will likely face less regulatory scrutiny and lower fines in the event of a breach.
  - The standards of what is reasonable in prevention and protection continue to evolve, and executives need to be aware of changes.
Reducing Risk Through a Cyber Security Assessment
Eliminating breaches is cyber security’s ultimate objective, with detecting and remediating those that do get through an organization’s defenses a close second; even so, breaches will continue to occur. A company can, however, significantly reduce its level of risk by preparing the organization and its users through a security risk assessment. That’s where a trusted partner like Connection and its industry-leading security solutions and services can help.
A basic cyber security assessment should mitigate risk, address compliance, evaluate a security team’s response capabilities, and improve overall security through:
- Physical security
- Personnel security
- Training and education
- Account and password management
- Critical or noncritical data control and protection
- Data loss prevention, detection, and mitigation
- Compliance and audit
- Disaster recovery
- Management oversight
- Written security policy and procedures
Choose a partner that can help identify vulnerabilities in the corporate environment and determine which ones are exploitable and dangerous. Next, develop a prioritized action plan to support the organization’s ability to define, document, and manage acceptable risk requirements. Based on an organization’s needs, environment, business processes, and security goals, security experts can provide insights to help implement the right solutions to address critical risks and protect operations. The best partners are those who work as an extension of an organization’s IT team, to help keep companies operating safely and securely.
“The capability to bring something bad into your environment, without a user really knowing, is just tremendous,” said Nardone. “You need expertise to look at that risk, understand what the threats are and how those vulnerabilities can be exploited, and then bring the risk to an acceptable level.”
Connection’s Security Practice offers solutions and services to counteract increased risk proliferation. The company’s team of experts has designed industry-leading assessments, analysis, technology planning, and integration that focus on a unified and centralized solutions approach, risk management guidance, and oversight, including managed security services to combat attacks and prepare for the unknown.
“A clearly defined enterprise mobile management strategy will outline policies and procedures that encourage the use of mobile devices in a secure environment,” counseled Nardone. This must include a properly configured Mobile Device Management (MDM) system to enforce device security and to manage application and data access. “Look at the structure of your organization, determine which key players need to be part of this decision-making process, and know that you are not alone.”