As little ones dream of sugarplums this holiday season, the world’s cybercriminals are dreaming of a new decade in which they will plot ever more clever and evil ways to bring down your company’s security framework. Their vision is to cost you money and time through lost productivity and compliance risk exposure and, as the icing on the gingerbread house, a data breach in which ransomware can play a part.
Data breaches are hitting companies in all business sectors, from finance to health care services. This year a Capital One breach affected 100 million-plus credit card applications and more than 100,000 Social Security numbers; the Quest Diagnostics breach affected more than 12 million patients, and approximately 540 million Facebook user records were exposed by third-party app developers.
YOUR 2020 SECURITY GAMEPLAN
While the big brand names tend to get more public attention when there is an attack, the harsh reality is that any company – small, medium or large – is vulnerable to a costly data breach and expensive recovery. Threats come from external sources like nation-state cyber criminals looking to cause large-scale disruption. They can also come from third-party sources, as in the Facebook event. What companies are now increasingly realizing is that threats, though inadvertent, can also come from within.
Employees who unwittingly click on an email link designed to introduce malware into the network, or staff members who decide to work on private company material on a device off the corporate network, are prime examples of what security professionals refer to as ‘insider threats.’ Adding to these threats is another aspect, ‘shadow IT,’ in which employees purchase devices or applications and start using them without first following any company security protocols to ensure data protection.
Against this landscape of a varied threat environment, consider tuning up your company’s security architecture and policies in order to begin the next year, and decade, with a stronger posture from which to defend against cyber threats. These practices are highly recommended by security IT teams:
- Encourage Greater Employee Awareness. Distracted employees, whether busy with holiday thoughts or work deadlines, are a perfect target for phishing or spam emails. Cyber criminals are getting better at tricking users into opening these types of emails with marketing tricks, so it is likely even the most self-aware user can eventually fall prey. The holiday season is also a perfect time for cyber criminals, since the marketing noise level aimed at all potential consumers reaches record pitch. Regular reminders about phishing threats need to be disseminated via employee portals, social media and even in managers’ meetings. It also pays to go an extra step and conduct periodic drills on phishing email campaigns. When an employee sees they clicked on a fraudulent link, they will change their behavior to become more diligent.
- Promote Security as an All-Hands Initiative. Everyone in an organization needs to feel responsible for helping protect their data privacy, and in fact, their company’s livelihood. IT and security teams need to communicate their overall cybersecurity strategy and encourage all employees to immediately report any suspicious activity. IT staff also needs to keep employees updated with any new threat information and with any improvements they have made to the company’s security infrastructure. Good internal communication will help employees feel confident that IT is executing security controls effectively and their individual contribution can impact the entire organization.
- Improve Company Cyber Hygiene. Security threats continue to increase and malware is becoming more sophisticated. Consequently, companies will continue to be defeated by a lack of basic cyber hygiene. To clean up their security act, IT needs to regularly revisit and upgrade their security and threat prevention measures. This scrutiny needs to include applying patches from Microsoft, Adobe, Google and other vendors that publish security updates. Continual surveillance should also include deep visibility into traffic patterns across the network to alert users to denial-of-service threats, or the insidious low-volume attacks, like stress tests.
- Prevent Shadow IT Threats. Well-intentioned employees or contractors can introduce devices, services and applications into the corporate network without any of these elements being vetted by IT for potential risk or compliance privacy threats. As part of continued cyber hygiene, a worthy goal for 2020 is to look at adding any necessary software that provides real-time visibility into the network, thus enabling IT to take immediate action on issues that may affect the security, health and productivity of user devices and the business.
- Tighten Control on Mobile Application Access. Employees increasingly want more flexibility in their work schedules. Whether traveling or working from a remote office or home, they expect access to any application they desire. Companies are beginning to see that uncontrolled access is another means of bringing threats into the network. To step up threat defense, institute application controls and privilege management protocols that prevent unneeded access. The ideal scenario is one in which employees can access any application critical to their job, and if using a device remotely, cannot access applications outside their realm of responsibility. Of course, as employees gain new responsibilities or change job functions, identity management software can help make adjustments to access as needed.
SECURITY IN THE NEW YEAR
No doubt, 2020 and the next decade will bring new threats to businesses and the personal data privacy of citizens. The best practice is to look at cybersecurity as a prism – one facet being the external threats from malicious cyber criminals, another facet the inadvertent entry of malware by employees opening scam email links, and yet another facet the plethora of devices in use today, many of which may not be subject to effective access controls.
By incorporating these five security practices, companies can address this multi-faceted threat landscape. The best holiday gift is a data-secure environment for company success in the New Year.