Threats are mounting, but effective controls and regular education can reduce risks significantly.
According to a study released by IBM Security in July of 2019, the average cost to global businesses of a data breach is $2.92 million and has risen by 12% over the past five years. In the U.S., the average cost is much higher, at $8.19 million.[1] Further, these numbers do not account for less quantifiable costs, such as reputational damage with clients and vendors, productivity loss or lower employee morale.
While the volume and complexity of threats continue to grow, experts agree that businesses can significantly reduce their exposure – and costs if a breach occurs – by following some well-vetted best practices for operating in the current threat environment. Below is a list of such practices, which begin with setting a strong governance framework and are underpinned by continual awareness and education.
All cybersecurity programs must begin with a strong governance foundation; policies, standards, procedures and commitment from senior management are crucial building blocks for protecting data. A good way to begin this process is through performing a comprehensive analysis of the information ecosystem that needs protecting. This includes:
- Outlining who might attack your business and identifying the potential types of impact.
- Defining your technology inventory, including servers, desktops, laptops, mobile devices and removable media.
- Defining both your local-area networks (LANs) and wide-area networks (WANs).
- Outlining your third-party supply chain.
- Classifying your people inventory – individuals, roles, access and monitoring.
To establish governance and create structure for your program, you need documented policies and procedures. The results of litigation, due diligence and outside audits will all rely on these documents. They will also support business resiliency.
When building or refreshing your program and its supporting documents, consider doing the following:
- Establishing a governing body to review and set priorities
- Limiting access to non-work related sites, such as personal email, social networking, shopping and data sharing portals
- Establishing a process to build security and privacy tenets into projects from inception
- Implementing and prioritizing secure coding protocols
- Analyzing the risk of third-party vendors
- Testing and measuring your control effectiveness
- Having a cyber incident response plan and testing the plan annually
- Documenting procedures to follow if you suspect your business has been compromised
- Hiring and retaining effective information security talent
- Keeping accurate records, logs and audit results and applying the information gathered to consistently improve your program.
In addition to policies and procedures, operational plans – living documents that evolve with your organization’s growth and changing cyber trends – will also help strengthen your defenses. These plans are not one-size-fits-all but rather should combine company and industry specific add-ons with certain core components. An operational plan should allow you to prioritize both your short- and long-term cyber security plans and budgets and should consider the use of new systems, increases in business volume, and the addition of employees and new supplies.
Vulnerability assessments identify weaknesses in your systems and should be conducted at least annually. They should cover your business and its supply chain and include both physical and cyber components. Using an outside firm to perform the review is highly preferred.
The protection of confidential information is critical to the continued success and protection of your business. Begin by identifying your most valuable and sensitive information, then establish controls to protect the information based on the risk associated with unauthorized access or loss. Below are some of the most effective practices in this area:
- Using encryption tools wherever possible, including for email distribution and file transfers
- Understanding the legal requirements as they relate to protecting Personally Identifiable Information (PII), including regulations such as HIPAA and PCI, if applicable
- Determining what types of protection are necessary for stored data
- Considering the use of secure file sharing tools
The more factors needed to log in or perform other transactions related to your business, the lower the risk of a breach. These can often be put into place with minimal impact on speed and convenience. For financial transactions, use both multi-factor options and call-back procedures.
In order for your cybersecurity program to be effective, your employees need to understand it and stay informed about evolving threats. Provide regular education with an updated curriculum on the topics listed below, track evolving threats, and make sure your education program has the flexibility to keep employees informed of new threats as well as those that already exist:
- Social media
- Social engineering
- Business Email Compromise (BEC)
- Executive compromise emails/Whaling
- Phishing emails
- Device use
- International travel
- Public Wi-Fi
The presence of reliable recovery options, including not storing your backup data in the same location and server as your production data, will aid in mitigating the threats of a security compromise. Be disciplined in the creation, protection and testing of backups for critical data and technology systems.
Irregular network traffic, access patterns, physical activity, and the size and types of files leaving your business should all be closely examined. If possible, consider hiring an outside firm with specialized tools and resources to help you with this work. Also, be aware of legal restrictions against certain types of monitoring, particularly as it relates to your workforce.
Strengthen your cybersecurity defenses through intelligence-sharing opportunities with peers, vendors, law enforcement and industry affiliations. Also, make sure to stay informed with information offered by the Federal Trade Commission, the Federal Bureau of Investigation (FBI) and the National Cyber Security Alliance. Whenever possible, subscribe to “cyber alerts” of current threats and indicators of compromise, such as those available through the National Cyber Awareness System.
While there is no foolproof solution to protecting your business against cyber threats, following the above best practices will position you among the best of your peers. For more information on how to protect both your business and family, visit the Northern Trust Security Center.
1. IBM Security, 2019 Cost of a Data Breach Report, retrieved from https://www.ibm.com/security/data-breach.