Cyberattacks are becoming ubiquitous as the number of connected devices in the world grows. Current projections from Statista show total connected Internet of Things (IoT) devices surpassing 30 billion globally by 2020, many of which represent potential paths for malicious activity.
Depending on the intentions of those gaining unauthorized system access or otherwise affecting regular operations, this activity can represent anything from a minor nuisance to a corporate crisis marked by a significant data breach. In 2018, the average number of security breaches increased by 11 percent. According to Accenture the average cost of these incidents to affected organizations increased ninefold to $13 million. With many of these breaches taking a matter of moments for threat actors to complete and months for organizations to detect, companies stand to lose privacy, time, money, and sensitive data.
The relentless pace of technological advancement paired with sophisticated and robustly financed criminal operations should keep individuals and corporations alike on their toes. But, more often than not, this situation typically finds exposed organizations taking a reactive stance. Increasingly, these cyberattacks are becoming more pervasive, meaning the challenge has now spread well beyond the IT department to involve personnel in all departments and at every level. It is, of course, impossible to prevent all malicious activity, but it is possible to be prepared for the worst by establishing a more proactive culture.
What is a Culture of Proactive Cyber Security?
A culture of proactive cyber security is one that recognizes and mitigates potential risks and vulnerabilities before an incident occurs. This requires a company-wide effort to ensure everyone is informed and educated about how to prevent issues before they occur. However, this entire process must remain dynamic for the culture to stay relevant. So, more accurately, a culture of proactive cyber security is one that continuously recognizes and mitigates potential risks and vulnerabilities through routine due diligence and a set of established processes.
Fortunately, it’s possible to begin building this corporate culture from the ground up, and six basic steps will help you start making the shift.
1. Assess Your Industry
Before taking steps toward a proactive culture of cyber security, you have to assess the risks currently facing your specific industry, including any significant incidents that may have already occurred. Simultaneously, you must identify the authorized and unauthorized connected devices used within your organization, the systems in place to keep these devices secure, and the assets to which these devices are connected.
2. Understand Your Baseline
An organization that has identified relevant risks and the practices or products currently in place to face these risks can begin to understand its own cyber “baseline.” That is, how effective its current systems are at protecting valuable information. The best way to establish this understanding is to plan network penetration testing – a staged series of tests in which an external provider tries to gain access to an insecure network–in order to identify gaps. Though this idea may initially sound counterintuitive, there are trustworthy organizations who can help.
In the world of cybersecurity, the sharp contrast between isolated malicious actors and the cyber organizations that will remediate and mitigate the risks they pose can lead to an oversimplified understanding of hacking culture. From this view, “black hat” hackers gain unauthorized access to systems for financial gain, data theft, and other malicious purposes, while, “white hat” hackers use their knowledge to help organizations test vulnerabilities and fix existing exploits. In reality it’s often more nuanced: a reputable organization is staffed with full-time cybersecurity experts who can be relied upon to proactively identify security vulnerabilities that would be targets for malicious actors, but, just as likely, would pose huge legal and regulatory risks.
3. Establish Clear Policies and Specifications
With your baseline established and weaknesses identified, it’s time to formalize requirements and guidelines for the use of connected devices, along with specifications and requirements to evaluate all third-party products and components(including software). Guidelines are likely already in place for the use of company property, but should be reviewed to ensure the use of personal devices for work is also addressed. Personal devices often aren’t covered by the same security measures as company-owned devices and can therefore offer an easier access point to corporate networks and systems. Additionally, these guidelines should cover the networks themselves, outside vendors, and products being considered for the organization. If a new product or device contains a significant security flaw, it may represent a risk to the entire network despite internal precautions.
4. Involve Everyone
All established policies must be company-wide, as all employees represent a potentially-exploitable access path. According to Verizon’s 2019 Data Breach Investigations Report, human error contributed to 21% of breaches while 15% were the result of misuse by authorized users. Reacting to a cyber incident will likely fall to the IT department and possibly even law enforcement depending on severity, but every employee in the organization must be trained on policies, expectations, and applicable threats to ensure a truly proactive culture.
Employees are a company’s first line of defense. Education and training on everything from device use and password management to VPN credentials and specific methods of attack (e.g., ransomware, malware, phishing, and DoS) can help eliminate human error.
5. Establish As-Needed Access
Limiting vulnerabilities is one of the easiest ways to take a more proactive approach. Employees often have access to certain systems or parts of a network they don’t need and likely never use based on backend setup, and this can become problematic. Verizon’s latest report stated internal actors were involved in 34% of breaches, but even without malicious intent, unneeded access creates additional access paths. Limiting credentials on a “need-to-know” basis helps ensure that, even if a device or set of credentials is compromised, the incident can be contained.
6. Remain Diligent
Diligence is the keystone of a truly proactive cybersecurity culture. Technology is evolving faster than ever, and cyber awareness – and readiness – must keep pace. Being proactive requires an organization to maintain a continued focus on the state of their cybersecurity and the state of the industry itself. Risks are constantly shifting, internally and externally, necessitating everything from routine staff training and system benchmarking to regularly scheduled software updates.
Throughout all of these efforts, it’s important to remember that, in one form or another, people are behind every breach . Too often, the focus is placed on the technology used in cybercrimes, but the human element shouldn’t be overlooked. Similarly, the use of technology to combat cyberattacks and develop a proactive cybersecurity culture is only part of the process. Human expertise behind the scenes remains invaluable when evaluating risks, safeguarding systems, or mitigating the damage from a breach. Every company is only as strong–or as weak–as a single employee.
Though technology is necessary when creating a more cyber-secure organization, human intelligence is what makes the biggest difference. Explore Prescient’s Cyber Offerings today.