It is easy to develop blind spots in our thinking, particularly toward things that we see often, as if they become invisible to us after enough repetition. For instance, we may read so much about cyberattacks and how important security is that it becomes harder to think about the topic logically and plan protection deliberately. After all, just about every type of system you can imagine has been hacked, from smart city technology and alarm systems to mobile bank apps, aircraft systems, and cars.
The seeming overabundance of attention on cyberattacks is actually a window into the reality that the threat landscape is increasingly complex and must be confronted to avoid huge losses. Spurred by various forces, companies know that cybersecurity deserves consideration – but they do not always move forward systematically. This article looks at drivers of cybersecurity as a top priority, evidence of failure to implement full security best practices, and steps you can take to fortify your posture.
3 forces driving the increasing importance of cybersecurity
According to a 2017 Fortinet poll of IT executives, three key reasons that cybersecurity is becoming a bigger priority in business boardrooms are:
Cloud migration proliferating – It is no secret that cloud is being utilized more broadly within business. With workloads being switched over to cloud, nearly three-quarters of IT security executives said that they think cloud security is becoming a greater concern. Just over three-quarters (77%) said that their boards were recognizing cloud security and a budget to ensure it as top points of focus. The actual implementation of cloud security solutions was not quite as high, though, with only half of those polled (50%) saying that they would adopt cloud security solutions in the upcoming 12 months.
Regulatory scrutiny growing – Greater prioritization of IT security is also fueled by additional regulations, cited by one-third of those polled (34%). Of particular interest is the General Data Protection Regulation (GDPR), which could bring fines, additional costs, and credibility concerns (since violations are posted publicly).
Cyberattacks and data breaches rising – The vast majority (85%) said that their organization had suffered a data breach. The most common form of attack was malware and ransomware, listed by nearly half of decision-makers surveyed (47%). There was progress in the right direction in making security a bigger focus following WannaCry and other prominent worldwide attacks. The scope and makeup of today’s attacks are making it a concern of boards rather than just IT leadership.
Concern with security does not always result in action
Another indicator of how critical security is to business, consistent with the survey above, comes from the UK’s Department for Culture, Media and Sport. When this agency polled more than 1,500 UK-based businesses in 2017, nearly three-quarters (74%) said that digital security was a top priority for senior management, while two-thirds (67%) said that they had purchased cybersecurity systems or services in the previous year. Investment in cybersecurity was stronger among larger organizations: 91% of large enterprises had spent on information security, compared with 87% of midsize firms. Safeguarding customer data was the #1 reason for cybersecurity investment, cited by 51% of those surveyed. Problematically, only one in three respondents said that their business had a formal cybersecurity policy in force (or had cybersecurity guidelines listed within audit documentation or a business continuity plan). The number was even lower for cybersecurity incident management plans (i.e., the actions to take if you learn you are being attacked): just 11 percent of the UK organizations polled had one in place.
Perhaps the key point to take away from that survey is that businesses are generally prioritizing security – investing in security technologies, for instance – but do not comprehensively follow cybersecurity best practices. As George Ralph noted in Private Equity Wire, “It seems like the fear of attack has induced spend, but hasn’t extended to policies and procedures that could reduce the threat of attack, or ensure attacks were dealt with more effectively.”
Taking action for better cybersecurity
#1 – Take a proactive approach to cybersecurity.
It is critical to develop working knowledge of the common threats to your organization and of the essential ways you can identify them before they cause damage, noted Deloitte. In practice that means knowing which attacks are most likely against your assets and which signals (logs, alerts, anomalies) would show them in progress.
#2 – Go beyond risk avoidance to building resiliency.
PwC found that organizations that were creating a climate of risk resilience were seeing better long-term financial gains than those that were simply responding to problems as they arose. The PwC researchers gave the example of Japan following the tsunami in 2011, when businesses that had risk management programs with business continuity plans were able to get back up and running much more quickly than those that did not.
#3 – Test for the weakest link.
Seeing how well you handle mock situations can inform a much stronger approach, so use stress tests. These tests should incorporate all of your interdependencies, including third-party services and suppliers, so that you know what might go wrong with the other systems on which your own systems rely. A chain is only as strong as its weakest link, and that link is often a dependency rather than a system you control directly.
#4 – Strengthen your defenses.
Develop a complete strategy for patching, secure software development, and a secure physical environment, said Deloitte.
#5 – Give special attention to threats that could alter or eliminate data.
While confidentiality now stands as the most critical objective of cybersecurity within the business world, integrity will take its place in the near future, per Dan Geer (cited by PwC), who specializes in risk management and IT security. A heightened focus on maintaining integrity facilitates recovery from an attack: if you can establish exactly which data was altered or deleted, you can restore precisely that data from a trusted copy instead of rebuilding everything. Blockchain is one technology PwC points to as assisting with integrity; in practice the same goal is commonly met with cryptographically hashed or signed baselines, append-only logs, and offline backups that an attacker on the network cannot alter.
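As an added example for the integrity point above (this is not code from the page, PwC or Dan Geer), the script below builds a baseline manifest of file hashes, protects the manifest with an HMAC under a key held separately, and then reports which files were altered, eliminated, or added. The directory, files and key are constructed for the demo; the assumption is that the manifest and key are stored where an attacker who can modify the data cannot also rewrite them.

```python
"""Tamper-evident file baseline: detect altered, deleted and added files.

Added example, not the page's own code. KEY is a constructed placeholder;
in real use it lives off the protected host (e.g. in a secrets store).
"""
import hashlib
import hmac
import json
import os
import tempfile

KEY = b"constructed-demo-key-keep-this-off-the-protected-host"


def _sha256(path):
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, key=KEY):
    """Hash every file under root and bind the manifest with an HMAC."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = _sha256(full)
    body = json.dumps(files, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


def verify(root, manifest, key=KEY):
    """Return (manifest_ok, modified, deleted, added).

    If the manifest's HMAC does not check out, the manifest itself was
    tampered with and none of the per-file results can be trusted.
    """
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return False, [], [], []
    current = build_manifest(root, key)["files"]
    baseline = manifest["files"]
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    deleted = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return True, modified, deleted, added


def demo():
    """Constructed scenario: one file altered, one deleted, one dropped in."""
    root = tempfile.mkdtemp()
    for name, data in {"a.txt": b"alpha", "b.txt": b"bravo", "c.txt": b"charlie"}.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    manifest = build_manifest(root)

    with open(os.path.join(root, "a.txt"), "wb") as f:
        f.write(b"ALPHA-ENCRYPTED")             # altered in place
    os.remove(os.path.join(root, "b.txt"))      # eliminated
    with open(os.path.join(root, "ransom.txt"), "wb") as f:
        f.write(b"pay up")                      # new file appeared

    ok, modified, deleted, added = verify(root, manifest)

    # An attacker who edits the manifest to hide a.txt's new hash, but who
    # lacks KEY, cannot produce a matching HMAC, so verification refuses it.
    forged = {"files": dict(manifest["files"]), "hmac": manifest["hmac"]}
    forged["files"]["a.txt"] = _sha256(os.path.join(root, "a.txt"))
    forged_ok = verify(root, forged)[0]
    return ok, modified, deleted, added, forged_ok


if __name__ == "__main__":
    print(demo())
```

The HMAC is what makes the baseline useful for recovery: without it, an attacker with write access to the data can simply regenerate the manifest, and the "what changed" answer is worthless.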
#6 – Maintain oversight and make updates.
Typically, organizations detect vulnerabilities, apply patches, and keep threats from becoming broader problems. At the same time, many businesses do not make sure that their disaster recovery plan still matches their circumstances, or that their staff remains informed on key security concerns, per the EC-Council.
While it is critical to monitor your system and react to what you see, monitoring is not enough on its own. It is important, said the council, to change the way that you approach cybersecurity given the continuing growth and development of threats. The council suggests including these three strategies:
- Maintain an asset inventory and scan it routinely so that vulnerabilities are located quickly.
- Fix vulnerabilities systematically through a mitigation process.
- Organize and consolidate your threat intelligence in a central location.
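The three strategies fit together naturally: an inventory of what you run, a list of advisories from consolidated intelligence feeds, and a scan that matches one against the other and turns the result into an ordered mitigation plan. The script below is an added example of that loop (it is not EC-Council code). Every asset, product name, version and advisory in it is constructed for the demo, and the advisory identifiers (ADV-1, ADV-2) are placeholders rather than real CVE numbers.

```python
"""Asset inventory scan against consolidated advisories, with mitigation tracking.

Added example, not the page's own code. All data below is constructed.
"""
from dataclasses import dataclass


def parse_version(v):
    """'2.4.49' -> (2, 4, 49); pad to three components so '13.5' == '13.5.0'."""
    parts = [int(x) for x in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


@dataclass(frozen=True)
class Advisory:
    id: str
    product: str
    fixed_in: str       # first version that is NOT affected
    severity: int       # 1 (low) .. 4 (critical)


@dataclass
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool = False


@dataclass
class Finding:
    advisory: Advisory
    asset: Asset
    priority: int       # higher = fix first


def consolidate(*feeds):
    """Merge advisories from several intel feeds into one central list.

    The same id can arrive from more than one feed; keep the highest
    severity reported so a conservative feed cannot mask a critical one.
    """
    merged = {}
    for feed in feeds:
        for adv in feed:
            cur = merged.get(adv.id)
            if cur is None or adv.severity > cur.severity:
                merged[adv.id] = adv
    return list(merged.values())


def scan(assets, advisories):
    """Match installed versions against advisories; rank by severity and exposure."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if adv.product != asset.product:
                continue
            if parse_version(asset.version) < parse_version(adv.fixed_in):
                # internet-facing assets get fixed first at equal severity
                priority = adv.severity * (2 if asset.internet_facing else 1)
                findings.append(Finding(adv, asset, priority))
    return sorted(findings, key=lambda f: (-f.priority, f.asset.host, f.advisory.id))


def remediation_plan(findings):
    """One work item per host: its top priority and the target version per product."""
    plan = {}
    for f in findings:
        entry = plan.setdefault(f.asset.host, {"priority": 0, "upgrades": {}})
        entry["priority"] = max(entry["priority"], f.priority)
        target = entry["upgrades"].get(f.advisory.product, "0")
        if parse_version(f.advisory.fixed_in) > parse_version(target):
            entry["upgrades"][f.advisory.product] = f.advisory.fixed_in
    return plan


def demo():
    """Constructed inventory and feeds; then a rescan after one host is patched."""
    feed_a = [Advisory("ADV-1", "webserver", "2.4.50", 4),
              Advisory("ADV-2", "database", "13.5", 2)]
    feed_b = [Advisory("ADV-2", "database", "13.5", 3)]   # same id, higher severity
    advisories = consolidate(feed_a, feed_b)
    assets = [
        Asset("edge-01", "webserver", "2.4.49", internet_facing=True),
        Asset("app-01", "webserver", "2.4.50"),
        Asset("db-01", "database", "13.4"),
    ]
    first = scan(assets, advisories)
    plan = remediation_plan(first)
    assets[0].version = "2.4.50"          # inventory shows edge-01 was upgraded
    second = scan(assets, advisories)     # the finding drops off on rescan
    return advisories, first, plan, second


if __name__ == "__main__":
    for f in demo()[1]:
        print(f.priority, f.asset.host, f.advisory.id, "->", f.advisory.fixed_in)
```

The rescan step is the part most organizations skip: a finding is only closed when the inventory, not the ticket system, shows the fixed version installed.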
#7 – Be aware of ransomware.
According to Panda Security, we were already clocking 230,000 new malware samples per day in 2015. Specifically, ransomware is on the rise. This type of attack occurred 36% more frequently in 2017 and is projected to become increasingly prevalent.
As the EC-Council puts it, what is now occurring in cybercrime is mass blackmail. Ransomware is first an attack on availability, since the encrypted data is unusable until restored, but the variants the council describes also make it a threat to the confidentiality of private information. Malicious parties access your personally identifiable information (PII), encrypt it, and also transfer out a copy of all the data from company devices, for leverage in blackmail efforts. The thieves then demand payment, which is sometimes collected in installments. Tested, offline backups address the encryption; only preventing the exfiltration in the first place addresses the blackmail.
Your secure ecommerce platform
Do you need full-featured ecommerce software run on secure infrastructure? At Total Server Solutions, your data is hosted within our PCI-DSS and SSAE-16 compliant datacenter. See our comprehensive ecommerce solutions.