Three ways to combat cyber threats
Hackers don’t discriminate, thanks to increased connectivity, globalization and the 'commercialization' of cybercrime.
Regardless of the size of your company, your business sector or your level of brand visibility, you are susceptible to a cyberattack. Hackers don’t discriminate.
This was one of the major takeaways from a recent roundtable discussion I participated in focusing on the growing threat of cyberattacks and how companies can best protect themselves.
The roundtable, hosted by Allianz Global Corporate & Specialty, included myself and two of the country’s foremost experts in business security, Steve Martino, Cisco senior vice president and chief information security officer, and Dr. Gregory Falco, Stanford fellow, CISAC security researcher and MIT graduate.
While we were all in agreement on the ever-increasing level and intensity of cyberattacks, one of our goals in coming together was to forge a consensus on what businesses — big and small — can do to address and protect themselves from such attacks and the debilitating collateral damage they invariably leave in their wake.
As we all know, increasing connectivity, globalization and the “commercialization” of cybercrime are driving the greater frequency and severity of cyber incidents, including data breaches. And the threat is growing more acute and costly for businesses.
In fact, a leading researcher on cyber statistics, Cybersecurity Ventures, predicted in its Annual Cybercrime Report that hackers will cost the world $6 trillion annually by 2021. Cyberattacks, even those that cause minimal damage, can lead to severe business interruption and financial loss.
The numbers tell an alarming and unnerving story. According to an annual data breach report sponsored by IBM, data breaches cost companies $3.86 million on average in 2017. In some of the worst case scenarios, “mega breaches” cost enterprises anywhere between $40 million and $350 million. These numbers are staggering, yet on the rise.
“Every company today is a tech company,” said Cisco’s Steve Martino. “Some companies no longer have any physical assets; all risks have some tie to technology… This brings more and new exposure to risk.”
To address this new normal, Dr. Falco stressed that cyber leadership needs to start from the top of any organization. “If leaders aren’t pushing and demonstrating good cybersecurity,” he said, “it is unrealistic to expect the rest of the organization to follow suit.”
He added that cyber risk should not exclusively be managed by a CISO because a cyberattack can cause serious economic and reputational damages to your business that expands far beyond your technology infrastructure.
“Frankly, the CEO’s job is on the line and board members need to push leadership to adopt the latest advancements that are feasible for an organization to adopt,” concluded Falco.
With that in mind, here are three concrete ways for companies to combat cyber threats and mitigate any potential damage stemming from a data breach.
No 1: Have a cybersecurity expert at the board level.
If your company doesn’t have an individual with tech/cyber security experience on the board, it’s incumbent to create a new board position or hire an IT consultant who can serve as a close adviser regarding cybersecurity strategy. Companies must have access to business professionals who understand the cyber landscape, existing threats and are keenly aware of the known unknowns. The onus is on the board of directors to ramp up their cyber security budgets. Roughly 73% of organizations said it is “very common” or “common” to have just one person responsible for alerting the business to vulnerabilities and also applying patches and updates to systems and software, according to a recent survey of 510 IT and cybersecurity leaders. For many companies, there’s still too much emphasis on traditional business risks and not enough on digital risk. This has to change.
No. 2: Sharpen employee awareness/cyber security training.
Often times, a data breach happens after an employee unwittingly clicks on a link in an email, unleashing malware into the entire organization. That’s why there’s a growing onus on organizations to provide cyber security training, awareness and education on an annual basis. The threat landscape changes quickly and employees need to be kept abreast of these changes in real time. Training doesn’t have to be overly complicated. Half the battle is making sure employees are able to sharpen their digital antennas and understand that some emails are not always what they appear. Employees must be aware of protocols regarding who they report to when they spot something fishy in their inbox and how to address the situation quickly.
No. 3: Bolster your password management efforts.
There are all sorts of circuitous ways hackers can breach corporate computer system(s). For example, malicious actors online could hack into your Gmail account and use that access to get into your company’s business network. Many people use the same computer password for both their personal and professional accounts. Companies need to disabuse their employees that that’s acceptable. Employees need to be conditioned not only to have unique passwords for different computers and different hand-held devices but to change the passwords frequently (and make sure changes in passwords are a significant departure from previous ones).
Considering the pace of technological change — and how hackers invariably seem to stay just a few steps ahead of any companies’ best efforts to curtail their activity — organizations that continue to give cyber security the short shift could one day find themselves facing an existential threat.
Further, individual board members and/or C-suite executives who ignore or downplay cybersecurity efforts could be on the hook if, following a breach, they are found to have abrogated their corporate responsibility. At that point, having to leave the company may be the least of their worries.
Change can happen but only when companies — and those that comprise their leadership teams — make a concerted investment in a robust cybersecurity program. Until then, history, and hacking, will indeed continue to repeat itself.
Emy Donavan (Emy.Donavan@agcs.allianz.com) is the global head of Cyber, Tech and Media PI at Allianz Global Corporate & Specialty. These opinions are her own.
See also: