Be Defensive: What Cybersecurity Experts Do (and Why it Matters)
Cybersecurity experts are often asked for advice on why cybersecurity is needed. Modern security means not only ensuring that you are physically safe and protecting your assets, but also includes the safety of your digital security and assets. Think about where you are the most vulnerable, and let that sink in for a moment.
What do cybersecurity professionals do?
The list of responsibilities for cybersecurity professionals is extensive, but essentially they are responsible for preventing online data from being compromised. According to Staffan Truvé, Chief Technology Officer of Recorded Future, “We spend a lot of money trying to fix things after they happen, but we should stop the attacks before they happen.”1
To put the price of cybercrime into perspective, an Accenture report on the costs of cybercrime was published in 2017 – detailing the average costs for a cyberattack that lasts less than 30 days to total $7.7 million. If the cyber attack lasts longer than 90 days this average cost escalates to $12.2 million.2
We spend a lot of money trying to fix things after they happen, but we should stop the attacks before they happen.
STAFFAN TRUVÉ
CHIEF TECHNOLOGY OFFICE OF RECORDED FUTURE
If the following questions are making you uncomfortable, you should seriously consider re-evaluating some of your – and your team’s – online behaviours:
- When did your employees last change the password to any of their accounts?
- Have your employees replied with sensitive information to strange emails?
- Do your employees overshare moments of their life on social media by posting photographs of their houses, pets or children?
All the security systems and protocols that you have paid for, installed and implemented at great cost, mean nothing if reckless behaviour is still enabling cyberattacks. For this reason, we have outlined some useful advice from cybersecurity professionals below on how to increase the security of your organisation.
Access vs control vs privacy: these three variables provide vulnerable entry points. Increasing risk in the digital world has seen higher cybercrime statistics since we developed technological marvels like the internet, WiFi and cloud-based systems.
Why cybersecurity is needed
According to cybersecurity experts, consider implementing these security measures to protect your business from cybercrime and losses:
1. Complete a cyber risk security analysis
John Chambers, former CEO of Cisco said, “There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.”3 Fortunately, it’s not all doom and gloom. There are ways to hinder cybercriminals from targeting your organisation. Dealing with this requires businesses to be aware of the risks posed through a cyber risk security analysis.4
This entails performing an assessment on the organisation’s technology and information systems, including processes, software and hardware:5 all things required to keep the organisation running in this digital age. This becomes an essential part of the risk management strategy. According to Sanjay Deo, President of 24by7 Security, “A risk assessment is often a mandatory baseline that compliance regulations ask for.”6
The importance of a cyber risk security analysis can’t be overstated as it:
- Determines the relevance of threats to your organisation
- Focuses on specific internal and external vulnerabilities
- Assesses the impact of exploiting the identified vulnerabilities
- Compares the risks of exploitation
Cyber risk assessments also raise awareness within the company of digital vulnerabilities by serving as an executive summary of sorts. This assists C-suite executives in highlighting specific problems without going into unnecessary details, and in determining what areas of the business need more growth and investment.
There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.
JOHN CHAMBERS
FORMER CEO OF CISCO
2. Ensure you have cybersecurity insurance
Linking to the points above, if you want cybersecurity insurance, you will first need to have performed a cyber risk assessment.7 It’s becoming common practice to take out insurance against the harmful risks of cybercrime. Coverage for this is industry-specific and higher risk industries like retail and finance will be more expensive to insure.
Scott Lockman, the Director of Commercial Insurance at Clements Worldwide states, “Cyber-liability protection has been around for about a decade, but insurance companies have become better at identifying risks and are able to underwrite against those risks.”
3. Train your staff on secure practices
Human error is the greatest threat to cybersecurity, internally and externally, for your organisation.9 Cyrus Walker, CEO of Chicago-based Data Defenders says research shows approximately 80% of security-related incidents occur as a result of employee behaviour.10 The major risk factor in phishing and malware attacks is simply down to human nature, and our ability to be tricked by others. The trick to ensuring that your cybersecurity is secure, is by effecting behavioural changes to the users of your system.
Most organisations don’t properly train their staff on cybersecurity counter-measures. This training should be focused on everyone, up to CEO and including senior management level.11 These people are the most likely people to be targeted due to their high-level positions within the organisation.
Most criminals use three simple sets of questions to obtain key information that can be mined to allow criminals access to your personal accounts.12 The way they gain access to this information can seem innocent, such as those fun quizzes that you complete on social media.13
Research shows approximately 80% of security-related incidents occur as a result of employee behavior
CYRUS WALKER
CEO OF CHICAGO-BASED DATA DEFENDERS
There are three common questions that may be asked to retrieve or change your password:14
- What was your or your mother’s maiden name?
- What was the street that you used to live on as a child?
- What’s your pet’s name?
Training and awareness need to be reinforced consistently, as people allow criminals access points to sensitive data, not the internet. This training needs to demonstrate smart behaviours for how to interact with the digital world, to ensure you avoid making yourself the target of a cyberattack.
Chairman of IoD Surrey and Managing Director of ramsac, Rob May emphasises in his TEDx speech on cybersecurity, “An intelligent person needs reinforcement of an idea at least six times, but you won’t always work with intelligent people. Therefore, companies don’t reinforce this as frequently as they should.”16
4. Make sure your top-level employees understand the impact of cybercrime
If your board members aren’t making cybercrime a priority, then there is a disconnect between their understanding of the technological landscape, and the potentially harmful and often long-term effects of cybercrime.17 There should be board processes in place to evaluate, strategise, and handle cybercrime.
May succinctly puts this point across by stating that, “We should trust less in the digital world… cybersecurity isn’t merely an IT problem, it needs to be embraced from the top down to the bottom levels of an organisation.”18
5. Update your policies concerning privacy and cybersecurity
Are your privacy and security policies up-to-date? Most businesses outsource services or products to third parties and it’s important to ensure those third parties are following your privacy and security policies if they have access to your internal software and servers.19
6. Change your passwords regularly
Using one password or even one password with slight variations is risky. The problem with changing your password often is that you may not remember all the passwords. An easy method to circumvent this is by using a password manager that can assist with password generation and logging into your accounts.20
7. Be smart about sharing personal information
Phishing is exactly what the name sounds like. Cybercriminals are fishing, hoping that with the right bait, you’ll be caught – hook, line and sinker.21 Phishing often resembles emails that ask you to reset your password or account information through an infected link. The email is supposed to represent a legitimate company, containing their branding and email style. Usually, small details on the email will help you to detect if this is a genuine email from that company or not. Phishing has also evolved into “whaling” – where top-tier people in the organisation are targeted to steal company-sensitive information.22
8. Understand that your Internet of Things (IoT) devices have poor security
You may not think your printer needs to be secure, but that seemingly innocuous object has been the focal point of many cyberattacks in recent years. According to Wired, “A single open port on a network connected printer is all a sophisticated malware attack needs to infect a network, send copies of itself to other connected devices and potentially seize confidential data.”23
Be more aware of your connected devices – every device is a potential backdoor that a hacker can use to infiltrate your organisation. These include: USBs, CCTV cameras, routers and printers. Most of these devices are made to connect to your security network, and have security features. The cost of overlooking cybersecurity for your IoT devices can run into millions, and simply using these features may mitigate the severity of a cyberattack quite drastically.
9. Lock your phone or laptop when unattended
The danger of leaving your device unattended with all your information readily available, especially in public or workspaces isn’t worth the risk. Always lock your devices if you leave their vicinity.25
10. Be careful of free WiFi
Criminals can use this as an entry point into your devices and steal your personal data.26 Most publicly accessible WiFi spots require you to login to use the free WiFi. Malware such as keyloggers or spyware can then be downloaded onto your mobile or the electronic device you’re using. From this, hackers can gain access to your private information. On top of being generally wary of free WiFi, it’s also a good idea to ensure you have anti-virus software installed on your devices.
Cybersecurity professionals play a vital role in identifying threats and protecting online data. As the world becomes increasingly more reliant on digital spaces, cybersecurity professionals need to be more proactive in preventing cybercrime. Become your own firewall to aid in the fight against cybercrime. Laziness and ignorance are weaknesses that cybercriminals rely on to exploit digital vulnerabilities. The future of cybersecurity rests upon humans being savvy enough to control access to their private information.
- 1 Armstrong, S. (Sept, 2017). ‘Stay safe online: Experts reveal 10 ways to protect yourself and your business from hackers’. Retrieved from Wired.
- 2 (2017). ‘Cost of cyber crime study: Insights on the security investments that make a difference’. Retrieved from Accenture.
- 3 (2018). ‘Cybersecurity. Get the full picture’. Retrieved from Cisco Systems.
- 4 Adnan, A., Nicholson, M., Stevenson, C., and Douglas, A. (2016). ‘From security monitoring to cyber risk monitoring’. Retrieved from Deloitte.
- 5 Nohe, P. (Aug, 2018). ‘How to perform a cyber risk assessment’. Retrieved from Hashed Out.
- 6 Nohe, P. (Aug, 2018). ‘How to perform a cyber risk assessment’. Retrieved from Hashed Out.
- 7 Viuker, S. (Jan, 2015). ‘Cybercrime and hacking are even bigger worries for small business owners’. Retrieved from The Guardian.
- 8 Nohe, P. (Aug, 2018). ‘How to perform a cyber risk assessment’. Retrieved from Hashed Out.
- 9 Blau, A. (Dec, 2017). ‘Better cybersecurity starts with fixing your employees’ bad habits’. Retrieved from Harvard Business Review.
- 10 Viuker, S. (Jan, 2015). ‘Cybercrime and hacking are even bigger worries for small business owners’. Retrieved from The Guardian.
- 11 Sulmeyer, M., and Dugas, M. (Nov, 2017). ‘More training won’t reduce your cyber risk’. Retrieved from Harvard Business Review
- 12 Newman, L. (Sep, 2016). ‘Time to kill security questions – or answer them with lies’. Retrieved fromWired.
- 13 Hlavaty, C. (Mar, 2018). ‘That Facebook quiz is probably stealing your personal information’. Retrieved from Houston Chronicle.
- 14 Carlton Collins, J. (Mar, 2018). ‘Online security: The password-recovery questions you should be answering’. Retrieved from
- 15 Blau, A. (Dec, 2017). ‘Better cybersecurity starts with fixing your employees’ bad habits’. Retrieved from Harvard Business Review.
- 16 May, R. (Nov, 2017). ‘Your Human Firewall – The answer to the cybersecurity problem.’ Retrieved from TEDx.
- 17 Cisco, the University of Technology Sydney and the Australian Mathematical Sciences Institute. (Feb, 2018). ‘Six habits of cyber resilient boards’. Retrieved from ISSUU.
- 18 May, R. (Nov, 2017). ‘Your Human Firewall – The answer to the cybersecurity problem’. Retrieved from TEDx.
- 19 Blau, A. (Dec, 2017). ‘Better cybersecurity starts with fixing your employees’ bad habits’. Retrieved from Harvard Business Review
- 20 (Nov, 2016). ‘10 Workplace cyber security tips’. Retrieved from FBS.
- 21 Lohrmann, D. (May, 2016). ‘Beyond spear phishing: how to address whaling and more’. Retrieved from Government Technology.
- 22 Lohrmann, D. (May, 2016). ‘Beyond spear phishing: how to address whaling and more’. Retrieved from Government Technology.
- 23 (Feb, 2017). ‘The Internet of Things has a dark side. Here’s how to protect yourself’. Retrieved from Wired.
- 24 (Feb, 2017). ‘The Internet of Things has a dark side. Here’s how to protect yourself’. Retrieved from Wired.
- 25 Phelps, T. (Sep, 2017). ‘Why you should always lock your computer’. Retrieved from Net Standard.
- 26 Dockrill, P. (Feb, 2016). ‘Here’s why you should be careful about using public Wi-Fi hotspots’. Retrieved from Science Alert.