Many of you probably live in fear. Fear of a data breach.
While a breach may sound innocent enough—simply someone on your team that might have lost, misplaced, or mis-transferred some data—your clients, patients and regulators may think otherwise.
In 2019, the average breach affecting relatively small organizations costed them the likes of $73,000. The cost of reputational damage to vendors and clients may actually be far greater.
I’m sure it’s of little surprise that in recent accounts with CEOS, their two greatest worries ranged from a list of technical-related developments that have recently arisen surrounding stolen and breached data and being victim of a ransomware attack.
Many CEOs know firsthand of their company experiencing a ransomware attack. Those that have lived through a ransomware attack understand the devastation and ruin involved in recovery efforts. When recovering from a ransomware attack, one thing is clear—there is no free lunch (everything will cost you).
Is your likelihood of a breach or attack REALLY that low?
Most organizations believe that nothing could ever happen to them. In fact, nearly a quarter of businesses in 2019 that ended up falling for a ransomware attack had previously said “this would NEVER happen to me”. Too small? Not the right industry? Your people understand security? You’ve invested a lot of money in security already? Passed a security risk assessment?
None of these reasons actually kept organizations safe.
Why?
While told what they were safe (or being protected) from IT staff, the underlying theme was clear—if they weren’t thinking and actively checking up that their systems were secure, in all likelihood security was not ‘good enough’ at keeping their organization safe.
More than HALF of data breaches last year did NOT result from malware.
According to a study released late in January, nearly half of data breaches resulted from malware-less attacks. More and more, hackers are finding ways to access your network WITHOUT using existing systems (ex: logging in with stolen credentials).
The more they are able to stay undetected, the more successful they will be. Hackers today are staying unseen because their methods are NOT being detected.
NOT detected by your antivirus.
NOT detected by programs you may have set up to detect suspicious user activities.
NOT detected by firewalls.
What DOES work to keep data secure?
I—like many cybersecurity experts—see the problem like going to the doctor. Say you’re getting your annual colonoscopy exam. If you’re actually showing up and getting examined, the more likely the doctor will be able to check in and see anything unusual.
With computer networks it DOESN’T take going to a specialist once a year. It DOES take getting continuous feedback as to where your vulnerabilities lie.
Instead of finding a polyp or suspicious mole—something that may have been festering for months—security experts recommend a better plan is to be ‘in the know’ on at least a weekly basis.
If your network has been hacked—or your IT team has opened a big hole for criminals to get in, would you want to wait for a quarterly report on your systems? Would a quarterly update meeting to review cybersecurity be enough?
If you had an aggressive cancer, would you prefer waiting a few more months to get anything addressed? If you’re like me, you want to do something NOW.
Will Someone Get Phished?
More and more today, we are seeing personnel learning about phishing attacks—either through word of mouth or through experience.
The problem?
They are only getting training on PREVIOUS attacks. You see, phishing testing (while useful to prime experiences of your team) is only as good at REACTIVELY giving you and your team insights on what is being done. Be aware that even if you are making sure your teams are not clicking on a phishing email based on something released months ago, doesn’t mean that they will be prepared for the next creative scam or campaign to hit your inbox.
The best ways to combat hackers?
Make sure to provide training—phishing practice is good, but also make sure you are continuously having discussions with your team around security. If your teams were to keep up on best practices with their personal security hygiene (beyond simply using unique and strong passwords) you might be able to get them to pay more attention and care about security risks impacting your business.
Never think you’re immune—shift your mindset from simply thinking “my IT team has everything covered” to one interested and skeptical of things on your network. If you come across a login that seemed too simple or glanced at a headline in the news about a company getting attacked, make sure your IT team is explaining what they are doing to protect your data and keep your organization safe from current types of attacks. Best to doubt that things are being done correctly rather than simply trust that they are.
If you know of someone in your community that has had a data breach, is it really that unlikely something might at some point happen to you?
