Business Owners Face Increasing Cyber Risks

Hopefully every business is familiar with the concepts of email, text and phone call scams, multifactor authentication, and cyber monitoring. Those are cyber basics for any company that uses the internet. But hackers make a living out of breaking in and getting around network protections.

Cyber risk has been one of company executives’ top 3 concerns for years, and the threat is increasing with the current situation in the world, but the will to secure networks, communications, financials and operational systems has been lacking. This has led to major failures at utility and shipping companies, as well as insurers, pharmacies, retailers and financial services providers. There is hardly any industry that hasn’t been hit, and hit hard. Read more here about the current threat to cyber security in the US.

Here are the main weaknesses, and what to do about them.

Problem 1. Passwords

Hackers prefer the easiest route into your business networks. That typically is through exploiting weak or stolen passwords. While everyone hates dealing with them, password updates and unique, long, random strings of characters are a basic line of defense, pruning the low-hanging fruit that cybercriminals crave.

While it may be convenient to reuse passwords across multiple sites, this provides easy access to business networks. When a password is compromised on one account, it can swiftly be applied to all other accounts held by the user. So, for example, if your employee has a social media account that uses the same password as their email account for your company, you have a potential unlocked door.

The password warning has been repeated many times, but password insecurities remain the most exploited gateways for cybercriminals. According to the cybersecurity firm Trusona, more than 80% of cyber breaches stem from weak or stolen passwords. So what can your company do?

Password solutions: Even though employees may be annoyed by it, you should require a long string (12-16 characters) of mixed letters, numbers and symbols. Make sure your employees are not reusing their passwords on any other accounts, and require passwords to be changed frequently — as often as once a month. You may even want your information technology staff to change the passwords on their end and require users to authenticate themselves to renew access.

Trend: Some companies are moving toward biometrics to eliminate passwords on mission-critical systems. These are high-end, more expensive techniques, but they are becoming increasingly mainstreamed and, therefore, affordable. They include fingerprint, iris, facial and voice recognition. The drawback is loss of access if something happens to the unique user and the identifying asset is lost or compromised (for example, a burn, eye loss or death). If you go this route, make sure you have an administrative workaround.

Problem 2. Lost devices

In today’s economy, company business is increasingly done via mobile devices, which creates multiple layers of security risk. The most common scenario is the loss or theft of a device. In these cases, the data on the device may be used to your company’s detriment. Devices include both company-provided and personal hardware that accesses business systems.

Lost device solutions: Every company that permits mobile access to its systems should ensure that devices can be tracked, recovered and/or rendered useless (bricked) if necessary. A clear policy should be instituted so employees understand that any hardware, even personal devices, used to access company networks may be monitored, searched and manipulated to protect company assets.

Trend: Endpoint hygiene, a series of protocols that provide device-level security, is increasingly being pushed by information security experts. It includes undeletable tethering, which ties devices (endpoints) to a governing program and cannot be turned off by the endpoint user. It allows real-time monitoring of a device’s location and activity and immediate action to lock the device, prevent unauthorized access, and maintain regulatory and security compliance.

Problem 3. Lost/compromised data

Data is vulnerable to internet hackers, as well as low-tech snoops who tie into hotspots, Bluetooth or other open lines of access. Businesses can and do use prevention, such as firewalls, encryption and virtual private networks, but professional hackers can pick basic commercial locks pretty easily.

And, unfortunately, businesses frequently don’t run software and firmware updates, leaving open doors for cybercriminals. Centralization of company data, whether on the cloud or an in-house server, is also problematic. Just one infiltration into that data store could take your company out of operation and cost large sums to remedy.

Trend: Data fracturing or “decentralization” is a new way to prevent hacker access to the mother lode of your crucial business files and ensure recoverability. Basically, your company stores pieces of encrypted data on segregated computers (called nodes) across a global network. It’s an adaptation of blockchain that restricts access via keys that you can tightly control and invalidate, if necessary (for example, if someone leaves your firm).

To illustrate, imagine you use a single cloud provider. If a hacker infiltrates, they can snake into all your files. With decentralized cloud storage, each node contains only pieces of your data set, and the interloper cannot do anything with those encrypted, partial assets. But you can, because you have the keys for all the different nodes. This is a nascent technology, but some companies are already using and perfecting it.

Solution. Cyber Insurance

Step one is to make sure that you are using the best practices outlined above. Step two is to contact us to get more information about cyber insurance and how it can help your business minimize cyber risks.

For more information, contact Alexis LaPorte at alporte@twg-insurance.com.