Planning ahead is essential in order to mitigate risk, and damage
For centuries, people and businesses have been protecting information that they didn’t want others to have. Whether they kept it in a safe, hid it in the walls of buildings or protected it with some kind of code or cipher, the idea of keeping personal information secure is not new.
The scope of risk has vastly increased. The amount of information being stored digitally has increased exponentially over the last 20 or more years, with businesses storing terabytes of data. In addition, information has become more valuable, because it can be instantly disseminated across the world, and with the introduction of the dark web, stolen information is a profit center for hackers.
There are more attack surfaces than ever before. Your only fear is no longer that someone is going to rob your physical location, but now you must be concerned that your computer systems are getting hacked, your users are getting socially engineered, your identity being stolen, and your Internet of Things-connected devices getting compromised.
The requirements for individuals and businesses have increased significantly too. There are data privacy and/or breach notification laws in all 50 states, there are industry and government compliances, and more often businesses are including data security requirements in their vendor contracts. The penalties (monetary, reputational and contractual) for not meeting these obligations are becoming more severe.
While there are many types of threats, here are some of the most common:
- Social engineering: This is the most popular way for a business to be compromised. Your employees, team members, staff and users are your No. 1 attack surface. This happens through a phishing email, a phishing phone call (also called vishing), or through in-person manipulation. There is a 91% chance that if your information is compromised, it will have started as an email link that someone shouldn’t have clicked, or a document they shouldn’t have opened.
- Ransomware: This technique relies on an employee clicking on an email link or downloading a file that looks legitimate but is not (phishing). Once that link is clicked, or the file is downloaded, the hackers will render all data on the system useless (through encryption) and demand a payment to provide you the decryption key so that you can have your files and access back. If you choose not to pay, your system will need to be rebuilt and restored from a back-up in order for you to continue working.
- System compromise: This could manifest in a variety of ways, from compromising your email system and sending phishing emails through your account to taking control of your servers and most things in between. We have seen, firsthand, the compromise of email systems, exfiltration of data, the redirection of invoice payments, the interception of critical documents and the loss of servers, data and money that can occur when your system is impacted by unauthorized access.
Protecting your business
Knowledge is power when it comes to cybersecurity. Here are some ways that you can work to protect your business:
- Make sure that you know what data you have: Understanding the data that you are storing is a critical component of preventing a compromise of that data. This may seem like a fairly obvious statement, however there are often situations where information is being stored when or where it shouldn’t be, which prevents you from protecting it.
- Understand what compliance requirements you must adhere to: These compliances could be state data privacy laws that protect resident information, federal laws such as HIPAA or contractual obligations included with vendor or client contracts. While there are dozens of compliance frameworks that you may need to adhere to, some common compliances that may apply to your business are: HIPAA, which protects personal health information; RSA 359-C:20, breach notification for New Hampshire resident data; MA 201 CMR 17, which protects Massachusetts resident data; and NIST 800-171A, which protects information that is part of the Department of Defense Supply Chain, often listed as DFARS in government or DoD contracts.
Do you know what you would do if your organization experienced an incident? This could come in the form of a lost or stolen laptop, compromised credentials, ransomware, social engineering, system compromise or inadvertent exposure of data, among others. Do you have a plan for rebuilding or recovering your system should critical data be lost? Do your employees know what to do in these situations? In order to mitigate your own risk, it’s critical that you have a plan to respond before you have an issue. Trying to figure out how to address an incident when you are in the middle of one, is like trying to plan for a blizzard two hours after it starts.
This article was written by Mainstay’s Information Security Program Director, Paige Yeater, and originally posted online by the New Hampshire Business Review on October 10, 2019. View it here.