Cybersecurity is a huge risk to companies of all sizes. Because both the frequency and sophistication of cybersecurity breaches around the world are advancing so quickly, it is imperative that companies increase their preparedness. Although sophistication is increasing, the majority of breaches are not the result of sophisticated hacking; they are due to human error, which for companies generally means employees opening spam emails and clicking on bad links. Globig recently discussed the topic of cybersecurity with expert Adam Anderson, the CEO and founder of Atlas Vault. Mr. Anderson offered some great tips on the prevention of cybersecurity breaches.
This article will describe 5 essential tips to help companies limit or prevent security breaches.
1. Involve company board members and senior management
All companies should have a cybersecurity risk management program in place. A cybersecurity risk management program should include a company’s cybersecurity strategies, policies, and practices. The National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity provides guidance on improving or establishing a risk management program. This program should start at the top. Company board members and senior management are responsible for establishing and implementing these policies. Cybersecurity, privacy, and data breach response should be a priority at the highest level of a company. Without senior-level buy-in, implementation of a risk management program won’t be as successful.
2. Create and implement an employee education and training program
Companies attribute more than half of their breaches to malicious or negligent employee activities, yet most companies aren’t doing enough to prevent these human errors. Two of the biggest threats employees face are phishing and ransomware.
Phishing: Phishing is when an internet fraudster impersonates a business to trick a person into giving out their personal information. Phishing occurs through email, text message, and even pop-up messages. The typical phishing email asks for personal information, often including financial details. The following are examples of what a phishing message looks like:
“We suspect an unauthorized transaction occurred on your account. To ensure that your account is not compromised, click on the link below to confirm your identity.”
“During the verification of your account, we could not verify your information. Click here to update and verify your information.”
“Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund.”
Ransomware: Ransomware is an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them. The malware encrypts files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network. Ransomware attacks are usually delivered via an attachment to an email, although another trend is to send them through e-cards.
There are many ways to limit or prevent employee negligence that results in a security breach. All companies should have a cybersecurity risk management program that includes robust policies and employee training that aims to limit or prevent these breaches. An education and training program should be applicable to all employees, even senior management, and should be ongoing. First and foremost, employees should be taught to never open a fake email or click a fake link. Here are some important things employees should look for to determine whether an email is fake.
- Is someone asking for personal information, money, or help? Companies will not ask for personal or financial information through an insecure network or link.
- Who is sending the email? Why would that person or company send the email? How did the person or company get the receiver’s contact information? If an email comes from an unknown source, it is worth being suspicious.
- Is the email written with poor grammar?
- Are there weird spaces in the email?
- Is the URL weird? Many hackers will use a familiar company domain with slight changes, generally the addition of a period in odd places. Ex: we.lls.fargo.
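As an added example (not code from the article, Globig or Atlas Vault), the following Python check implements the “weird URL” heuristic above from the defender’s side: it strips dots and hyphens out of the sender’s domain and flags the message when a known brand name survives but the domain is not one the brand actually sends from, and it also catches a brand name in the display name over an unrelated mailbox. The brand list and the headers are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed (assumed) mapping of brand names to the domains they legitimately send from.
KNOWN_BRANDS = {
    "wellsfargo": {"wellsfargo.com"},
    "globig": {"globig.co"},
}

def squash(text):
    """Drop everything except letters and digits, so 'we.lls.fargo' becomes 'wellsfargo'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def registrable(domain):
    """Approximate the registrable domain: last two labels (mail.wellsfargo.com -> wellsfargo.com)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()

def lookalike_reasons(from_header):
    """Return a list of reasons a From: header looks like brand impersonation (empty = no finding)."""
    display, addr = parseaddr(from_header)
    _, sep, domain = addr.rpartition("@")
    domain = domain.lower() if sep else ""
    if not domain:
        return ["no sender domain"]
    reasons = []
    for brand, legit_domains in KNOWN_BRANDS.items():
        if domain in legit_domains or registrable(domain) in legit_domains:
            continue  # a genuine sender for this brand; subdomains are allowed
        if brand in squash(domain):
            reasons.append(f"domain {domain!r} resembles {brand!r} but is not a known {brand} domain")
        elif brand in squash(display):
            reasons.append(f"display name {display!r} claims {brand!r} but the mail comes from {domain!r}")
    return reasons

def scan_headers(from_headers):
    """Map each constructed From: header to its findings; useful for a quick triage report."""
    return {h: lookalike_reasons(h) for h in from_headers}

if __name__ == "__main__":
    # Constructed sample headers, two genuine and three suspicious.
    SAMPLES = [
        "Wells Fargo <alerts@wellsfargo.com>",
        "Wells Fargo <alerts@mail.wellsfargo.com>",
        "Wells Fargo <security@we.lls.fargo.com>",
        "Wells Fargo Support <wf-support@gmail.com>",
        "Globig <noreply@wellsfargo.com.example.net>",
    ]
    for header, findings in scan_headers(SAMPLES).items():
        print(f"{'SUSPICIOUS' if findings else 'ok        '}  {header}  {findings}")
```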
Many companies are now training their employees with simulated phishing emails. These emails test whether an employee recognizes a phishing email. Generally phishing simulator emails are sent out periodically, at some companies about one per quarter. These tests are effective because they are a hands-on way to train employees and have proven to change behavior. Once employees understand that they are being tested regularly, their behavior changes and they take an extra second or two to determine whether the email is a fake. Here is a list of the top phishing simulators so you can test your team.
3. Don’t store more data than necessary
If there is no need to store particular information, don’t store that information. Some countries do not allow companies to store unnecessary or unused personal information. Companies should make it part of their risk management policy to purge all information that is no longer relevant or needed for business purposes.
4. Mitigate human risk by outsourcing
This goes hand-in-hand with storing no more data than necessary. Don’t do things in-house. Although large companies are not immune from cyber attacks, they are often in a better position than smaller companies to prevent and respond to hacks. Outsourcing when possible will protect a company in many ways. Companies can find SaaS products to handle all of their business needs, and those providers are likely better suited to handle those needs than the company itself. Ex: Google is better at email security than most companies.
5. Ensure your partners and supply chains are secure
Working with other companies is a necessary part of business today. It doesn’t matter how secure a company is if its partners and supply chains are not. Determining whether a partner or supply chain is secure is difficult. Most large companies will employ a long, comprehensive questionnaire that is sent to all potential partners and suppliers. The vetting process can take months. Most smaller businesses will not employ this same method. Here are some helpful questions companies should ask their potential partners and suppliers:
- What are you doing with the data that passes through your program that you receive from me?
- How are you complying with the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity (often called the Cybersecurity framework or CSF)?
- What industry standards do you comply with?
- Have you had an internal or external security audit?
With the prevalence of cybersecurity breaches today, no company can afford to do business without a comprehensive and effective cybersecurity risk management program in place. The 5 essential tips described above should be a part of any risk management program.
About Globig:
If you have international offices with employees and business teams focused on foreign markets, Globig is a must for saving valuable time and money, and for managing risk.
Want to learn more? We are here to help.