If you’re an operating business today, you know about cybersecurity. Hopefully, most of what you know you’ve heard from news reporting and not from personal experience. Whatever the case, every business owner is aware that there is a dark world of cybercrime threatening businesses around the world.
But a passing awareness isn’t enough for a modern business. Even small businesses are prime targets for cyber criminals, with 43% of all cyber attacks targeting them.
43% of cyber attack victims were small businesses.
That’s why it’s vital for every business owner or leader to have a deeper understanding of what cybersecurity really is. And, lucky for, you’re already in the right place.
In this article, ISG Technology hopes to provide you with an overview of essential (and some nonessential but fun) cybersecurity information to help inform you business strategy including:
The history of cybersecurity
History can be useful when trying to understand how a thing works. At the very least, it can be an interesting tidbit to throw around during party conversations.
Hopefully, this brief history of cybersecurity falls into both of those categories.
The evolution of hacking and cyberthreats
The history of cybersecurity begins with the advent of our modern technology boom, so around 1970. When the idea of a computer was still new and networks were a thing only the largest businesses had.
Back then, the area of attack for cybercriminals, or more colloquially “hackers,” was much smaller. Before the internet, the hacker had to be on the computer they were hacking. No advanced algorithms, no remote access. Typically, the motivation was corporate or government espionage.
Near 1980, hackers began to incorporate advanced programming to create worms capable of navigating through networks. By 1990, viruses were all the rage, propagating and destroying information and sometimes entire email systems. By that time, a new worldwide industry was formed to start combating these growing cybercrimes.
The advent of antivirus
With more and more viruses disrupting personal life as well as business operation, the antivirus industry came into the picture. By today’s standards, antivirus was a straightforward product: software would scan your system looking for any of the identifying characteristics of viruses and then eliminate the virus.
The main issue was the software needed to have the virus information in order to scan for it properly. When there were a few thousand viruses, it was possible. But as active viruses grew into the millions, a new solution was needed.
Which brings us to the modern-day threat landscape.
The modern-day threat landscape
Cybercrime is very much a product of evolution. Every advance in technology introduced new, creative cyber threats that would target them. This has forced the growth of the cybersecurity industry and the adoption of a more strategic, tactical approach to cybersecurity.
Then vs now
Up until the 2000s, software was the common solution to cyber threats. Some companies could have in-house security experts, but much of that work was manual and almost inoperable at scale.
This caused a completely new industry to spring up from the antivirus industry. Cybersecurity began to be a word used when referencing technology-focused crimes. The end result was a categorical realignment of how we approach cyber threat prevention.
The technology boom
Arguably, the technology boom began with the creation of the personal computer. This was the inflection point where technology wasn’t just something massive businesses had access to. Suddenly everyone could have a computer used to do any number of things — like play Snake.
Once the internet rolled around, technology took off at a break-neck pace. Cell phones, MP3 players, smartphones and now smart-literally-everything. This new and evolving nexus of technology and the internet create a massive playground for cyber threats.
The average digital consumer owns 3.2 connected devices.
That’s right, your employee’s personal smartphone risks a cyberattack on your business. Even your router can be hacked.
For all the ways technology improves your business, it introduces sizeable risk as well.
An account for everything
Netflix, Amazon, your electric supplier and even your dog walker — more and more services are now accessible through the internet. And for each of those services, you have a separate account with login credentials. And everyone knows how annoying it is trying to remember the information for that account you last used 5 months ago.
But managing all of those accounts is more than annoying. It introduces a massive new avenue for cybercriminals to exploit.
Let’s take social media as a prime example. Social media is a key part of the technology boom. That boom resulted in the average person having more than 7 social media accounts.
The average person has 7.6 social media accounts.
Every single one of those accounts has some sort of personally-identifying information. And cybercriminals are able to use that personal information to create various profit avenues.
If social media account were all we had to worry about, that might not seem so threatening. But what about your bank, financial planning, loans, or any account that has linked financial information? Now we’re talking about a massive area where cybercriminals can prosper.
The dark web
As with any criminal industry, there is a criminal underworld that connects criminals to other criminals. For cybercrime, the go-to underworld is known as the dark web.
The dark web functions just like you’d expect any other internet browser to. The main difference is it requires special software and authorization credentials to gain access to it — but once you have access, there is all manner of illegal activity hosted there.
From illegal drugs and firearms to hacked accounts and credit card information, the dark web is the market where cybercriminals can sell their ill-gotten goods. A growing industry within the dark web is hacked access to corporate networks. A study from HP found that 60% of dark web vendors offering access to business networks had access to 10 or more corporate networks.
“Many [dark web] vendors offer access to individual businesses, with more than 60% offering a gateway into 10 or more corporate networks”
If any of your corporate information was ever stolen, in all likelihood it would end up on the dark web. The worst part about that is that you may never know it was stolen and sold.
Automated criminality
Automation and artificial intelligence are the future of technology. An ever-growing number of companies are turning to AI to offload part or all of their workloads. And so are cybercriminals.
The full impact of AI in cybercrime isn’t here yet. Much like AI in other industries, we’re very much in the nascent stages. But a report developed by 26 cybersecurity professionals lays out a potentially huge industry shift with the advent of AI:
“A natural effect [of AI cybercrime] would be to expand the set of actors who can carry out particular attacks, the rate at which they can carry out these attacks, and the set of potential targets.”
-The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and Mitigation
This is a prime example of why the cybersecurity industry adopted more strategic, tactical mindsets following the evolution of cyber threats. Instead of new threats completely breaking current processes, we can keep ahead of the evolving threat landscape with advanced strategy.
Risks, vulnerabilities and breaches, oh my! The lingo and what it means
Before we go too much further, we need to make sure to establish the basic definitions of common cybersecurity lingo.
Risk
Anything that opens your business up to loss or damage. In cybersecurity specifically, it means anything that can be targeted by cyber threats. Business wide, it can mean anything that can cause loss, whether it be revenue, data, clients, or reputation.
Vulnerabilities
Weakness or gaps in your security infrastructure. These are the ingresses through which cyber threats can get in and cause damage to your business.
Assessments
Think of it as a checklist applied to your business. The two most common types are risk and vulnerability assessments. You or a professional will go through your entire business to identify anything that is a risk or a vulnerability in order to bring awareness — and hopefully, remediation — to it.
Threats
This is pretty straightforward. A threat is anything that means to do your business harm. Viruses, malware, ransomware, hackers, on and on: they’re all threats.
Hacking/hackers
Hacking is the cyberthreat that requires the most human activity. Often, it is used to refer to people actively working to get into a network or other business-critical system through a compromised account or manually hacked system.
Social engineering and phishing
Social engineering, and by extension phishing and spear phishing, is a common cyber threat in today’s business environment. It refers to the use of personal information to make malicious emails appear as if they are coming from a reputable source or even from someone the end-user knows in order to elicit confidential information.
Breach
A breach is when a cyberthreat successfully gets into a system. Whether it’s malware, a virus or a hacker, breaches are a worst-case scenario for cybersecurity.
Forensics
Forensics is what follows the remediation of a cyber breach. It is the effort to identify what the threat was, what it attacked, and attempt to trace it back to its source.
What’s at risk
So what is really at risk if your business doesn’t have a complete cybersecurity strategy? That’s a complicated question to answer. A lot of the risk is easy to stick a number to, but there are a lot of risks that are more existential threats to the overall well-being of your business.
So let’s jump into them.
The dollars and cents
Let’s start with the easiest risk to stick some numbers to.
From IBMs most recent “Cost of a Data Breach Report” in 2019, the total average cost of a data breach was $3.92 million. This average can come from a lot of sources.
The total average cost of a data breach in 2019 was $3.92 million
For instance, when Equifax lost the personal and financial information of 150 million people in 2017, they had a massive settlement. The cost? Between $575 million and $700 million. All for an unpatched framework in one database.
But what about companies that aren’t huge behemonths that can survive a huge loss? Well, most studies, including one from Gartner, put the average cost of an hour of downtime in the neighborhood of $5,600 per minute, or around $300,000 per hour.
So the natural question to ask is: can your company foot that bill?
The full weight of the law
We mentioned that Equifax payout, right? Well, that payout was the result of a class-action suit put against the company. Yes, that means that a breach can put you in the crosshairs of the law.
Think about it: if you handle any client information — especially financial or personal information — and that information is stolen or lost because of a breach of your company’s systems, you are going to be seen as the one at fault.
Because of this murky, and honestly still ill-defined, area of legal action, things like cybersecurity insurance are becoming a must-have for businesses. If your business handles any confidential or financial information, cybersecurity should be a top-of-list item for you.
Putting your reputation on the line
A lot of the “cost” of a breach can be drawn down to revenue. But there is something that may be even more damaging than footing a large bill, and that is the damage done to your reputation.
The number one impact a breach can have on your business is on client retention. A survey from Thales found that 64% of consumers are unlikely to do business with a company where their financial or sensitive data was stolen.
If a breach impacting only 20% of your clients occurred, you would still lose just over 6% of your total clients. And depending on what line of business you are in, that can amount millions of dollars in lost revenue.
So it’s safe to say that great cybersecurity will protect your reputation and improve overall client retention.
“64% of consumers say they are unlikely to do business with a company where their financial or sensitive data was stolen.”
The risk sectors of an average business
Now that we’ve established what is at risk from cyber threats we can identify where the largest risk sectors of most businesses are.
Keep in mind though; these are the most common risk areas for businesses. If you want to know your business’s risk areas, you should get a complete risk assessment by a third party.
This is potentially the biggest single area of risk in your entire organization. That’s not just because most people use email as a way of professional communication. It’s also because a large amount of cyber threats are targeting email. In 2019, 33% of malicious activity was social engineering — which almost always is funneling into inboxes.
“33% of malicious activity involved social engineering.”
To add to the brute force of these efforts, they often target your least cybersecurity-conscious staff members. When it comes to social engineering attacks, your receptionist can be just as valuable as your CIO.
Network
Your network is the central data transmission hub of your business. Because of the fact that so much vital and valuable information lives on your network, it’s a natural target for cyber criminals.
The modern network is also connected to the larger world-wide Internet. And with that comes a whole slew of remote-access hacking and cyber threats. Not only do these threats target information, they can also create hidden backdoors that allow continued access that can be bought and sold on the dark web.
The cloud
Almost 80% of businesses’ workloads are now in the cloud. So it’s safe to say part — if not all — of your workload touches some sort of cloud infrastructure.
79% of businesses workloads are in the cloud
For most companies, certain applications are hosted on the public cloud. Common examples are Office 365, Google services, and pretty much any software that has a web login portal. There is also the private cloud, which compared to public has a significantly smaller and more manageable risk surface.
Because the cloud operates on the back of the internet, it is a prime target for cyber criminals. If part of your workflow does exist on the cloud, chances are there is valuable information being transmitted and hosted on your cloud provider’s servers.
The main risk associated with the public cloud is how big of a target it is. Take Office 365 for example. Many businesses have a significant portion of their workload running through Microsoft’s servers. That makes Microsoft’s cloud infrastructure a huge target with a lot of valuable information. And that’s the sweet spot for cyber threats.
Personal devices
We discussed earlier the proliferation of personal connected devices. Because of that proliferation, businesses began leveraging their employee’s personal devices to save some money while creating a more mobile, connected workflow.
This is traditionally called a bring your own device policy, or BYOD.
54% of SMBs have a formalized BYOD policy. While this policy is a great boon for the remote worker as well as the business, it introduces a whole slew of additional, often unsecured, risks.
54% of SMBs have a formal BYOD policy
In order to properly secure a BYOD policy, you need to take into account every source of the internet that the device connects to as well as the personal use it goes through. In effect, there is an infinite number of threat-vectors that your business needs to be equipped to defend against.
Public Wi-Fi
Remote working has proven to be a great benefit for companies and workers alike. Companies can save some money and workers experience less stressed, more productive days.
Today, 3.4% of the total US workforce are telecommuters. And while most of the time those employees work from home, there are some times where they work from public places like coffee shops or airports. In fact, 61% of mobile workers connect company-owned devices to public Wi-Fi networks.
61% of mobile workers connect company-owned devices to public Wi-Fi networks.
Those public networks are often unsecured, making them a hot-bed of security risk. If you connect an unsecured device to the same public network a hacker is also connected to, you’ve unintentionally opened your device to the hacker. That can create a pathway of direct access to your company’s network and data.
Yeah, public Wi-Fi is pretty frightening for cybersecurity professionals.
Modern problems require modern solutions
Like we said earlier, the industry shift that came after anti-virus occurred because of the realization that cybercrime was going to evolve at a pace where we wouldn’t be able to keep up with the individual threats. So we had to stop relying so heavily on software and hardware and approach cybersecurity from a strategic perspective.
When you can’t always identify and destroy the specific threat, what do you do to protect from cybercrime? This question is what realigned the focus of cybersecurity from remediation to prevention.
Today, a holistic cybersecurity approach requires mostly proactive solutions. Endpoint protection, monitoring, education, firewalls, scans, assessments, and more. So let’s talk about these modern-day solutions.
Strategy first
The only way to keep up with a rapidly evolving security landscape is to adopt an approach that creates resources that can work on any cyberthreat. That resulted in the transition to a strategy-first cybersecurity approach.
By thinking of cybersecurity in terms of an overall united strategy, you are already considering the risk your organization faces. And that is crucial. A cybersecurity approach that secures one part over another is insufficiently secure. But an approach that sees all the separate pieces as part of a greater whole will have better, more complete cybersecurity.
With this shift in philosophy, things like risk assessments, cybersecurity frameworks and vulnerability testing were introduced and leveraged to define the rest of the security strategy.
Reduce your risk surface area
Identifying the risk sectors of your business is a very important task for developing a complete cybersecurity strategy. The best way to begin thinking about risk areas is to consider all of the different accounts and services your business and employees use.
For instance, your business could have one solution for email, one for phone calls, another for HR, accounting, and on and on. Each of those accounts is a different risk posed to your business. And that’s just the beginning.
The best, and often easiest way, to reduce the risk facing your business is to consolidate your accounts and login structure. Often, you can use one suite for a whole stack of solutions — for example the Microsoft suite — or use one account as the main login for most of your services. And adding multi-factor authentication is always a plus.
Risk and vulnerability assessments
The first step to understand all of the risk and vulnerabilities of your business is to identify them. That’s precisely what assessments are built to do.
Risk and vulnerability assessments apply a standardized checklist to your business system in order to identify any risk or vulnerabilities. Sometimes, these assessments follow an established framework, such as NIST. Third parties can also have their own proprietary way of assessing your business.
These tests will take into account everything from user education to directory structure and permissions. The goal is to provide your business with actionable information to easily improve your cybersecurity posture.
VPN and MFA
Virtual private networks (VPN) and multi-factor authentication (MFA) are two simple, low-cost and effective security measures that every business should implement.
Let’s say that one more time:
Virtual private network and multi-factor authentication are two simple, low-cost and effective security measures that every business should use.
-Us
A VPN is the ideal solution to the pesky public Wi-Fi problem introduced earlier. A VPN creates a private and secured connection to another network over the internet. This protects your mobile workers from hacking attempts piggy-backing public Wi-Fi.
MFA adds additional authentication method to your log in credentials. These additional methods can be a fingerprint or face scan or a temporary code generated by an authentication app or sent via text. It’s a simple — and often free — security solution that makes it extremely difficult for accounts to be hacked.
Educate the end-user
Your business’s number one risk sector is your staff. Many reports have been conducted that reveal this fact: 90% of cyber data breaches in the UK in 2019 were caused by human error; 91% of enterprise security breaches on the public cloud were caused by people; employee training reduces the average total cost of a data breach by $270,000.
“Employee training reduces the average cost of a security breach by $270,000.”
The bulk of cyber threats facing your business are targeting the end-user. Tactics like social engineering, phishing and spear-phishing have outstanding success rate given the relative ease of the activity. It is vital that your employees understand email and web best practices as well as how to identify a malicious email.
If your business can transfer your staff from your greatest risk into your greatest defense, you’re well suited to preventing many cybersecurity incidents.
Proactive monitoring
Operating in front of cyber threats is a key component of employing a strategic approach to cybersecurity. The best way to stay ahead of threats is to constantly, and proactively, monitor all of your risk areas.
This requires an increasingly advanced set of tools managed by professionals to carry out adequately. The tools are able to monitor the flow of data in and our of your organization as well as any changes made to your systems. This gives a complete picture of activity. With this picture, trained security professionals are able to identify when an activity or set of activities is out of the norm or harmful.
This solution isn’t something you should handle in-house. This implementation and management of a proactive monitoring solution is best left to the professionals.
Endpoint security and encryption
Endpoints are any end-user devices that connects to your company network. These devices can act as gateways the cyber criminals go through to access you entire network to harvest data or create a backdoor that makes future entry easier.
The idea with endpoint security is to develop strategies and implement tools that secure these gateways. This has always been a standard of any cybersecurity plan, but recently it’s become more important — and more difficult — due to connectivity demands. BYOD policies and cloud computing are two practices that throw wrenches into traditional endpoint security.
“Employees working from home or connecting to Wi-Fi networks to work on-the-go means that the enterprise network security perimeter is more porous than ever.”
Endpoint security is usually a combination of firewalls, antivirus, encryption and permission controls. A firewall is your first line of defense against malicious activity from outside of your network. Antivirus, as we established earlier, is constantly searching for viruses on endpoints.
Encryption is a newer, more important feature of endpoint protection. Encryption essentially codes all of your data so that only people who have the “key” to the encryption are able to decipher the data and view it. This means that even if a bad-actor gets data off of your network, they probably won’t be able to view it.
Application controls are a management feature that sets restrictions on what applications are allowed to be used on your network. Your business can significantly reduce it’s risk surface by allowing only secured applications on your network.
Fight AI with AI
We’ve established that artificial intelligence could bring a whole new age of cyber threats to your business. Luckily, AI has already been at work transforming cybersecurity.
Keeping up with the rapidly growing amounts of malware in existence has proven to be a difficult task for the cybersecurity industry. AI is poised to be a massive benefit in that fight. By using machine learning algorithms, AI security systems are able to identify and detect potential threats aimed at your business.
A more niche use of AI is permission control restrictions. For instance, if a company wanted to not allow employees to access certain data from public Wi-Fi, AI could be trained to identify the connection security and immediately alter permissions based upon that information.
What’s best is the possibilities of AI are potentially endless. Who’s to say just how intelligent our cybersecurity systems can become?
Cybersecurity is complicated, but that doesn’t mean it has to be
If you’ve made it to this point, we hope you feel you have a better understanding of cybersecurity as it relates to your business. We also expect you to be a little overwhelmed.
If it didn’t come across anywhere else in this article, let us say it here: cybersecurity is something best left to the professionals. We wish it was as simple as “buy this and that, and you’re good to go!”
It’s not.
If you want your business to be protected from the cyber threats out there, you need professionals dedicated to the task. We recommend finding a managed cybersecurity partner who you can offload all of your security strategy, monitoring and maintenance to. You can trust that they will have the resources and experience needed to secure your staff, revenue and reputation.