Why Large Companies Are Still Failing to Fend Off Hackers
Cybersecurity has been top of mind for a long time, yet large organizations such as Colonial Pipeline, Twitter and Kaseya are still being successfully breached. A study conducted by UpCity found that only 50% of companies have a cybersecurity plan in place (Forbes, 2022), at a time when reported cyberattacks continue to climb. NSF-ISR Director of Information Security Tony Giles finds that many large companies are not using the simple, well-established security practices that would help protect their data. Now is the time for companies to level up their cybersecurity.
Conduct a Risk Assessment
An essential first step in ramping up cybersecurity across a company is to conduct a risk assessment: inventory the systems and data that matter, then identify the threats to them and the vulnerabilities that expose them. Pairing the risk assessment with a probability and impact assessment, which rates how likely each risk is to materialize and how much damage it would do, shows a company where its risks are, how large they are and what protective action each one warrants. Many of our clients are surprised when we alert them to vulnerabilities during audits. That lack of awareness creates a domino effect of problems if the organization is breached by malicious hackers. The risk assessment also provides a starting point for deciding which security items a company can and should address first.
Practice, Practice, Practice
Businesses need an incident response plan and a business continuity plan so they are prepared in the event of a breach. These plans spell out what steps to take when the company is breached, whom to contact and how the company will keep operating while affected systems are unavailable. Having a detailed, written plan is critical so leaders and team members are not scrambling in a time-sensitive emergency.
Collaboration and repetition are key to this planning. Once the company has documented both its response plan and its continuity plan, it should run tabletop exercises that walk through the plans with representatives from every department, not just IT. This step is often skipped, which can be detrimental in a real response. Tabletop exercises make teams familiar with the process, and they surface gaps such as out-of-date contact lists or unclear decision authority before a real breach or disruption forces the issue, so teams can act quickly to protect their data and business commitments.
Back to the Basics
NSF often sees companies missing basic, inexpensive information security protections, and the simplest of them can save a company not only its reputation but millions of dollars. One example is an organization-wide password policy; this is not optional. Requiring a mix of uppercase letters, lowercase letters, numbers and special symbols is the traditional rule, but composition rules alone tend to produce predictable choices such as a capitalized dictionary word followed by a digit and a symbol. Current guidance (NIST SP 800-63B) puts more weight on length and on rejecting passwords that appear in breach corpora or common-password lists, and a policy should do both. Cybersecurity must also be a team effort: encourage employees to report any suspected security issue to the IT or security team right away, and make sure they understand why information security matters and what their role in it is.
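To make the password point concrete, the following is an added example written for this article, not code from NSF-ISR or from the original text. It implements the composition rule described above exactly as written, and beside it a length-and-blocklist check in the style of NIST SP 800-63B. The blocklist is a constructed six-word sample standing in for a real breached-password corpus, the 12-character minimum and the normalization rules are this example's own choices, and the candidate passwords are made up for illustration. Running it shows why a password such as P@ssw0rd1 satisfies every composition rule and is still a poor choice.

```python
"""Two password-policy checks side by side: the composition rule the article
describes, and a length-plus-blocklist check in the style of NIST SP 800-63B.
Added example; blocklist, thresholds and candidates are constructed."""
import re
from typing import Dict, List

# Constructed sample blocklist of base words that appear in breach corpora, stored
# in the normalized form produced by normalize() below. A real deployment would
# check against a full breached-password corpus (for example a Have I Been Pwned
# k-anonymity range query) rather than a handful of words.
COMMON_PASSWORDS = {"password", "welcome", "qwerty", "letmein", "summer", "monkey"}

# Character substitutions that composition rules reward but that add little entropy,
# because attackers' wordlists already apply them.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})

MIN_LENGTH = 12  # assumed policy value for this example


def meets_composition_rules(pw: str) -> bool:
    """The traditional rule: at least 8 characters containing an uppercase letter,
    a lowercase letter, a digit and a special symbol."""
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def normalize(pw: str) -> str:
    """Reduce a password to the base word an attacker's wordlist would contain:
    drop trailing digits/symbols, lowercase, and undo leet substitutions, so
    "P@ssw0rd1!" and "Password2022" both become "password"."""
    base = re.sub(r"[^A-Za-z]+$", "", pw)
    return base.lower().translate(LEET)


def check_password(pw: str, username: str = "") -> List[str]:
    """Length-and-blocklist check. Returns the list of policy failures; an empty
    list means the password is acceptable under this policy."""
    problems: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if normalize(pw) in COMMON_PASSWORDS:
        problems.append("matches a commonly breached password")
    if len(set(pw)) < 4:
        problems.append("too repetitive")
    return problems


def evaluate(pw: str, username: str = "") -> Dict[str, object]:
    """Run both checks on the same input so the two policies can be compared."""
    return {
        "composition_ok": meets_composition_rules(pw),
        "problems": check_password(pw, username),
    }


if __name__ == "__main__":
    # Constructed candidates: the first two satisfy every composition rule yet are
    # trivially guessable; the third fails the composition rule but is far stronger.
    for candidate in ("P@ssw0rd1", "Summer2022!", "correct horse battery staple"):
        print(f"{candidate!r:32} {evaluate(candidate)}")
```

The two checks disagree in both directions: the composition rule accepts P@ssw0rd1 and Summer2022! while the blocklist check rejects them, and the composition rule rejects a long passphrase that the blocklist check accepts. That disagreement is the reason current guidance treats length and breach screening, not character classes, as the primary controls.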
From the top down, companies should require multi-factor authentication (MFA) for access to systems and applications. MFA is the backstop when an employee's password is phished or leaked: the stolen credential alone no longer grants access. Companies should also patch known security flaws in their applications, servers and endpoints, and update or replace legacy infrastructure that can no longer be patched. This can be costly up front, but compared with the cost of a breach it will look inexpensive in the long run.
Enlist the Experts
It’s okay if you don’t consider yourself a cybersecurity expert; third-party certification bodies such as NSF-ISR can help. NSF-ISR’s experienced lead auditors work with companies of all sizes to identify the business risks that matter, conduct probability and impact assessments, build awareness of the information security program, apply a comprehensive, internationally recognized set of controls, and align information security with overall business objectives. They can also audit organizations against ISO/IEC 27001, the international standard for information security management. Companies certified to this standard demonstrate that they meet its requirements for establishing, implementing, maintaining and continually improving a documented information security management system (ISMS), a process that ramps up an organization’s cybersecurity and better safeguards its data.
Conducting business online brings operational and marketing benefits, but it inherently carries the risk of cyberattack. Attacks can be financially devastating and, depending on the industry and the company’s role, a real risk to the safety of the community it serves. Companies need to learn to conduct digital business while protecting their data, especially their customers’ information. By planning and practicing their response, implementing basic security controls, and using third-party certifiers such as NSF-ISR, businesses can operate more stably, knowing they are better protected from attack than they were before.
Forbes. (2022, June 3). Alarming Cyber Statistics For Mid-Year 2022 That You Need To Know. Retrieved from www.forbes.com/sites/chuckbrooks/2022/06/03/alarming-cyber-statistics-for-mid-year-2022-that-you-need-to-know/?sh=49d2d6e77864