Getting Cyberfit During the Pandemic: Cybersecurity Essentials

Getting_CyberFit_During_The_Pandemic
Helen Yu

Understanding cybersecurity is crucial because it protects all types of data from theft and damage.

An Introduction To Cybersecurity 

Cybersecurity includes sensitive data, business information, personally identifiable information (PII), protected health information (PHI), personal information, intellectual property, governmental data and industry information systems.

“Crampons make it easy to climb the ice without slipping,” says a guide to scaling Vatnajökull, Iceland’s largest and most majestic glacier.

Easy to climb? Really? I nearly lost my life ascending that ice cap when one of my crampons popped off my boot. (Thank goodness for carabiners!)

Which brings me to Cybersecurity.

Much like climbers must see the “bite” in Vatnajökull’s mesmeric beauty, CISOs must see the threats in otherwise sublime landscapes of workforces that are always on, always connected. I don’t mean just obvious threats like malware, IoT attacks, spear-phishing, session hijacking, and the rest. The need to avoid these dangers goes without saying.

I’m talking about the single greatest threat to corporate cybersecurity: naiveté. Blind faith. The tendency to evaluate your cyber protections over-optimistically, through “rose-colored glasses.”

Cybersecurity_Trends

In the context of cybersecurity, naiveté is the expectation that employees will follow security policies assiduously; that they’ll be consistently cyber-vigilant by recognizing ransomware when they see it, identifying spear-phishing when it happens, managing their passwords responsibly, operating sensibly on social media, and protecting sensitive information like log-in credentials.

This is a dangerous supposition, akin to climbers forgoing carabiners because, after all, how could crampons possibly fail while scaling a glacier’s jagged contours? Just how faulty is the assumption that employees will conduct themselves cyber-vigilantly at all times? Exceedingly! 95% of all cyberattacks result from human error, with each attack incurring an average cost of $150 million.

What is Cybersecurity? 

Cybersecurity’s core function is to protect the devices we all use (smartphones, laptops, tablets and computers), and the services we access – both online and at work – from theft or damage.

It’s also about preventing unauthorised access to the vast amounts of personal information we store on these devices, and online.

Cybersecurity_Debunked

Cybersecurity applies in a variety of contexts, from business to mobile computing, and can be divided into a few common categories.

  • Network security is the practice of securing a computer network from intruders, whether targeted attackers or opportunistic malware.
  • Application security focuses on keeping software and devices free of threats. A compromised application could provide access to the data its designed to protect. Successful security begins in the design stage, well before a program or device is deployed.
  • Information security protects the integrity and privacy of data, both in storage and in transit.
  • Operational security includes the processes and decisions for handling and protecting data assets. The permissions users have when accessing a network and the procedures that determine how and where data may be stored or shared all fall under this umbrella.
  • Disaster recovery and business continuity define how an organization responds to a cyber-security incident or any other event that causes the loss of operations or data. Disaster recovery policies dictate how the organization restores its operations and information to return to the same operating capacity as before the event. Business continuity is the plan the organization falls back on while trying to operate without certain resources.
  • End-user education addresses the most unpredictable cyber-security factor: people. Anyone can accidentally introduce a virus to an otherwise secure system by failing to follow good security practices. Teaching users to delete suspicious email attachments, not plug in unidentified USB drives, and various other important lessons is vital for the security of any organization.

Types of Cyber Threats 

Common cyber threats include:

  • Malware, such as ransomware, botnet software, RATs (remote access Trojans), rootkits and bootkits, spyware, Trojans, viruses and worms.
  • Backdoors, which allow remote access.
  • Form jacking, which inserts malicious code into online forms.
  • Crypto jacking, which installs illicit cryptocurrency mining software.
  • DDoS (distributed denial-of-service) attacks, which flood servers, systems and networks with traffic to knock them offline.
  • DNS (domain name system) poisoning attacks, which compromise the DNS to redirect traffic to malicious sites.

Types_of_Cyber-Attacks

What is the Cost of Cyber Crime? 

Cyber crime now costs over a staggering $1 trillion. If cyber criminals continue operating at their current rate, then, by 2025, research indicates that global cyber crime costs will reach $10.5 trillion.

The average UK cybersecurity budget is around $900,000, compared to an average of $1.46 million globally, according to Hiscox. Thirty-one percent of UK organizations have done a cyber risk assessment in the last 12 months, according to the UK Government’s report into cybersecurity breaches.

Real_Cost_of_Cybercrime

What is all this money being spent on? New technologies to replace new technologies that turn vulnerable overnight. Consider continuous authentication — post-authentication security technology developed to replace two-factor authentication (2FA) when the latter turned susceptible to devious workarounds like SIM swapping and password-reset processes that bypass 2FA.

What is all this money being spent on? New technologies to replace new technologies that turn vulnerable overnight. Consider continuous authentication — post-authentication security technology developed to replace two-factor authentication (2FA) when the latter turned susceptible to devious workarounds like SIM swapping and password-reset processes that bypass 2FA.

Continuous authentication combines continual monitoring of user activity with advanced biometrics, machine learning, and crowd-sourced data to produce a security system that vastly improves upon traditional login techniques.

Think of it as AI-infused continuous security.

How To Achieve True Continuous Security? 

In order to achieve true continuous security, address this question first: where to start?

Where to start when seeking to understand the cyber-security landscape, develop a governance framework, and create a cyber-vigilant workplace?

10_Steps_to_Cyber_Security

Ask experts and influencers where to start, and some will tell you this: Make cyber-vigilance “part of the culture.” Instead of focusing on policies or patching or training programs, they say, start by making cyber-vigilance an “everyday thing.”

I disagree.

Making cyber-vigilance part of the culture is certainly the goal, but it’s far too ambitious to serve as a starting point (or even a mid-point, for that matter). That would be like calling “scale” the starting point of a company!

Like scale, “cultural cyber-vigilance” is a goal and not a starting point.

So, where to start? And how to start?

Start not at the company level, but at the individual level and the Board level — because if the Board doesn’t understand cyber risk, the investment at the individual level won’t be made.

Why must cultural cyber-vigilance start at the individual level? Because the $120 billion companies will spend cumulatively on cybersecurity this year — largely to secure corporate networks and devices — will do nothing to prevent random workers from being tricked by phishing attacks and other malicious intrusions.

In fact, you could argue that massive spending to secure corporate networks has encouraged cyber-criminals to target workers as their only remaining points of entry, typically through phishing scams. And the scams have only become more sophisticated: Once chosen randomly, workers are now targeted by cyber-criminals specifically for their access to sensitive corporate systems.

So how to start sensitizing companies to cyber-vigilance at the Board and individual levels?

Here are a few things I recommend:

At the Board level:

  • Ensure that at least one person on the Board’s Risk Committee understands cyber risk and makes threat detection and prevention perpetual action items, with high-level metrics to set benchmarks and measure progress.
  • Leverage an acknowledged cyber framework (NIST) to enhance the cybersecurity decision-making process. This includes a direct communication channel between the Board and the CISO.
  • Conduct an independent assessment to pinpoint vulnerabilities (i.e., managed vs. unmanaged devices; web apps; shadow IT inventory; EDR, etc.)

At Individual Level:

  • Identify IT and system administrators and establish approval workflow to prevent a single point of failure.
  • For large financial transactions, use a multi-factor authentication system or a verified approval process that goes beyond an email or phone call before initiating any significant transaction or change.
  • Make Cyber Risk awareness program a mandate for each employee:
    • Educate employees to be alert to suspicious emails, links, and attachments.
    • Teach employees to protect their passwords, to never store them on a browser, and to select a strong password and replace it regularly.
    • Employees should never share their passwords, account numbers or any other private information via email.
    • Teach employees the difference between a secured website and an unsecured one.
    • Having employees configure email client to view emails as “text only” will protect you from scams that use HTML in emails.
    • Teach employees not to use removable media (USB thumb drives, SD cards, iPods, MP3 players) for private data or/and sensitive information.
    • Require employees to make sure that their PCs and servers have up-to-date firewalls.
    • Require employees to install antivirus and anti-malware software to prevent viruses.
    • Implement intrusion detection and prevention systems to monitor threats.
    • Secure Wi-Fi with robust login credentials and encryption.
    • Arrange for frequent backups to be performed.
    • Enforce user authentication with strong password protocols.
    • Require digitally signed confidential emails. The digital sign adds an important layer of security to emails and helps receivers ensure that scammers don’t alter email content during transit. You can use SSL/TLS certificates to sign and encrypt emails.
    • Employ a sender policy framework (SPF) — an email authentication/validation tool designed to detect and block spoofed or forged emails.
    • Develop a scalable security framework to support all IoT deployments.
    • Monitor third-party access to your data and limit the scope of access.

How to get your organization CyberFit? Start by “cyber-fortifying” select Board members and individuals.

These exercises offer a great start.

Conclusion 

Work_From_Home_Cybersecurity

The Covid-19 pandemic has created new challenges for organizations as they adapt to an operating model in which working from home has become the ‘new normal’. Companies are accelerating their digital transformation, and cybersecurity is now a major concern. The reputational, operational, legal and compliance implications could be considerable if cybersecurity risks are neglected.

Remote working has created challenges for many small and medium-sized businesses: they have not been sufficiently prepared for the upsurge in sophisticated cyberattacks, and much progress is needed to raise cybersecurity awareness.