Your Responsibility as a Business Owner in a Cyber World
Each day, we learn more about the ever-changing landscape of cyber threats and the risks they pose to serving our clients. It is no longer a question of “if” your organization will be the target of a cybersecurity breach, but a question of “when”.
The best defense against cybersecurity threats is a solid plan and an unrelenting commitment to it. Regardless of an organization’s size or resources, implementing a strong cybersecurity plan is attainable with the right technology team. Usually, organizations are committed to investing in common security measures such as firewalls, anti-virus, anti-malware, and spam filtering, but other aspects of the plan are often overlooked or ignored. In this article, we will focus on three of the most important areas for a strong cybersecurity plan: awareness, passwords, and policies.
Awareness
Awareness is the most important element of a cybersecurity awareness program. As we are working diligently to provide services to our clients, we are constantly confronted with cybersecurity threats. A cybersecurity awareness program educates businesses on best practices and how to avoid the many pitfalls of cyberattacks. The benefit of these programs is their ability to prevent staff from falling victim to ransomware attacks, malware, or even worse, fraudulent wire transfers. This is accomplished through simulated email phishing attacks, lunch and learn training sessions, and testing the organization’s policies. The cybersecurity industry has found that testing employees on a regular basis is vital to the security posture of the organization and keeps these tools in the consciousness of staff. We recommend scheduling time at least once per quarter with the technology team to run tests, discuss best practices, and to educate staff.
Passwords
There has been an increased effort to educate people on the importance of maintaining strong, unique passwords. Progress is being made, but we have a long way to go. A weak password is by far the easiest way to hack into any organization. It is critical (and often overlooked) to not use the same password for many accounts. While your organization may not be a prime target for a hacker, your personal account with Apple, Google, Microsoft and other large companies is.
Example Scenario – let’s assume that someone uses the same password or password convention for their Gmail account which is the same as their business email account. Their password gets exposed due to Google or their specific account being hacked. Now the hacker has the user’s name and email address and will do an internet search to find out more information about them. That internet search will reveal many things, including the organization they work for, personal information, and search history. From there, all the hacker needs to do is find the login page for their email account and they are in. Always use a different password for each online account and use a password manager to keep track of them. By using a password manager, individuals only need to remember one password.
Policies
Policies are often overlooked, especially as it relates to cybersecurity. Every organization needs to have a general cybersecurity policy, a communication policy, a password policy, an incident response policy, and a wire transfer policy. Policies protect organizations from attacks by ensuring that all employees receive a consistent message about information exchange expectations, which protects against breaches and other fraudulent activity. In the event of a breach, the policy enables the organization to know exactly how to handle this stressful situation and what steps it can take to resolve the matter. When something bad happens, it’s human nature to panic and worry. A good policy does the thinking for us and we execute it.
Example Scenario – let’s assume an organization does wire transfers on a regular basis for real estate closings. If an employee’s email at the organization is compromised, a bad actor now has access to it and initiates a fraudulent wire transfer request to the accountant. The accountant sees the request coming from someone at the organization and executes the transfer without question or follow-up. Before the breach and bogus request are even discovered, the organization has wired $100,000 to someone other than the intended recipient of that money.
If a wire transfer policy was in place, this scenario could be prevented. A wire transfer policy must be clear and understood by everyone and always includes more than one method of authentication. The policy requires a form to be filled out, and the written request to be backed by a documented verbal approval as well.
To create strong cybersecurity policies, start by documenting all the ways your organization interacts with clients and information processing. This will assist the IT team in identifying potential holes in the policies. There is a balance to how much security each organization needs, and each organization is different. Find out if your technology team or vendors follow industry guidelines to be able to help your organization balance the required security needs with the efficiency of running the business.
A commitment to cybersecurity is required, and all organizations need to take cybersecurity threats very seriously. It could be the difference in one’s ultimate success or failure. If we all do our part, we can protect our clients’ information from being compromised.
If you have questions or would like to learn more about developing a cybersecurity plan, contact Jeff Alluri at jalluri@ele-ment.com.