As healthcare professionals, scientists, first responders, educators and everyday people perform heroic deeds to help us through the COVID-19 pandemic, it’s important to remember that nefarious actors are active, too, seeking to do us harm in the cyber realm as our attention is understandably focused elsewhere.
Cybercriminals and hackers are always on the prowl for vulnerabilities to exploit. The global pandemic has sparked more bad behavior while we’re occupied with social distancing, layoffs and furloughs, vaccines and quarantines.
From “Zoombombing” to social engineering attempts via e-mail and phone, we’ve seen an increase in cyberattacks. The FBI has issued a number of alerts this year on pandemic-related cyberattacks, such as COVID-19 fraud schemes, attempts to exploit the increased use of telework and remote education, and online romance scams.
A particularly heinous example of how attackers have spread havoc in 2020 came to light this spring. The International Criminal Police Organization (INTERPOL) alerted authorities in its 194 member countries about an increase in the number of ransomware attacks targeting healthcare organizations. Phishing emails and visits to infected websites unleashed malware on networks, which resulted in the targets being held digitally hostage, prevented from accessing vital files and systems until a ransom was paid.
As many and varied as the cyberthreats are, however, we continue to see a common theme. Virtually every attack and breach that succeeds is made possible by human error. Consider a few of the most notorious breaches that have occurred this year.
Information on an estimated 5.2 million Marriott International guests may have been compromised when hackers used the login credentials of two employees and accessed the data via a third-party mobile app designed to help provide services to guests at hotels.
The hack of Twitter accounts belonging to high-profile personalities such as Bill Gates, Elon Musk and former President Barack Obama was allegedly made possible when a Florida teenager convinced Twitter employees that he was a co-worker who needed their credentials to access the customer service portal.
A data leak by Key Ring, a popular digital wallet app, compromised the privacy and security of 14 million users when their information was stored in an unsecured database.
Driver’s license and Social Security numbers belonging to 450,000 residents of Polk County, Florida, were exposed when an employee in the county tax collector’s office fell victim to a phishing attack.
We’re not privy to the measures these organizations employ in their cyberdefense strategy and tactics. But given the outcomes, there is a good chance that they – and many other organizations – have failed to take two steps that they should.
First, are they employing the latest cybersecurity tactics, technologies and training to empower their IT teams to take an aggressive, proactive approach to cybersecurity rather than waiting for something to happen and reacting when it inevitably does?
Second, is cybersecurity an issue that has the attention of the organization’s top management, whether it’s a board of directors, C-level executives or the owner of a small business?
When it comes to cybersecurity, smart companies have shifted their focus from a defensive mindset to process improvements and a proactive approach that identifies vulnerabilities before hackers do. Firewalls, intrusion detection systems, antivirus, and related approaches to cybersecurity are still important, but they don’t go far enough. Proactive measures, including external audits, penetration testing, and security training, are becoming more common – and effective.
One example is bringing a data analytics approach to cybersecurity. This allows you to get a handle on the conditions and issues that are specific to your network. Security professionals can’t afford to wait for trouble alerts. Instead of simply waiting for an alert to occur, they collect data from multiple sources, correlate it and look for trends. This “big data” approach to security helps organizations better manage incidents and better identify attacks and potential vulnerabilities. By becoming more aware, the security team can pivot resources more quickly in order to manage risk.
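To make the “collect from multiple sources, correlate it and look for trends” idea concrete, here is an added example that is not from the article or from CompTIA. It reads constructed authentication log lines from two hypothetical sources (a web application and a VPN gateway), normalizes them into a common event shape, counts failed logins per user in fixed time windows across both sources, and reports the failure trend window by window. The log formats, the 15-minute window, the failure threshold and the assumed log year are all choices made for this illustration.

```python
"""Correlating login failures across two log sources and tracking the trend.

Added illustration only: the log lines, their formats, the window size and the
threshold below are constructed for this example, not taken from any real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # correlation window (assumed value)
FAIL_THRESHOLD = 4               # combined failures per user per window worth a look (assumed)
VPN_LOG_YEAR = 2020              # syslog-style lines carry no year; assumed for parsing

# Constructed sample input: a web-application auth log and a VPN gateway log.
WEB_AUTH_LOG = """\
2020-09-14T08:01:12Z web-01 auth user=alice result=fail src=203.0.113.10
2020-09-14T08:01:40Z web-01 auth user=alice result=fail src=203.0.113.10
2020-09-14T08:02:05Z web-01 auth user=bob result=ok src=198.51.100.7
2020-09-14T08:03:30Z web-02 auth user=alice result=fail src=203.0.113.10
2020-09-14T08:40:00Z web-01 auth user=carol result=ok src=198.51.100.9
"""

VPN_LOG = """\
Sep 14 08:02:20 vpn-gw LOGIN_FAILED user=alice from=203.0.113.10
Sep 14 08:02:55 vpn-gw LOGIN_FAILED user=alice from=203.0.113.10
Sep 14 08:05:10 vpn-gw LOGIN_OK user=bob from=198.51.100.7
Sep 14 08:41:00 vpn-gw LOGIN_FAILED user=dave from=192.0.2.44
"""

WEB_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<ip>\S+)$"
)
VPN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<result>LOGIN_\w+) "
    r"user=(?P<user>\S+) from=(?P<ip>\S+)$"
)


def parse_web(text):
    """Normalize web auth lines into events; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue  # a production pipeline would count these as parse errors
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "source": "web", "user": m["user"],
                       "ok": m["result"] == "ok", "ip": m["ip"]})
    return events


def parse_vpn(text):
    """Normalize VPN gateway lines into the same event shape as parse_web."""
    events = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{VPN_LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "source": "vpn", "user": m["user"],
                       "ok": m["result"] == "LOGIN_OK", "ip": m["ip"]})
    return events


def window_start(ts):
    """Bucket a timestamp into a fixed window so events from different sources line up."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // WINDOW) * WINDOW


def correlate_failures(events):
    """Count failed logins per user per window across all sources.

    Returns a finding for each (user, window) whose combined failures reach
    FAIL_THRESHOLD. The per-source breakdown shows whether any single log
    would have crossed the threshold on its own; when it would not, the
    correlation is what surfaced the activity.
    """
    buckets = defaultdict(lambda: defaultdict(int))  # (user, window) -> source -> count
    for e in events:
        if not e["ok"]:
            buckets[(e["user"], window_start(e["ts"]))][e["source"]] += 1
    findings = []
    for (user, start), per_source in sorted(buckets.items()):
        total = sum(per_source.values())
        if total >= FAIL_THRESHOLD:
            findings.append({
                "user": user,
                "window": start,
                "total": total,
                "by_source": dict(per_source),
                "visible_in_single_source": any(c >= FAIL_THRESHOLD for c in per_source.values()),
            })
    return findings


def failure_trend(events):
    """Total failures per window, oldest first, so a rising series is easy to spot."""
    totals = defaultdict(int)
    for e in events:
        if not e["ok"]:
            totals[window_start(e["ts"])] += 1
    return sorted(totals.items())


def main():
    events = parse_web(WEB_AUTH_LOG) + parse_vpn(VPN_LOG)
    for f in correlate_failures(events):
        print(f"{f['window']:%Y-%m-%d %H:%M} user={f['user']} failures={f['total']} "
              f"by_source={f['by_source']} single_source_alarm={f['visible_in_single_source']}")
    for start, n in failure_trend(events):
        print(f"{start:%H:%M} failures={n}")


if __name__ == "__main__":
    main()
```

With the constructed input, neither log alone shows four failures for any user, but combined the web and VPN lines put one account at five failures in a single window, which is the point of correlating sources rather than alerting on each in isolation. In practice the window, threshold and event schema would be tuned to the organization’s own systems, and the per-window totals would be kept over days or weeks so that a rising trend stands out against the baseline.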
Security analytics is best implemented by combining a “red team” penetration testing approach with a “blue team” defensive analyst perspective. The red team takes an offensive approach toward cybersecurity by mimicking hacker behavior. The blue team acts more defensively to combat threats. This exercise lets you learn about the vulnerabilities of your systems. Has something been misconfigured? Are you relying on old security patches and outdated software updates?
Security analytics and metrics to measure success and inform investment decisions are taking on greater importance, according to a 2018 CompTIA report on cybersecurity trends. Though just one in five organizations makes heavy use of metrics within their security function, a full 50% of firms are moderate users of these measurements.
The use of metrics in the cybersecurity realm provides an excellent opportunity to bring together many parts of the business, all working toward the common goal of making the organization as secure as possible. To be truly effective in preventing and combating threats, security awareness, knowledge and training must be present at every level of the organization, from the non-technical staff that’s handling data and information each day, to the technology professionals executing security through upper management, the C-suite and the board of directors.
This leads to point number two. Should the company’s board of directors hold some responsibility for not ensuring that the organization adhered to security best practices, including maintaining a verifiable audit trail? Absolutely.
It’s long past time for directors to step up and take the same fiduciary oversight role and responsibility for cyber protection as they do in looking out for shareholder interests on the financial side. It should be standard practice for boards of directors to have standing cyber protection committees. What are boards signaling when they aren’t making this a priority?
When financial issues are involved there is direct accountability for the board because they are responsible for hiring (or firing) auditors. Yet in the case of a cyber breach, too often boards plead ignorance and stay silent, even though the hit to reputation and the financial ramifications reach far wider and do far more damage than any typical accounting irregularity.
An April 2020 analysis by Comparitech of 28 publicly traded companies that suffered a data breach found that share prices fell 7.27% on average within two weeks of the breach. In the long term, breached companies underperformed the market.
The financial pain of a breach can be even more devastating – and potentially fatal – for a small business. IBM Security’s 2020 Cost of a Data Breach Report says the average total cost of a data breach is $3.86 million (USD) globally and $8.64 million for companies in the U.S.
Perhaps the reason business leaders have not taken as strong a leadership role in cybersecurity is fear of the unknown. Most of them can decipher a balance sheet. But do they know what a penetration test is? Do they know how their corporate intellectual property is being safeguarded? Do they know if their company is following the best practices of the NIST Cybersecurity Framework? The answer to all three is likely no.
The tech industry is doing what it can to continually provide new and updated products and services to combat cyber threats as they emerge. But companies have to be willing to use these tools and enforce the best practices detailed in the NIST Cybersecurity Framework.
Published in 2014 and updated in 2018, the framework is voluntary guidance based on existing standards, guidelines and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it is designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.
The challenges of improving cybersecurity are many.
“Our current practices are good enough.”
“We don’t have the budget.”
“The budget we have is needed for other priorities.”
All fair concerns, to be sure. But the bigger question for businesses to ponder is, “Can we survive the financial cost and reputation damage of a data breach?” Unfortunately, too many companies still choose to roll the dice, hoping they don’t get hit or ignoring the peril they – and their customers – face if they are hit. That’s an irresponsible position for any organization to take.
Todd Thibodeaux is the president and chief executive officer of CompTIA, the leading non-profit trade association for the global technology industry. CompTIA represents more than 2,000 member companies and 3,000 business partners spanning the worldwide technology industry. Since joining the organization in 2008, Mr. Thibodeaux has led the expansion of CompTIA’s commitment to advancing industry growth through education and training programs, market intelligence and research, networking events, professional certifications and public advocacy.