Pull the Plug on Cyber Crime
The year 2020 was a watershed in many ways, especially for cyber activity, as society, en masse, leveraged technology to maintain operations. Naturally, cyber criminals wasted no time exploiting this opportunity. The result has been a sharp increase in both the number and severity of cyber attacks across all sectors. Barely one month into the new year, several notable attacks have already been made at the state and program member level. This year, maintaining cyber security will be more important than ever before.
Step 1: Face the risk.
It is often said that a chain is only as strong as its weakest link. Are members in your organization – the links in your chain – on the same page about the importance of cyber security?
Many medium to small organizations believe that their operations are simply too small to be of any interest to criminals, or that, because they don’t store sensitive records or other valuable information as part of their standard operations, they are unlikely to be targeted. Unfortunately, this is overwhelmingly proving not to be the case. If it were, personal identity theft and fraud would not be nearly so commonplace.
Ransomware is another good example of this. In most cases, it matters less to the attacker what information your organization relies on than the fact that your organization does rely on information to operate. The more dependent society becomes on information and technology, the more likely it becomes that a cyber criminal can extort ransoms from a wider pool of victims. In reality, any technology user, no matter how small, becomes a potentially lucrative target to a criminal hoping to turn a profit.
As in real life, cyber security is everyone’s responsibility. It is crucial that the links in your chain, from leadership down to volunteers, share the same buy-in and commitment to cyber security. When it comes to warding off cyber attacks, a culture of vigilance is key.
Step 2: Take time to take stock.
So your organization has acknowledged that cyber security is an important subject. Now what?
Taking the time to determine your organization’s “cyber profile” is a valuable next step in your cyber security efforts. This could include identifying:
- Services you utilize, apps, software programs, hardware, servers, backups, etc.
- The types of data you handle, data destruction policies, and what your responsibilities are regarding the safeguarding of said data
- Cyber policies, processes, and protocols
- Cyber security training programs for staff and volunteers
Having a clear understanding of these items will be a big help in determining the full scope and scale of your cyber operations. This is paramount in determining your organization’s level of cyber risk, which will differ depending on the industry you are in, the services you provide, and the technology you utilize. When your cyber profile has been identified, you can develop and implement a tailored defense that is best able to protect your organization’s information and assets.
Step 3: Update or implement your security measures.
As they say, the best defense is a good offense. Do not rely exclusively on passive systems like data backups, firewalls, and antivirus software to protect your organization. An effective cyber security strategy utilizes both passive and active security measures.
Passive Security
Think of “passive” measures as the first line of defense, like a home security system equipped with cameras, sensors, and alarms. Once installed, the system constantly monitors the property and alerts the homeowner to potential threats. This type of system can be a major deterrent to bad actors, as it dramatically reduces the likelihood that a home break-in will be attempted in the first place. If a criminal decides to target the home anyway, there’s a good chance the system will be able to thwart the break-in attempt before any real damage is done.
However, this passive system is still not a total guarantee of safety. Despite setting off the alarm, a burglar might still be able to break in, steal valuable property, and escape before the police are able to arrive. The passive system was able to identify and monitor the break-in, both of which are invaluable in the aftermath of a crime, but the loss of valuable property still occurred. The takeaway? While the passive system certainly helped and was a valuable investment, it was not a comprehensive security strategy all on its own.
Most organizations have some form of passive cyber security in place, or are at least aware that they should. While no security system is 100% secure, adding active elements is an excellent way to help fill in some of the gaps left by passive security.
Active Security
If passive security is like a home security system, think of active security in terms of remembering to lock doors, switching out the locks when the keys are lost, and calling in a professional to do a security assessment. The best home security system in the world is useless if you leave your front door open all day long – that is an element of security that is actively influenced by the homeowner. Examples of active security in terms of cyber systems can take many forms, including:
- Ongoing training for staff and volunteers
- Regular password updates
- Mandatory minimum password requirements
- Utilizing multi-factor authentication
- Augmenting the efforts of your internal IT team with additional resources and insight from professional organizations that specialize in analyzing systems and cyber risk
If your organization has no dedicated IT staff, then seeking out professional advice of some kind is absolutely essential. Talk to your broker or program risk manager for advice on how to identify reliable vendors that can assist you in these areas.
The following websites are excellent resources for additional research on best practices and emerging trends in the cyber security landscape. Remember, you may also have access to additional cyber resources as part of a cyber policy.
If you have questions regarding your organization’s current cyber security strategy, or would like assistance in getting started, please contact your broker or program risk manager today. Cyber crime is a threat every technology user faces. Do your part – #BeCyberSmart.