Barely a day goes by without news of another cybersecurity breach at some organization that exposes personally identifiable information. The truth is that breaches occur so regularly that only a truly massive one makes the news.
The more realistic view of data breaches is that every organization — no matter the size — will be breached at some point. With the ever-improving state of technology, it is likely to occur sooner rather than later.
This doesn’t mean you have to massively increase your cybersecurity budget to get ahead of the problem. In fact, the most common hacks are not caused by a direct assault on an organization’s technology systems. Many of us think of hackers as faceless siege engines battering down our firewalls and raiding our data warehouses like some vast invading army. While this is certainly the case for larger organizations that deal with financial or sensitive information, the more likely hack comes from bogus emails sent to staff in the hope that someone will open one and infect the system with a virus.
This is called “phishing” and it is one of the most commonly used hacks. This type of attack is popular because it is cheap and relatively easy to produce and distribute to hundreds of thousands of email addresses at a time.
It is precisely the volume of phishing attacks that makes them difficult to combat. While current systems are very good at screening these emails out, they can’t catch them all. As noted by InfoSec Institute, this “mass market” approach works because it only takes one click to make it profitable.
Fortunately, the most effective method for combating these hacks is also cheap and easy to produce — education and training. Nobody wants to be responsible for compromising the entire organization. If employees are properly trained to recognize (and deal with) these attacks when they occur, they will. This may be a cultural change for your organization, but the days of believing that cybersecurity is an “IT” problem are over. Organizations can no longer count on their IT department to fully protect them from this issue. Cybersecurity must be everyone’s responsibility.
An effective security program is all about managing the basics. An example of this can be found in the recent hack of the Equifax credit bureau. As noted by USA Today, the issue that caused the release of millions of individuals’ personally identifiable information was published in a warning two months before the breach occurred. The problem? The maintenance fix was not applied in a timely manner before the system was attacked. While a full accounting has yet to be released, this issue does highlight another very common practice: deferred maintenance.
Every organization deals with budgetary constraints and staffing prioritization in the maintenance of its information technology. The Equifax example should be a wake-up call. The issues that enhance an organization’s cybersecurity program should be dealt with separately from the normal resource planning process. This is not to say that there shouldn’t be any limits or oversight of this activity, but system maintenance should have a higher priority than it has been given in the past.
This can be a very scary subject for many, conjuring up thoughts of massive budgets and countless implementations of the latest technology. But this does not need to be the case to protect the organization. The weakest link in any organization is its people, but they can also be its greatest strength — the difference is how and where to spend the money to have the greatest impact.