Prior to devising sophisticated security plans and threat models, it is important to be aware about the information that is most valuable to your company. As the old adage goes, ‘’a chain is only as strong as its weakest link’’, similarly, adopting baseline protection measures (such as a regularly updated antivirus and encrypted email) will not be enough if you are aiming at creating a formidable cybersecurity plan. Data breaches cause serious damages to trust, reputation and expenditures of businesses. The 2016 data breach at Yahoo saw over 3 billion accounts compromised which led to a $350 million knock in its acquisition price to Verizon. To prevent data breaches and maintain the trust of customers, it is essential that your business assets are protected at all costs.
Note: this guide should be used to inform further research and planning and not as a guide to be implemented. It is crucial that you consult with a reliable cybersecurity expert before implementing any strategy.
Knowledge is power and the first step to developing a cybersecurity plan is to understand the different threats and their consequences. Sometimes, leaders fail to conceptualise the real effect of a security breach until it is too late. When it comes to cybersecurity breaches, there is a real need to cultivate the not ‘’if’’ but ‘’when’’ mentality. Some of the most common types of cybersecurity threats include:
Virus – This is a type of malicious software that replicates its own code when executed and ‘infects’ parts of your computer. Viruses typically perform some form of harmful action on your computer such as sending out spam emails, leeching computer power and corrupting data.
Trojan horse – This is a type of malicious software (malware) that uses social engineering techniques to present itself as something that it’s not. This could come in the form of a fake PDF file or fake advertisement that creates a vulnerability when accessed. This technique combines with others such as ransomware as a means to go unnoticed.
Worm – Computer worms replicate themselves with the intention of spreading throughout a network. Unlike viruses, they don’t usually corrupt or modify data but can cause major disruption by increasing network traffic. In combination with a payload (a code which executes an attack), it can be used to delete files or install backdoors in your systems.
Keyloggers – A type of software or hardware that records the keys struck on a keyboard. The data of what was typed can be accessed by someone remotely which can reveal sensitive information such as passwords or confidential communication.
Ransomware – Ransomware is a payload that when executed begins to encrypt the files on your computer so that you can’t access it. The key to unlocking your files is only delivered once you pay a fee to a remote hacker, otherwise your files will be deleted and unrecoverable after a period of time.
Spyware – Spyware is a type of code that tracks and collects information about a user. This can take the form of keyloggers, tracking cookies, trojan horses and adware. This can be classified as a threat depending on who is tracking you and by what means, but many businesses also use some form of it in the form of cookies which track your behaviour even as you leave their site.
Man in the middle attack – This is a type of deception where your communications are being hijacked or rerouted to a bad actor instead of the intended recipient. It is deceptive in the sense that you believe that the other party is authentic but they are not. An example of this would be clicking on a website that appears to be what you intended but you are actually redirected to a phoney site where your details are stolen.
DDoS – Distributed denial of service attacks or DDoS are when an attacker uses multiple connections to flood a machine with requests which overloads the systems resources, causing it to crash. As the traffic is coming from many sources (hence the distributed name), it can be difficult to block against the attack by blocking a single source.
Brute force attack – If you have weak passwords, some hackers are able to leverage their computing power to perform calculations that can crack encryption and discover passwords. This is achieved by using computer power to perform a rapid amount of combinatory password attempts until the right answer is achieved.
Some of the core themes of cybersecurity involve: confidentiality, integrity, availability. Understanding these themes will give you the strategic view that you need to be able to work with cybersecurity professionals.
In all organisations, there is information and data that you want to keep private. You will most likely have different levels of confidentiality with the most sensitive data being only accessible to the executive team. This includes trade secrets, intellectual property, customer data, company data, strategy and internal communications. Cybersecurity ensures that this data remains confidential by stopping unauthorised users from accessing it. This is likely the largest risk for business as the damage can have a compounding effect.
The integrity of your data describes the extent to which your data remains intact and has not been compromised. A virus for instance can corrupt the files on your system which can make them unreadable. Another case is if your communications become hijacked in the case of a man in the middle attack (MITM) or with other social engineering techniques. In addition to having only authorised people accessing your data, you also need to ensure that malicious software doesn’t compromise it in any way.
You need to keep your systems up and running for the functioning of your business. You also need to ensure that it runs smoothly so that your team can work productively. Availability is a core pillar of cybersecurity because without it you don’t have a business to even protect anymore. There are a variety of malicious attacks that focus on availability such as DDoS attacks which crash your servers and ransomware which encrypts your data and prevents you from working.
In addition to themes, there are core pillars which represent cybersecurity execution across the board. It typically follows this process:
As the main challenge of cybersecurity is reducing human error, cybersecurity awareness and training for our team has to be an integral part of your plan. Each person in your organisation represents a vulnerability which means that the responsibility for cybersecurity has to be internalised by each employee. Some factors to consider:
Cybersecurity is about mitigating risks. Think of it in a similar manner to where you would conduct a risk assessment when making a purchasing or investment decision. The difference, however, is that the risk in cybersecurity is perpetual – it is an ongoing and constantly raging battle that demands constant vigilance. A survey conducted by continuum in 2019 reported that cyberattacks on small and medium sized businesses (SMBs) incurred a total business cost of $53,987, on average. The report paints a worrying picture and also means that apart from hiring the right cybersecurity professionals and training the staff, your cybersecurity plan has to be updated regularly. Some elements to consider:
Threat assessment – You will need to determine what type of threats could impact your business. Who out there would potentially want to hack you? What is the scale of that threat and their potential? Think about the nature of your business. Do you have access to a large dataset of sensitive customer data? Do you have highly confidential information from government contracts?
Vulnerabilities – Next, you will need to think about systems and where they could be vulnerable. For instance, consider all the hardware and software vendors you are working with as they could have vulnerabilities that you aren’t aware of. Your immediate computing environment such as using cloud storage as opposed to local can pose a risk. Other factors include poor cybersecurity training and legacy code.
Risk impact – Once you have an idea of your threats and vulnerabilities, you will need to identify what kind of an impact the breach will have. What will the costs be in terms of tangible and intangible damage?
Once you have an idea of your current risk levels, you will need to think about implementing controls that will mitigate and give you the residual risk – the amount of cyber risk that you think is tolerable for your particular business. These controls can include:
Authentication – Setting up stronger authentication systems such as two factor or even three factor systems could prevent confidential information and areas being accessed. Mobile verification in the form of Google Authenticator is a good start, but you could also consider biometric means such as eye scanning and fingerprints for your highest level areas.
Firewall – Your firewall monitors and regulates incoming and outgoing traffic in your computer network. This can prevent unauthorised access coming from outside of the network and acts essentially as a barrier to the wider web.
Anti-virus – This is a type of software that prevents, detects and removes malicious software that is attempting to damage your computer or system.
Cybersecurity training – Raising awareness and incentivising a personal and professional cybersecurity culture (for example, through gamification techniques) is one of the strongest measures you can implement. Most other controls rely on how diligently your people follow through on these guidelines.
Security audits – Maintaining and regularly analysing your software and hardware assets needs to be a constant priority. There may be zero day vulnerabilities (flaws in the hardware or software unknown to the manufacturer) that you may not discover in your first audit but that may become more apparent overtime. Reviewing security and network logs on a regular basis can also help identify suspicious behaviour.
Systems backup – In the case that your systems and data become compromised, having a means to restore everything can offset most of the damage caused. Find a backup interval that is appropriate and increase the intervals when working on key projects.
In an age where a cybersecurity breach is occurring every 39 seconds and 66% of SMB companies could go out of business either completely or shut down for a day if their data is compromised, cybersecurity threats are not going away any time soon. As long as new softwares are being developed, there will always be vulnerabilities that can be exploited. The omnipresent reach of the internet means that anyone with sufficient know-how and access to the internet can potentially extort large businesses. The threat is even greater for small businesses that lack adequate protection. However, by making cybersecurity a priority and dedicating a significant amount of your expenditures towards it, you can be sure to protect your company and stay ahead of malicious cyberattacks.
Stefan Soellner is an expert in scaling for companies, experienced consultant for business model and product innovation, and coach in the field of innovation management.