Why Your Company's First Line Of Cybersecurity Is Not Your CTO

YEC post written by Scott Krawitz

While today’s cyber threats have seemingly innocuous names – POODLE, Heartbleed and others – they can cost companies millions. As a technology executive who has strategized, consulted on and implemented cybersecurity solutions across multiple verticals, including healthcare, financial services and legal, I know from experience that the stakes to a company’s bottom line and reputation are enormous.

Consider the stock dive after Yahoo announced that a billion of its email accounts were compromised, something that put its potential sale to Verizon for $4.8 billion at peril. Whether the threat comes from a cybercriminal, a competitor, a hacktivist with a political axe to grind, or a disgruntled employee, the statistics are staggering: In 2015, top British insurance company Lloyd’s of London estimated that cyber attacks cost companies $400 billion per year. By 2019, the cost of data breaches will be over $2 trillion globally, according to a study published by Juniper Research. The threats are across the board – and can wipe out small- and medium-sized companies, too, simply because they often do not possess the resources to hire a full-time CTO or IT support to adequately monitor security. As the threats grow, it is critical that each company design and implement a security policy that offers multi-layered access protection.

Remember when computers were “standalone” objects in an office? Not so long ago, companies had to worry about someone stealing their computer and taking all their records. As the world has become increasingly digitized, the risks are unprecedented and come from everywhere and anywhere. Now, every piece of information that flows through a device – desktop computers, mobile devices, tablets, laptops and connected devices (aka the internet of things) – serves as a point of exposure. This exposes businesses, customers and clients to additional risks, as every piece of information that is online becomes an asset that can be hacked, taken advantage of and compromised for malicious intent.

Employees Are The First Line Of Security

Executives do not realize that a major threat to their company’s security is social engineering, which refers to the psychological manipulation of users who unknowingly divulge confidential information. Cybercriminals can use tricks to gain the confidence of company employees and partners. The goal is usually to execute a larger – and more complex – fraudulent transaction.

The problem is not the use (or lack) of security tools and technology, but rather employees who are unknowingly the objects of security threats. The latest trick employed by criminals is to emulate executives within a company in a trusted environment. For example, an employee receives a legitimate-looking email from the CEO or CFO instructing them to wire money. Employees once could tell whether such an email was real, but today they are often duped by sophisticated attackers.

Employee awareness is key. Companies may spend tens of millions of dollars to secure their systems, but employees must still be trained and educated on the risks. Systems of verification should be put in place, including stopgap measures and policies that limit the damage caused by security breaches. For example, a general rule could be that whenever an email is received with instructions to wire money, established policies and procedures govern how the transfer is carried out, and a financial limit applies to such transactions.
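The two controls just described, spotting an email that impersonates an executive and gating wire requests behind a financial limit, can be written down as checks a mail gateway or finance workflow applies. The following is an added example, not code from the article or its author; the company domain, the executive roster, the limit and the sample messages are all constructed assumptions.

```python
import difflib
from email.utils import parseaddr

# Assumed company data, constructed for this example.
COMPANY_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> genuine mailbox
WIRE_LIMIT_USD = 10_000                            # assumed single-approver limit

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def impersonation_indicators(headers):
    """Return the reasons an executive-looking email should not be trusted at face value."""
    name, sender = parseaddr(headers.get("From", ""))
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    reasons = []
    genuine = EXECUTIVES.get(name.strip().lower())
    if genuine and sender.lower() != genuine:
        reasons.append("display name matches an executive but the address differs")
    sdom = _domain(sender)
    if sdom and sdom not in COMPANY_DOMAINS:
        for real in COMPANY_DOMAINS:  # near-identical spelling of our own domain
            if difflib.SequenceMatcher(None, sdom, real).ratio() >= 0.8:
                reasons.append(f"lookalike domain {sdom!r} resembles {real!r}")
    if reply_to and _domain(reply_to) != sdom:
        reasons.append("Reply-To points to a different domain than From")
    return reasons

def wire_request_decision(headers, amount_usd):
    """Apply the wire policy: hold suspicious mail, verify large amounts out of band."""
    reasons = impersonation_indicators(headers)
    if reasons:
        return "hold: " + "; ".join(reasons)
    if amount_usd > WIRE_LIMIT_USD:
        return "verify: over limit, call requester on a known number and get a second approver"
    return "proceed: standard approval workflow"

# Constructed sample messages.
SPOOFED = {"From": "Jane Doe <jane.doe@examp1e.com>",
           "Reply-To": "ceo-office@mail-relay.net", "Subject": "Urgent wire"}
GENUINE = {"From": "Jane Doe <jane.doe@example.com>", "Subject": "Vendor payment"}

if __name__ == "__main__":
    print(wire_request_decision(SPOOFED, 48_000))  # hold: three indicators
    print(wire_request_decision(GENUINE, 48_000))  # verify: over limit
    print(wire_request_decision(GENUINE, 2_500))   # proceed
```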

In addition to employee awareness, other measures include password management, monitoring services, lockdowns in case of data breaches, minimum permission sets, and more. An incident response plan is critical: If the company is hacked, which staff members handle it, and what procedures are instantly implemented internally and externally?

Is Your Business Hack-Proof?

One method to ensure employee awareness is to regularly hire a security firm to see how deeply they can penetrate the system. Such exercises expose weaknesses in employee awareness early and often. One might argue that security breaches are “right sized” – in other words, intruders will put in enough effort if the rewards are high enough. A burglar breaking into a house, for instance, will not put much effort into robbing the house if all there is to steal is an old TV and costume jewelry. Another example would be using a club to lock the steering wheel of an old car: This might be enough to deter some car thieves, but not enough if the car is a Ferrari.

To ensure the safekeeping of your digital assets, make sure that you protect them like a house and all its parts: the house’s architecture, as well as the tenants and possessions inside. A right-sized solution begins with a security audit, which will help a senior management team understand a company’s blind spots. Ideally, the audit would be honed and focused, and the auditor must understand the business they are examining. A reputable security consulting firm will help each company understand its unique risks.

A key question to ask yourself: Is your company compliant with PCI (payment card industry) standards or, in the case of health care companies, with HIPAA (Health Insurance Portability and Accountability Act)? Companies that are not compliant face a greater risk of a security breach, but more importantly face potential lawsuits from consumers and fines from banks if thieves have charged merchandise or other goods using stolen credit card numbers.

Cleaning up the mess – remediation costs – adds to the bill. Lost revenue and a damaged reputation add to the long-term costs. One question that I constantly have: Why aren’t organizations doing a better job of protecting their assets? There is no greater risk a company faces than getting hacked. Companies simply are not aware of the tremendous threats and costs, or perhaps they, ironically, have a false sense of security. Entire companies and businesses are left hanging in the balance.