The average cost of a data breach in 2020 will exceed $150 million. The average cost of a ransomware attack on businesses is $133,000. (SafeAtLast)
Let’s get straight to the point.
Every company is vulnerable. Nothing in the world is 100% secure, especially in the digital world. There is an attack every 39 seconds, and your company is not excluded as a target.
Why is every company vulnerable?
When businesses are for-profit, profit is consistently chosen over security best practices. Vital security details get overlooked. Once-valuable infrastructure is forgotten. Once-trusted staff, holding company secrets, eventually leave to work for another company and take those secrets with them. The code written by your most experienced developer is not bulletproof, despite assurances and a god-like reputation. The truth is that humans are flawed, and it is those flawed individuals who write the code securing your most precious assets. But software is not always at fault for a security compromise; sometimes it is a combination of circumstances that you cannot predict. This is why knowledge of attack vectors and secure protocols can go a long way towards preventing a breach, even if it’s as simple as making your employees realize that they shouldn’t use the same password for Facebook and the work admin portal.
Why you should care
The impact of a cyber-attack is catastrophic. You could experience a loss of profits, loss of trust, lawsuits, and an inevitable PR disaster.
Security breaches are a hot topic in the media. With increasing publicity, companies are becoming more aware of the threats towards their business. Accordingly, it comes as no surprise that 50% of large enterprises (with over 10,000 employees) are spending $1 million or more annually on security, with 43% spending $250,000 to $999,999, and just 7% spending under $250,000.
If you don’t spend the money on information security now, you may have to spend three times that amount in the wake of a data breach.
Equifax has recently experienced negative media headlines, after being deemed liable for their 2017 breach, which affected 147.9 million consumers worldwide. That’s at least 147.9 million people who no longer trust Equifax, in addition to millions of people who don’t use Equifax but have negative associations due to media coverage. It takes years of hard work and consistent business to build trust, integrity, and respect. Being the victim of a breach can destroy all of that in significantly less time than it took to build. Consequently, the Federal Trade Commission (FTC) fined Equifax $425 million.
Ignorance is not bliss
Ignoring security in favor of profits means you are consciously deciding to disrespect your users, who are ironically integral to those profits. You may boast that it hasn’t happened to you, but how do you know?
You won’t always be immediately aware that you have been compromised. Sensitive data such as passwords, credit card details, and social security numbers may have been compromised months or even years before you are notified. ‘Zero-Day’ vulnerabilities, which are vulnerabilities unknown to the vendor that could compromise the security of a host or product, are discovered daily. They are called ‘Zero-Day’ because the vendor has had zero days to address or patch the vulnerability.
‘Zero-Day’ vulnerabilities can be reported ethically through responsible disclosure, such as on Zerodium. However, they are also traded illegally on the darknet to buyers with malicious intent, who use them for financial or political gain. Data breaches that go undetected can affect millions of users before any action is taken to remedy the breach.
Just look at the activity here. White hat hackers make a living from finding and reporting vulnerabilities in the most secure platforms on the web. Companies that have had a bug bounty program with hackerone.com or bugcrowd.com for years are still informed daily of new vulnerabilities on their platform. There is no feeling of “we’ve caught them all”, I can assure you.
“Small businesses don’t need to worry.”
Yes, they do.
43% of breach victims were small businesses. Cisco’s 2018 SMB Cybersecurity Report found that 53% of mid-market companies in 26 countries experienced a breach. For small and medium businesses, one breach often puts them out of business. That’s because 54% of all cyber-attacks cause financial damages exceeding $500,000.
The code securing access to your server might be adhering to all the security best practices, using secure protocols, but that will do little to prevent an employee from falling victim to a slightly sophisticated phishing attempt, a technique often resulting in a victim unintentionally revealing their admin password to an attacker over email. Not surprising, considering 94% of all malware is spread through email.
Attempts like these are recorded daily, with 62% of businesses reported to have experienced phishing and social engineering attacks in 2018.
As your company grows, so does your attack surface
The bigger the company, the more digital assets, the more attack vectors, and the more likely it is that digital assets are forgotten about and become harder to track. Maybe a development environment was created using production data, with bugs that don’t exist in production, clear-text PII (personally identifiable information) such as passwords and credit card numbers, or exposed API keys with admin-level privileges. Maybe the attacker just needs to navigate to a subdomain and look through the source code to see the API key sitting there.
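The forgotten-environment problem above is easiest to catch before it ships: scan the source tree for credential-looking assignments and flag the ones whose values look random, as a bounced deploy is cheaper than a leaked admin key. The following is an added example, not code from the original article; the sample "source file", the credential names matched and the entropy threshold are all constructed for illustration.

```python
import math
import re
from collections import Counter
from typing import Dict, List

# Constructed sample "source file" (not from the original article). It contains
# the kind of hard-coded credential the paragraph warns about, plus a weak default.
SAMPLE_SOURCE = """\
# config.py (constructed example)
DEBUG = True
DB_HOST = "db.internal.example"
ADMIN_API_KEY = "sk_live_4f8a9c2b7e1d6a3f0b5c8e2d9a7f4c1b"
DB_PASSWORD = "changeme"
RELEASE = "2024.03"
LOG_LEVEL = "info"
"""

# Quoted assignments whose left-hand name suggests a credential
# (the name list is an assumption; real scanners carry far larger pattern sets).
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)^\s*([A-Z0-9_]*(?:API_?KEY|SECRET|TOKEN|PASSWORD|PASSWD)[A-Z0-9_]*)\s*=\s*["']([^"']+)["']"""
)


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random keys score high, words score low."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_for_secrets(text: str, min_len: int = 16, min_entropy: float = 3.5) -> List[Dict]:
    """Return every credential-looking assignment, annotated with whether the
    value looks machine-generated (long and high-entropy) or is a weak literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SECRET_ASSIGNMENT.search(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        entropy = shannon_entropy(value)
        findings.append({
            "line": lineno,
            "name": name,
            "entropy": round(entropy, 2),
            # never echo the full value into a report; a prefix is enough to locate it
            "preview": value[:6] + "...",
            "likely_random": len(value) >= min_len and entropy >= min_entropy,
        })
    return findings


if __name__ == "__main__":
    for f in scan_for_secrets(SAMPLE_SOURCE):
        kind = "high-entropy secret" if f["likely_random"] else "weak literal credential"
        print(f"line {f['line']}: {f['name']} = {f['preview']} ({kind}, entropy {f['entropy']})")
```

Run as a pre-commit hook or in CI against the development branch, this catches both the admin key and the `changeme` default before either reaches a subdomain an attacker can browse.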
The largest corporations, with a wealth of software developers at hand, are not necessarily more secure. The number of developers and security experts required to be secure is directly proportional to the size of the company and its digital assets. Equifax, Capital One and Facebook are recent examples of large companies suffering a security breach.
As your business grows, so should your cybersecurity spending. Globally, approximately $6 trillion is expected to be spent on cybersecurity by 2021. Large companies have faced this reality, which is reflected in the increase in demand for cybersecurity experts, a demand that has been growing for many years and will continue to increase for the foreseeable future, along with the evolution of modern technology.
As you expand, your digital infrastructure becomes more complex, and your system’s security requirements change. To protect your growing infrastructure, you should isolate sections of your digital business by segmenting networks and splitting them into subnetworks, thereby improving security and performance. This ensures that a compromise only affects the segment where it occurred.
The last thing you want is the attackers to have access to all systems and data from a single breach.
Don’t trust implicitly
Be mindful of who you give privileged access to. Despite best practices advising companies to apply the rule of least privilege, many companies implicitly trust their staff without a second thought. For example, 53% of companies had over 1,000 sensitive files open to every employee, and 34% of data breaches involved internal actors. If those statistics don’t make you paranoid about your trusted staff, then I don’t know what will.
Implement secure policies from the start
Use strict Access Control Lists (ACLs). Don’t grant employees access to data, networks, and software that is not necessary for their daily work duties.
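The two rules above, least privilege and strict ACLs, come down to one property: nothing is permitted unless a grant explicitly says so. The following is an added example, not code from the original article, of a deny-by-default ACL together with an audit that finds the "sensitive files open to every employee" pattern mentioned earlier. The roles, users and resources are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# A grant is (role, resource, action). Anything not listed is denied.
Grant = Tuple[str, str, str]


@dataclass
class AccessControlList:
    grants: Set[Grant] = field(default_factory=set)
    roles: Dict[str, Set[str]] = field(default_factory=dict)  # user -> roles held

    def grant(self, role: str, resource: str, action: str) -> None:
        self.grants.add((role, resource, action))

    def assign(self, user: str, role: str) -> None:
        self.roles.setdefault(user, set()).add(role)

    def is_allowed(self, user: str, resource: str, action: str) -> bool:
        """Deny by default: an unknown user, unknown resource or unknown action
        all fall through to False. Only an explicit grant returns True."""
        for role in self.roles.get(user, ()):
            if (role, resource, action) in self.grants:
                return True
        return False


def resources_open_to_everyone(acl: AccessControlList, users: List[str]) -> List[str]:
    """Audit helper: resources that every listed user can read. A long list here
    is the over-exposure the article's '1,000 sensitive files' statistic describes."""
    resources = {resource for (_, resource, _) in acl.grants}
    return sorted(r for r in resources if all(acl.is_allowed(u, r, "read") for u in users))


def build_sample_acl() -> AccessControlList:
    """Constructed policy: one over-broad grant is deliberately included."""
    acl = AccessControlList()
    acl.grant("engineer", "repo", "read")
    acl.grant("engineer", "repo", "write")
    acl.grant("finance", "payroll", "read")
    acl.grant("everyone", "handbook", "read")
    acl.grant("everyone", "payroll", "read")  # the kind of grant the audit should surface
    for user, role in [("alice", "engineer"), ("bob", "finance"), ("carol", "engineer")]:
        acl.assign(user, role)
        acl.assign(user, "everyone")
    return acl


if __name__ == "__main__":
    acl = build_sample_acl()
    print("alice write repo:", acl.is_allowed("alice", "repo", "write"))
    print("bob write repo:", acl.is_allowed("bob", "repo", "write"))
    print("open to everyone:", resources_open_to_everyone(acl, ["alice", "bob", "carol"]))
```

The audit is the part worth keeping: run it against the real permission export after every reorganisation, and treat anything beyond the handbook-style resources it returns as a grant to revoke.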
For example, to limit the damage from social engineering, consider implementing a web filter that protects against web-based attacks. Taking measures to prevent web-based attacks is essential, as 1 in 13 web requests lead to malware. A web filter prevents employees from visiting sites that are not relevant to their work, including phishing websites and sites that host malware. Additionally, DNS-based web filters protect wired and wireless networks as well as remote workers, and block malware downloads.
Consider providing all staff, regardless of their role, with Security Awareness Training. Don’t leave security responsibility solely to developers. Everyone should have at least basic training in cybersecurity and a working knowledge of the Open Web Application Security Project (OWASP) Top 10, the list of the ten most critical web application security vulnerabilities.
Think beyond your company premises
Selectively choose your vendors, partners and software dependencies. The infrastructure that you control may be secure, but what about the third-party API that you just integrated? Has that been thoroughly checked for vulnerabilities?
Software bugs can be introduced today that were not present yesterday, especially if you are a tech-based company, as updates are pushed almost daily due to constant development. Therefore, a day-to-day assessment of security is unreliable. Think about who you share data with, and which partners or dependencies require sensitive data to be shared. What would it mean for your business if their systems were compromised? How would your users be affected?
The battle to stay secure is continuous. Take action now. It’s in your company’s best interests.