Practical and Easy Ways to Help Protect Your Business From the Hidden Risks of Cybersecurity Issues, Part 1

Harumi Urata-Thompson, published in Tokyo FinTech, Jan 28, 2020

Cybersecurity should concern everyone in the era of digital assets and big data. Cybersecurity incidents have quickly become a norm in our daily lives. Some are large and some relatively small, but they disrupt the lives of the people affected just the same, regardless of scale.

Identity theft is probably one of the earliest known types of cyber threat. Attackers take advantage of any number of opportunities to steal personal data: a credit card transaction, a misplaced bill, or a social security number left out in the open. A case in point: some may remember the case of LifeLock’s CEO, Todd Davis. He purposely displayed his own social security number on the company website and on billboard ads, to tout that LifeLock’s protection was so strong that even a number exposed this way would be safe. In actuality, it wasn’t. His identity was stolen multiple times, thirteen times to be exact.

One could say that many years have passed since then. We know a lot more about data security, and today we have better ways to handle our information so as not to become an easy target. But attackers have also come a long way. They have gotten smarter, more relentless, and equipped with far more computing power. They have developed countermeasures to the protections we have built. They typically spend more time attacking our systems than we spend protecting them. And, as if that were not enough, there is ever more data to protect.

The truth is that if we cannot inventory every digital asset we have and every place we keep it, let alone know how to protect it all, we are already vulnerable.

Much of Cybersecurity Risk is Actually Closer to Home

There are certain images often associated with cyber crime. Some people may immediately think of a faceless person in a hoodie. For others, it might be a glowing padlock against a light blue background, crossed by lines representing a connected network. Both images make cyber incidents seem like something done by unknown people in unidentifiable places, far removed from us. The result is that many of us engage with cybersecurity passively at best, leaving the bulk of the job in “professional” hands. But is it really something that should be left in the hands of a few?

To answer that question, let’s clear up a common misperception about the nature of cybersecurity issues. We often lump all cybersecurity problems together under the label “hacking”, but a range of activities and motives lie behind the resulting disruptions. Some are prompted by financial motives or by pranksters playing jokes, and these may indeed be traced back to someone who is truly nameless and faceless “out there”. There are also less common threats involving warfare, terrorism, and espionage; these are matters of national security that any single person would find hard to prevent. In reality, however, the large majority of cybersecurity disruptions, over 90% by some estimates, come from people much closer to us. Often they are people we work with. Motives range from revenge to financial gain, and many disruptions come from plain and simple human error.

Simple Precautions and Procedures to Mitigate Cybersecurity Risk

The majority of disruptions come from insiders, and many of them happen because of simple mistakes, a small oversight, or a plain lack of procedures. So there is a lot that all of us can do to prevent them, regardless of profession and expertise, including:

  • Adopting certain business practices and standards.
  • Using strong, unique passwords, ideally kept in a password manager and backed by multi-factor authentication.
  • Not calling out your social security number or any other sensitive information across the office.
  • Locking computers and cabinets when not in use.
  • Opening only email from senders you recognize, and never opening suspicious-looking attachments; check the actual sender address, not just the display name.
  • Taking the advice of IT administration.
  • Granting access permissions only to the personnel who need them, and removing them when the need ends.

All of this is practicing good “cyber hygiene” at the work place. We already maintain certain practices to keep our personal day-to-day physical lives clean and hygienic. Cyber hygiene works the same. We need to implement certain clean hygiene routines and practices in the digital work place.
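As an added illustration of the email item above (example code written for this edit, not part of the original article), the following Python script shows what “recognizable” should mean in practice. It parses the From header, compares the sender’s registrable domain against a small allowlist of vendor domains, and flags homoglyph look-alikes, typosquats within two edits, and display names that claim a known vendor while the address points elsewhere. The vendor domains, the homoglyph table, and the sample headers are all constructed assumptions for the example.

```python
import re
from email.utils import parseaddr
from typing import Tuple

# Constructed allowlist of vendor domains this business actually works with
# (assumption for the example; a real one would come from vendor management).
KNOWN_DOMAINS = ("example.com", "payroll-vendor.com", "dentalrecords.example")

# Character substitutions attackers use to build look-alike domains.
# Multi-character entries come first so "rn" collapses to "m" before "1" -> "l".
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Collapse common homoglyph substitutions so 'exarnple.com' reads 'example.com'."""
    domain = domain.lower()
    for lookalike, real in HOMOGLYPHS.items():
        domain = domain.replace(lookalike, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance to a known domain suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(addr: str) -> str:
    """Return the last two labels of the address's domain.

    Assumption: a single-label public suffix. Multi-part suffixes such as
    co.uk would need the public suffix list.
    """
    domain = addr.rsplit("@", 1)[-1].strip().lower()
    return ".".join(domain.split(".")[-2:])


def brand_tokens(domain: str) -> list:
    """Words in a vendor's domain that a spoofed display name is likely to reuse."""
    return re.findall(r"[a-z]{4,}", domain.split(".")[0])


def classify_sender(from_header: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'ok', 'review' or 'reject'."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "reject", "From header carries no usable address"
    domain = registrable_domain(addr)
    if domain in KNOWN_DOMAINS:
        return "ok", f"{domain} is on the allowlist"
    # Look-alike checks run before the display-name check so the most
    # specific reason is the one reported.
    for known in KNOWN_DOMAINS:
        if normalize(domain) == normalize(known):
            return "reject", f"{domain} is a homoglyph look-alike of {known}"
    for known in KNOWN_DOMAINS:
        if edit_distance(domain, known) <= 2:
            return "reject", f"{domain} is within two edits of {known}"
    for known in KNOWN_DOMAINS:
        if any(token in name.lower() for token in brand_tokens(known)):
            return "reject", f"display name claims {known} but address is {domain}"
    return "review", f"{domain} is unknown; treat links and attachments as untrusted"


if __name__ == "__main__":
    # Constructed sample From headers, not taken from any real mailbox.
    SAMPLES = [
        "Payroll Team <billing@payroll-vendor.com>",
        "Payroll Team <billing@payro11-vendor.com>",
        "IT Helpdesk <it@exarnple.com>",
        "Notice <noreply@exampel.com>",
        "Payroll Vendor Support <help@random-mail.net>",
        "Newsletter <news@unknown-shop.net>",
    ]
    for header in SAMPLES:
        verdict, reason = classify_sender(header)
        print(f"{verdict:7} {header:48} {reason}")
```

The script only inspects the From header, which the attacker controls outright, so in production this allowlist logic belongs behind the SPF, DKIM, and DMARC checks performed by the mail gateway rather than in place of them. A “review” verdict is the deliberate default for unknown senders: the goal is to make the user look at the real address before opening anything, not to block legitimate new contacts.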

Wait, There’s More; Hacking is a Threat After All?

Maintaining cyber hygiene practices and protections at the workplace is a good starting point for everyone. But recent reports indicate that attackers have found a way around even this. For one thing, they are more methodical and have more computing power for brute-forcing credentials. More pertinently, they are looking for vulnerable third-party vendors. In what is typically referred to as third-party risk, attackers compromise a vendor in order to reach the many “end-user” businesses that depend on it.

Ransomware has become the best-known form of this kind of threat, and many headlines have referenced it lately. Ransomware is a type of malware designed purposely to disrupt normal operations: it locks devices or encrypts files, and the perpetrators then extort payment from victims to regain access. Ransomware breaches frequently arrive through third-party products or services, such as software, a data warehouse, or an operating system; any digital asset is fair game. Yet not many companies, or even regulators, have fully focused on third-party risk management.

It is common and sensible business practice in this day and age to rely on some kind of third-party service, especially for small businesses. Building in-house is resource intensive and makes little sense in fields where an industry standard is already established. A firm may already have digital protection of its own, but if a third-party risk is left unaddressed and that third party is compromised, the firm can be affected too. To protect a business from every angle, it has to be aware not only of its own risk profile but also of that of its third parties, and then make appropriate decisions as part of prudent vendor management.

Let’s look at a couple of recent ransomware incidents. Attackers hit 22 Texas municipalities and demanded ransom in exchange for restoring access to the towns’ own files. Many smaller municipalities use outsourced IT services and software, as they are not large enough to justify dedicated in-house technology staff or to develop their own software. The attackers specifically targeted and compromised the outsourced third-party provider, and reached the municipalities through it.

It’s not clear if the municipalities involved will be paying ransom to regain access to their files and data. But they may not have any other option. Municipal residents at the time of attack lost access to birth and death certificates. Even their utility payments were in limbo, which was putting electric and water access at risk.

Another recent ransomware incident, one that might hit closer to home, is in dentistry. The Digital Dental Record, a provider of IT software to dental practices, was attacked, which shut down computers at hundreds of dental offices. Patients simply could not be treated because their computerized records could not be accessed.

While neither the Texas municipalities nor the dental offices were attacked directly, the attackers effectively stranded thousands of people without access to services that would otherwise be taken for granted. Unfortunately, they are not the first, nor will they be the last, of such third-party breach victims. We all need to realize that this can happen to any of us as long as we have any kind of digital asset. Most of us, if not all, have some aspect of our daily lives stored online as digital records. We all have a stake in actively managing this kind of risk.

Digital Assets and Big Data

What, precisely, are digital assets? A digital asset is something that has value and can be owned but has no physical presence, only a digital one. Examples include software, analytics, and source code. Data is another example of a digital asset and is fast becoming the new currency of our economy. Data is the foundation of the digital economy, from which many emerging technologies are multiplying quickly.

Today, just about anyone can create data, collect it from many sources, and ingest it for some benefit. We commonly refer to this large amount of data as “big data”. Big data refers to data sets that are so large or complex that traditional data processing software applications are inadequate in managing or organizing them, never mind analyzing them.

Challenges with big data include capturing, storing, analyzing, searching, sharing, transferring, visualizing, querying, updating, and maintaining privacy. IDC predicts that the size of global data will grow from 33 zettabytes (ZB) in 2018 to 175 ZB by 2025. One ZB is a 1 followed by 21 zeros, or 1 billion terabytes. That is a lot of digital assets to deal with. This data has value for myriad constituents. How do we protect it to make sure that it stays in the hands of the people to whom it belongs?

Cybersecurity is how we protect this ever-increasing volume of data. We cannot physically touch, store, or lock up big data with a traditional lock or vault, and we are not dealing with a person who physically breaks in through a door or window. This makes building a protective solution more challenging, because it requires writing code and installing software, an entirely different set of skills from going to the store, buying a safe or a lock and key, and installing it at home or work.

The first known lock goes back almost 4000 years, but it was not until the mid-1800s that the pin-tumbler lock was commercialized for mass use: Linus Yale Sr. introduced his version in 1848, and his son Linus Yale Jr. patented the modern cylinder form in 1861. Even the physical lock and key required many different skills and roles to invent and commercialize. The metal key is now so ingrained into our routines and systems that the complex commercial processes behind it have been fully absorbed as the norm.

Similarly, cybersecurity is the next-generation lock and key for today’s digital assets and should not be treated much differently. It is true that it requires new skills like data analysis and coding that did not exist in the 1800s. But whether we are making a physical key or a virtual key, at a basic level we need people with a spectrum of skills: developing product requirements, managing and implementing the product, and managing business development and product roll-out. The process is the same regardless of whether the assets are physical or digital. And, just as with protecting physical assets, we all need to take an active role in the business of protecting digital assets.

In part II, a working approach to framing cybersecurity measures will be laid out, along with a cautionary tale on the hazards of neglecting proper security by a world-recognized personal data company.
