Cybersecurity is in the news almost weekly. Unfortunately, the number of threats is increasing, and the sophistication of the attacks is growing. Individuals, businesses (large and small), and governments are under attack. For example, Colonial Pipeline, which carries gasoline, diesel and jet fuel from Texas to New York, was recently hit by a high-profile ransomware incident. SolarWinds, a major U.S. information technology firm, was compromised in a supply-chain attack that pushed malicious updates to its clients and went undetected for months.
WHY should you care? The problem is huge, fast-changing, complex, and expanding. It affects every individual and every organization. According to the EY 2019 "CEO Imperative Study," CEOs of the 200 largest global companies rated national and corporate cybersecurity as the number one threat to business growth and the international economy over the next five to 10 years.
• According to McAfee, estimates of annual losses from cybercrime range from $500 billion to $1 trillion, and they are projected to rise to $5 trillion by 2024.
• According to the FBI, “There are 4,000 ransomware attacks every day.”
• According to CSIS and McAfee, “Sixty-four percent of Americans have lost personal data or had fraudulent charges due to cybercrime.”
WHAT can you do about it? Here are five core principles for an overall governance approach (from Cyber-Risk Oversight 2020, published by the National Association of Corporate Directors). Companies and their directors need to:
1. Risk — Recognize cybersecurity as a strategic enterprise risk, not just an IT risk.
2. Legal — Understand that cyber risks have legal implications.
3. Expertise — Ensure there is adequate access to cybersecurity expertise and discuss risk management regularly.
4. Framework — Set expectations that management will establish an enterprise-wide, cyber-risk management framework with staffing and budget.
5. Financial Exposure — Identify and quantify the financial exposure for cyber risks and which risks to accept, mitigate, or transfer (for example, through insurance and/or specific plans).
Begin now. Individuals:
1. Use long, unique passwords. Length matters more than complexity, and a password manager makes unique passwords practical.
2. Update your devices and applications promptly so they have the latest security patches.
3. Be wary of unsolicited emails. Don't click links or open attachments you weren't expecting; that is how phishing works.
4. Back up regularly. When was the last time you backed up your data, and have you tested that you can restore from it?
5. Protect your devices and internet connections. Do you have anti-virus software on your devices? Are you using two-factor authentication? Do you use a virtual private network (VPN) on untrusted networks such as public Wi-Fi?
Businesses. Ask the right questions of the right people in your organization.
1. Do you have an Incident Response Plan? If not, establish one now, and exercise it so people know their roles before an incident.
2. How is personally identifiable information (PII) handled domestically and internationally? What other standards (e.g., HIPAA) must you comply with in your industry, and how are you protecting the data they cover?
3. Which third parties have access to your systems and what controls are placed on them?
4. How do you manage and control the core security infrastructure? What defenses do your internet gateways have? Do you use two-factor authentication? Do you allow anything in your network to talk directly to the internet? How are you protecting and backing up your data, and are the backups kept isolated so that ransomware cannot reach them?
5. What is your insider threat program? Do you employ a data loss prevention (DLP) product?
Cybercrime is a big and growing risk. To protect yourself and your business, consider people, processes, and technology together. Review the core principles of risk, legal, expertise, framework, and financial exposure. Make sure you have the right expertise to provide oversight. Take action now to protect, defend, and deflect.
Theresa M. Szczurek, Ph.D., is a C-level executive, corporate director and Colorado CIO of the Year. She is a technology entrepreneur and a former chief information officer for the state of Colorado. www.TMSworld.com