Cybercrime will cost businesses all over the world over US$6 trillion annually by 2021, according to Cybersecurity Ventures. Such costs include data destruction, theft of assets like money, intellectual property, and data, and disruption to businesses and lives. Estimated losses could be higher, with the figures not covering unreported crimes, fees for legal and public relations management, declines in stock valuations, and other intangible negative effects.
To better understand the real-life risks faced by businesses, Tech in Asia spoke to Eugene Teo, director of security at Ultimate Software in Singapore.
“When something goes wrong, everyone is affected. It’s not just the management. Everyone should care about security,” Eugene says. His company, US-based Ultimate Software, provides a cloud-based human capital management (HCM) software solution.
“There’s personally identifiable information involved with employee management and recruiting. This includes the payroll where bank account details are stored. We invest in security to make sure that the data is protected,” says Eugene.
1. Preventing inside jobs
Cybercrimes need not come from outside; they can be orchestrated from within. In such cases, even the latest technology might not help. Well-planned security frameworks and processes, as well as security experts, are critical.
“Companies need clear guidelines on what information needs to be shared on a need-to-know basis only, and what can be shared within teams, departments, and the company,” Eugene advises. For example, a company could discourage employees from storing sensitive data on a public cloud service such as Amazon Web Services (AWS).
Moreover, robust guidelines are necessary to reduce the risk of inside jobs. Shockingly, half of all security incidents that involve the compromise of information or data are caused by the people in an organization.
Companies may want to take precautions to ensure that company secrets aren’t leaked by disgruntled employees. A former system administrator of paper maker Georgia-Pacific attacked the company’s industrial control system after leaving, causing US$1.1 million in damage within just two weeks.
Having a strong security team or experts may be the best bet as such internal attacks are unlikely to register as malicious activities. A team of experts can help to set up robust cyber security policies and frameworks. Measures can include conducting exit interviews, limiting employee access to and encrypting sensitive data, canceling email accounts and access to the cloud as soon as the employees leave, and creating alerts for login attempts to the network.
2. Ransomware is a growing issue
An ongoing problem in cyber security is ransomware. “Ransomware is a malicious program that people may unknowingly download while surfing the web or via email,” says Eugene. “It encrypts your files and then asks you for money, bitcoins, or wire transfers. And even if you pay, there’s no guarantee of getting your files back.”
Eugene has encountered ransomware. “An employee received an email. She wasn’t sure what exactly the attachment was and she forwarded it to a colleague to take a look.” Both of them ran the malware and their laptops were infected.
“What made it worse was that the two laptops were connected to the internal file server. The files in the shared drive were all encrypted. It affected the company,” says Eugene.
Security experts can help with such nightmarish situations where an attack bypasses security through human error. It’s a cat-and-mouse game where hackers write malware but security companies are always figuring out how to prevent and crack the encryption. It’s also important to educate your company staff on the risks of such malware and how to look out for bogus emails.
Assess your company’s security profile with this cyber scoring tool. This free self-assessment tool is jointly developed by the International Data Corporation (IDC) and Quann. After the assessment, you will get a customized security report. You will also get bespoke cyber security advice from the site.
3. Every day is backup day
Companies may be concerned with innovation and having new products hit the market. They may not invest in security or data backups. Entrepreneurs who lose their data may need to start from scratch again.
Another problem that companies face is integrating different security products from various vendors and managing security software updates. This can get in the way of progress.
Having tech is not enough – it’s also important to hire people with the right training and security acumen to deal with this.
4. Attacks can happen anytime
Having global security monitoring is important for international businesses. “At any time, someone is making sure that our system and platforms are secure,” says Eugene. “If you see someone log into an American account at 3 am Eastern Time, which is 3 pm in Singapore, it might be suspicious activity. We will analyze it to determine if it requires further investigations.”
With sensitive information or a supply chain at stake, companies need to mitigate risks by having a full-time 24/7 team, or using an externally managed security service like Quann.
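The off-hours login check Eugene describes, as an added example that is not part of the original article or any Ultimate Software tooling: UTC login timestamps are converted to each account's home time zone and flagged for analyst review when they fall outside working hours. The account names, home-zone mapping, 07:00 to 20:00 working window and log lines are all constructed assumptions.

```python
from datetime import datetime, time, timezone
from zoneinfo import ZoneInfo

# Constructed account directory (assumption): account -> home time zone.
ACCOUNT_HOME_TZ = {
    "us-payroll-admin": "America/New_York",
    "sg-hr-admin": "Asia/Singapore",
}

# Assumed working window, expressed in the account's own local time.
WORK_START, WORK_END = time(7, 0), time(20, 0)

# Constructed sample log lines: "<UTC timestamp> <account> <result>".
SAMPLE_LOG = """\
2018-07-10T07:00:00Z us-payroll-admin success
2018-07-10T14:30:00Z us-payroll-admin success
2018-07-10T07:05:00Z sg-hr-admin success
2018-07-10T19:40:00Z sg-hr-admin failure
2018-07-10T08:00:00Z contractor-x success
"""


def parse_line(line):
    """Split one log line into (aware UTC datetime, account, result)."""
    ts, account, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when.replace(tzinfo=timezone.utc), account, result


def review_logins(log_text):
    """Return (account, local time, reason) tuples that need a human look."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, account, _result = parse_line(line)
        tz_name = ACCOUNT_HOME_TZ.get(account)
        if tz_name is None:
            # No known home zone: cannot judge the hour, so surface it.
            findings.append((account, None, "unknown-account"))
            continue
        # Judge the hour where the account lives, not where the analyst sits:
        # 07:00 UTC is 3 pm in Singapore but 3 am US Eastern (daylight time).
        local = when.astimezone(ZoneInfo(tz_name))
        if not (WORK_START <= local.time() < WORK_END):
            stamp = local.strftime("%Y-%m-%d %H:%M")
            findings.append((account, stamp, "off-hours"))
    return findings
```

A finding here is a prompt for analysis, not a verdict; both successful and failed attempts are flagged because either can matter at that hour.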
Company leaders who turn a blind eye to these dangers can face a number of consequences. On top of possibly destroying the company, they can also lose their jobs or face regulatory action.
1. Lose your company, lose your job
Being compliant with security regulations doesn’t mean the company is invulnerable, as Target’s CEO Gregg Steinhafel discovered. He had been working with Target for 35 years. He was nonetheless asked to resign for a credit-card breach affecting 40 million customers in 2014. Target had actually passed compliance requirements a few months before the breach. In this case, Target lacked security expertise to advise them on the proper strategies or processes to protect themselves.
To avoid such scenarios, companies should seriously consider having a security team that consistently tests the system for vulnerabilities.
2. Know the legal ramifications
When data is breached, companies may be answerable by law to a variety of stakeholders, such as customers, shareholders, traders, regulators, and boards of directors. In such an event, security, public relations, and legal teams have to work together.
“Ideally companies should perform investigations, make sure evidence is intact, and work with affected customers to make sure the breach can be mitigated,” says Eugene. “The worst thing to do is to keep quiet. Companies need to be responsible and have the integrity to inform users who are affected so that they can remediate the problem.”
On top of adequate tech protection, companies also need to think about how to set up security processes and crisis management plans with the help of experts way before a cybercrime happens. That way, public relations and legal teams can be well prepared.
If there’s something strange, who’re you gonna call?
Here is a summary of the tips covered above:
- With private information or a supply chain at stake, companies need to mitigate risks by having a full-time 24/7 IT security team, or using an externally managed security service, such as Quann.
- Experts can help build a robust framework to deal with insidious internal threats.
- Every day ought to be a backup day.
- Update third-party security software regularly. When in doubt, consult security expert(s).
- Have a team that consistently tests the system for vulnerabilities.
- Leaders need to recognize and think about how to address legal ramifications with security experts before a cybercrime happens.
Finally, security is also about avoiding human error. Security breaches can happen over phone calls, emails, and even clicking on a malicious website that looks innocuous. Cybercriminals may also send targeted emails pretending to be a familiar friend or colleague from LinkedIn or Facebook.
“An HR admin receives a phone call from the CEO asking for access to everyone’s payroll. The staff should verify with the CEO in person or return a phone call to make sure that he is who he is. If not, he or she should report the call to the security team,” says Eugene. “Someone who isn’t aware of security measures may simply share this sensitive information.”
The best measure companies can take is to invest in people. If employees aren’t doing the right thing, even having the best tech won’t save you. Educate the company to make sure that people know best practices in security and become the eyes for the security team.
“If they see something suspicious, they can inform us,” says Eugene. It’s like calling the police. “Or like Ghostbusters!”
This post Security nightmares can end your company. Here are all the risks you face. appeared first on Tech in Asia.