Cybersecurity vigilance requires active monitoring, training and testing to protect an organization’s most valued assets. But too often, a weak link, in the form of an under-trained employee, unknown vendor or failed application, can be all it takes to debilitate a company, exposing protected customer data, and putting it at risk for regulatory fines and permanent reputational damage.
“With the upward trend in threats, vulnerabilities, compliance requirements and digital innovation, it is important to not only implement essential cyber hygiene controls but understand the risks an organization faces,” said Karey Barker, Vice President and Chief Information Security Officer at Safety National. “What are the top threats in your industry? Where might you be vulnerable? How and when will you reduce the risk to best protect the organization?”
Organizations can start by identifying their vulnerabilities within these threats.
1. Social Engineering
Social engineering refers to the broad range of malicious activities that occur through human interactions. Attacks are based on psychological manipulation that tricks users into providing sensitive information or making unfortunate security mistakes. This usually requires more background work from a perpetrator, who needs to identify and engage the victim, obtain the information they need and then cover their tracks, leaving without a trace. Since these attacks rely on human error, organizations should focus on training that helps users identify social engineering in all its forms. Email phishing tests should be prioritized to help recognize which employees may need further training. A few of the more common forms of social engineering include:
- Phishing – As one of the most popular forms of social engineering, this method relies on a victim clicking a malicious link in an email or text message, usually by creating a sense of urgency or curiosity.
- Pretexting – Typically, an attacker will impersonate a co-worker or person of authority, asking a victim questions to gather personal data, like Social Security numbers, addresses or bank records.
- Vishing – An attacker uses fraudulent voicemails or phone calls, claiming to represent a reputable company, to trick a victim into revealing personal information, such as credit card numbers or bank details.
One common theme across all types of social engineering is the tactic of creating a sense of urgency so the user acts immediately. Employees should be trained to recognize this “red flag” and know the organization’s procedures for reporting suspected malicious activity.
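The red flags described above (urgency language, a sender who is not who the display name claims, and links whose visible text does not match where they actually go) can be checked mechanically before a message reaches an employee. The following is an added example, not code from the original article or from Safety National: it uses only Python’s standard library, and the sample message, the trusted domain `example.com` and the list of urgency phrases are constructed for the example.

```python
"""Flag common phishing red flags in an email message (added example, constructed input)."""
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that pressure the reader to act immediately; this list is an assumption
# and would be tuned to the organization's own phishing-test results.
URGENCY_PHRASES = (
    "immediately", "within 24 hours", "account will be suspended",
    "urgent", "final notice", "verify your account", "act now",
)


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(url_or_addr):
    """Lower-cased last two labels of the host in a URL or e-mail address."""
    if "://" in url_or_addr:
        host = urlparse(url_or_addr).hostname or ""
    else:
        host = url_or_addr.rsplit("@", 1)[-1]
    return ".".join(host.lower().split(".")[-2:])


def phishing_red_flags(raw_message, trusted_domains):
    """Return a list of red-flag descriptions found in a raw RFC 822 message."""
    msg = email.message_from_string(raw_message)
    flags = []
    display_name, sender = parseaddr(msg.get("From", ""))
    # 1. Display name invokes a trusted brand while the sender domain is something else.
    for brand in trusted_domains:
        if brand.split(".")[0] in display_name.lower() and _host(sender) != brand:
            flags.append(f"display name '{display_name}' does not match sender domain '{_host(sender)}'")
    # 2. Reply-To points at a different domain than the sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _host(reply_to) != _host(sender):
        flags.append(f"Reply-To domain '{_host(reply_to)}' differs from sender domain")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    # 3. Urgency language in subject or body.
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    # 4. Link text that shows one host while the href leads to another.
    collector = _LinkCollector()
    collector.feed(body)
    for shown, href in collector.links:
        if "." in shown and _host(shown if "://" in shown else "https://" + shown) != _host(href):
            flags.append(f"link text '{shown}' points to '{_host(href)}'")
    return flags


# Constructed sample message imitating a credential-phishing lure; all domains are fictitious.
SAMPLE_MESSAGE = """\
From: "Example Bank Security" <alerts@example-secure.test>
Reply-To: support@mailbox-relay.test
To: employee@corp.example
Subject: Final notice: verify your account
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended within 24 hours unless you act now.</p>
<p><a href="http://example-login.attacker.test/verify">bank.example.com/verify</a></p>
"""

# Constructed benign message from the genuine domain for comparison.
CLEAN_MESSAGE = """\
From: "Example Bank" <alerts@example.com>
To: employee@corp.example
Subject: Monthly statement available
Content-Type: text/html; charset="utf-8"

<p>Your statement for last month is ready in online banking.</p>
"""

if __name__ == "__main__":
    for flag in phishing_red_flags(SAMPLE_MESSAGE, ["example.com"]):
        print("RED FLAG:", flag)
```

None of these checks proves a message is malicious on its own; the value for a training program is that the same four signals the script looks for are the ones employees are taught to spot, so a message that trips several of them is a good candidate for the reporting procedure.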
2. Third-Party Exposure
Data breaches that involve a third party are $700,000 more expensive on average. Given the frequency of cyberattacks, there is much more to lose, including consumer trust eroded by reputational harm. Organizations should know every vendor they use, what each vendor is doing with their data and how it will report an incident should one occur. In addition to a breach coach who has managed thousands of ransomware attacks and can help negotiate the terms of the ransom, a cyber policy can cover associated costs, like system and data recovery and legal aid. It can also assist with regulatory fines, reputational damage and liability matters.
3. Cloud Adoption
Often an organization that has adopted cloud storage assumes its configuration is secure simply because it is “in the cloud,” which is a misconception. Typically, a shared responsibility model exists between a cloud service provider (CSP) and the customer. The CSP is responsible for the infrastructure security, including items such as physical hosts, networks and data centers. The customer is responsible for the data, applications and access in the cloud. In some cases, the customer is also responsible for turning on security features the CSP offers and ensuring they are configured correctly. For example, a CSP may offer Multi-Factor Authentication, but the customer has to turn it on for their users. An organization must truly understand its responsibility for managing its half of this model and which items may fall into a grey area. Internal security teams should be well versed in maintaining complete control of the assets, processes and functions they own.
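The customer’s half of the shared responsibility model is something the internal security team can audit on a schedule rather than assume. The following is an added example, not code from the original article or from any cloud provider: it audits a constructed account snapshot (the field names and the snapshot shape are assumptions, not a real CSP’s API) for the MFA case the text gives and, going beyond it, for two other customer-owned settings of the same kind (storage left publicly readable and audit logging left off).

```python
"""Audit the customer-owned settings in a cloud account snapshot (added example, constructed input)."""
from dataclasses import dataclass

# Constructed snapshot in the rough shape an inventory export might take; not a real provider's format.
ACCOUNT_SNAPSHOT = {
    "users": [
        {"name": "alice", "mfa_enabled": True, "console_access": True},
        {"name": "bob", "mfa_enabled": False, "console_access": True},
        # Service identity with no interactive login: MFA is not the control that applies to it.
        {"name": "ci-deployer", "mfa_enabled": False, "console_access": False},
    ],
    "storage_buckets": [
        {"name": "customer-records", "public": False},
        {"name": "marketing-assets", "public": True},
    ],
    "logging": {"audit_trail_enabled": False},
}


@dataclass
class Finding:
    area: str       # which customer-owned area of the model the gap falls in
    resource: str
    issue: str


def audit_customer_responsibilities(snapshot):
    """Return findings for CSP-offered controls the customer has not switched on."""
    findings = []
    # Access: every human who can sign in to the console must have MFA enabled.
    for user in snapshot["users"]:
        if user["console_access"] and not user["mfa_enabled"]:
            findings.append(Finding("access", user["name"], "MFA offered by CSP but not enabled"))
    # Data: storage the customer owns must not be readable by the public.
    for bucket in snapshot["storage_buckets"]:
        if bucket["public"]:
            findings.append(Finding("data", bucket["name"], "bucket is publicly readable"))
    # Access: the audit trail the CSP offers only helps if the customer turns it on.
    if not snapshot["logging"]["audit_trail_enabled"]:
        findings.append(Finding("access", "account", "audit logging not enabled"))
    return findings


def summarize(findings):
    """Count findings per responsibility area, so the report maps back to the model."""
    counts = {}
    for f in findings:
        counts[f.area] = counts.get(f.area, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_customer_responsibilities(ACCOUNT_SNAPSHOT)
    for f in results:
        print(f"[{f.area}] {f.resource}: {f.issue}")
    print(summarize(results))
```

The point of the `area` label is that each finding is attributable to the customer side of the model; nothing here inspects hosts, networks or data centers, which remain the CSP’s responsibility and are outside what the customer can configure.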