According to Techcrunch, the 2013 breach of Target cost a whopping $162M. In a year of increasingly damaging public hacks, it’s important to reiterate the central place that cybersecurity must play in every company’s digital strategy.
A single breach can lead to the destruction of brand confidence, not to mention cost millions. Ignorance of even basic cybersecurity practices is widespread and alarming, particularly among executives. In an effort to combat this dangerous ignorance, here is a compiled list covering the key areas of cybersecurity. This list can serve as a launching off point, a place to begin understanding the dynamics of cybersecurity as well as how to protect both yourself and your organization.
Establish employee training
Establish basic security practices and policies like requiring strong passwords or lessons in how to avoid phishing attacks. Like any security enterprise, cybersecurity requires teamwork with all members of an organization playing a part in identifying potential threats and vulnerabilities. When employees are both ignorant of threats and aren’t involved in cybersecurity, not only can vulnerabilities go unnoticed but also the employees themselves can become conduits through which attacks are executed. (Source: DHS)
Access specific controls & network segmentation
By creating specific access controls for users as well as segmented networks you can limit their access to only the systems they need for their specific tasks thus limiting sensitive data exposure.
Vigorously maintain best practices on payment methods
Work with banks or processors to ensure the most trusted tools and anti-fraud services are being used and consistently updated. Isolate payment systems from other less secure systems.
Secure Wifi accounts
Insure that all company Wi-Fi networks are secure, encrypted, and hidden. Wi-fi networks often function as an unlocked door into the entire company.
Mobile action plan
Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require employees to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while on public networks. Lastly, implement reporting procedures for lost or stolen equipment.
Collect detailed logs
For a complete record of what goes on in your systems, you should collect detailed logs and report data. This is especially the case for applications that don’t have internal logging, by adding logging tools the activities of these applications you will be able to plug any security holes those applications may create.
Use secure remote access methods
The ability to remotely connect to a network has added a great deal of convenience for end users, but a secure access method, such as a VPN, must be used if remote access is required.
Maintain awareness of vulnerabilities and implement necessary patches and updates
In its 2015 Data Breach Investigations Report, Verizon observes that many breaches are enabled by not addressing known vulnerabilities, noting that 99.9% of exploited vulnerabilities were compromised more than a year after public disclosure of the issue. Most vendors work to develop patches for identified vulnerabilities. But even after patches and updates have been released, many systems remain vulnerable because organizations are either unaware of or choose to not implement these fixes.
Create a data breach response plan
Regardless of your security capabilities a breach is always possible. Having a response plan laid out ahead of time will allow you to close any vulnerabilities and limit the damage done.
Involve executives in cybersecurity
In a study of cyber incident response by the Ponemon Institute, researchers found that only 20% of IT security professionals surveyed regularly communicated with management about threats. Additionally, just 14% of these individuals reported that executive management participated in the incident management process. The study authors note that a deficit of involvement and awareness by organization executives may make it difficult to secure funding for cybersecurity measures and to get the support of leadership for company-wide efforts. Executives must begin to take active involvement in securing a company’s data, assets, and employees.
Wired’s fantastic security section
Department of Homeland Security
CNET’s security section
Information Week’s Dark Reading