Data breaches put not only your company and employees at risk but also your customers. Depending on the scale of a breach, your reputation could become significantly damaged, driving down profits and jeopardizing relationships and business with customers and clients.
According to the Ponemon Institute’s 2018 Cost of a Data Breach study, the average cost of a breach for a company in the United States is $7.91 million, so it’s more important than ever that companies invest in cybersecurity. It’s no longer a question of if your network will be compromised, but rather when your network will be compromised.
Below, we explore the strategies business owners should adopt to protect their assets from cyberattacks.
Types of Data Breaches and Cybercriminals
Cybersecurity focuses on protecting your organization’s valuable customer, employee and internal data, including the following:
- Customer personal and payment card information
- Trade secrets
- Business partner or supply chain information
- Plant operational data
- Financial data
These assets are usually attacked by four types of cyber adversaries:
- Nation states seeking an economic, political or military advantage
- Organized crime networks motivated by financial gains
- Hacktivists hoping to influence political or social change or to put pressure on a business to alter its practices
- Insiders motivated by personal advantage, monetary gain or professional revenge
Cybercriminals have several attack methods at their disposal:
- Cryptojacking. This is the secret use of your computing device to mine cryptocurrency.
- Ransomware. Hackers can gain access to a company’s system using malicious software, commonly known as malware. Once inside, hackers can encrypt and hold sensitive data hostage for payment.
- Fileless Attacks. These attacks, also known as non-malware, zero-footprint or macro attacks, don’t need to install software to infect a machine. Instead, a machine’s existing vulnerabilities and common system tools are exploited to add malicious code into normally safe processes.
- Spear Phishing and CEO Fraud. A hacker emails employees posing as a trustworthy source — often C-level executives — asking for information in hopes of the recipient innocently providing details that allow them to access a network.
- Internet of Things (IoT) Attacks. Devices such as smartwatches, video conferencing systems or heating and ventilation systems are targeted because they often connect to a company’s network.
Even simple actions can help, such as changing the default username and password on network and IoT devices, including firewalls, routers, and wireless access points. Ensure that industrial control systems are segmented or air-gapped from corporate networks.
It’s also important to back up critical data, make sure that offline copies exist, and that the backups can be used to restore systems. To help prevent attacks, keep your antivirus and system software updated through frequent patching.
The first step to protecting data is to identify the type of data your company touches by taking inventory and categorizing data. Determine how that data is stored and moves through your network. Next, identify those who have access to sensitive data. After data is identified, perform a risk assessment to identify threats and vulnerabilities to the assets.
Once you’ve identified assets, protect data by using logical and physical access controls. Logical access controls validate that personnel have been assigned access to systems and data based on job responsibilities.
Additional protection methods include the following:
- Encrypting data at rest and in transit
- Establishing controls around data lifecycle management
- Employing change management controls for software and hardware
- Confirming that systems are fully patched and that default usernames and passwords have been changed
You’ll also want to provide security awareness training to employees. Those with access or privileged rights to sensitive information should be trained to spot and appropriately question or respond to suspicious requests, even if they appear to come from legitimate sources.
You should also continually monitor the activities of third-party service providers, such as cloud and software-as-a-service (SaaS) operators, who come into contact with your sensitive data.
Even if you feel data is protected, methods should be put in place to identify malicious activity on your network. Detection controls are critical because they can provide real-time alerts once exceptions are noted.
Security information and event management (SIEM) products will centralize the logs from all devices on the network, provide intelligence and correlation of events, and alert you when a malicious event is triggered.
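The value of centralizing logs is that a pattern invisible on any single device becomes obvious once events from several hosts are lined up by time and source. The following added example (not code from the original article or from any SIEM product) shows the idea on constructed SSH log lines from two hosts: each host alone sees only two or three failed logins, but the correlated view shows one source address failing repeatedly across both hosts and then succeeding, which is the condition that raises an alert. The log format, host names and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from two hosts, as they would arrive at a
# central collector. The format is hypothetical, not any vendor's.
SAMPLE_LOGS = """\
2024-01-15T09:00:01Z web01 sshd: Failed password for admin from 203.0.113.7
2024-01-15T09:00:03Z web01 sshd: Failed password for admin from 203.0.113.7
2024-01-15T09:00:05Z db01 sshd: Failed password for root from 203.0.113.7
2024-01-15T09:00:07Z db01 sshd: Failed password for root from 203.0.113.7
2024-01-15T09:00:09Z db01 sshd: Failed password for root from 203.0.113.7
2024-01-15T09:00:20Z db01 sshd: Accepted password for root from 203.0.113.7
2024-01-15T09:05:00Z web01 sshd: Accepted password for deploy from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(log_text):
    """Normalize raw lines into event dicts; lines that don't match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def correlate(events, threshold=4, window=timedelta(minutes=5)):
    """Correlation rule: a source address that accumulates `threshold` failed
    logins across ANY hosts within `window` and then succeeds anywhere
    produces one alert. Per-host counting would miss this pattern."""
    failures = defaultdict(list)  # src address -> [(timestamp, host), ...]
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["outcome"] == "Failed":
            failures[src].append((ev["ts"], ev["host"]))
            continue
        # A successful login: look back over this source's recent failures.
        recent = [(t, h) for t, h in failures[src] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({
                "ts": ev["ts"],
                "src": src,
                "user": ev["user"],
                "host": ev["host"],
                "failures": len(recent),
                "hosts_probed": sorted({h for _, h in recent}),
            })
    return alerts


def run(log_text=SAMPLE_LOGS):
    """Parse and correlate; returns the list of alerts for the sample."""
    return correlate(parse(log_text))


if __name__ == "__main__":
    for a in run():
        print(f"ALERT {a['ts'].isoformat()} {a['src']} -> {a['user']}@{a['host']} "
              f"after {a['failures']} failures across {a['hosts_probed']}")
```

On the sample, the rule fires once: 203.0.113.7 fails five times across web01 and db01 and then logs in to db01 as root; the routine deploy login from 198.51.100.4 has no preceding failures and stays quiet. The threshold and window are the knobs a SIEM analyst tunes to trade false positives against missed activity.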
Other methods of detection controls include the following:
- User access reviews to detect issues related to segregation of duties
- A vulnerability management program, including vulnerability scanning and penetration testing, to identify vulnerabilities and system weaknesses
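A user access review is more than a signature on a list of accounts: the reviewer compares who holds which entitlements against a set of role combinations that no single person should hold, and against the current staff roster. The following added example (not code from the original article or from any review tool) does both checks on a constructed entitlement export. The user names, role names and toxic-combination matrix are assumptions made for the example; in practice the matrix comes from the finance and IT control owners.

```python
from itertools import combinations

# Constructed entitlement export: user -> set of application roles.
ENTITLEMENTS = {
    "alice": {"ap.create_vendor", "ap.enter_invoice"},
    "bob":   {"ap.create_vendor", "ap.approve_payment"},
    "carol": {"hr.edit_payroll", "hr.approve_payroll"},
    "dave":  {"it.admin", "it.audit_log_admin"},
    "erin":  {"ap.approve_payment"},
}

# Constructed HR roster of active staff; dave has left but still has an account.
ACTIVE_STAFF = {"alice", "bob", "carol", "erin"}

# Segregation-of-duties rules: pairs of roles one person must not hold together,
# with the reason the combination is risky. Constructed for the example.
SOD_RULES = {
    frozenset({"ap.create_vendor", "ap.approve_payment"}):
        "could create a fictitious vendor and approve payments to it",
    frozenset({"hr.edit_payroll", "hr.approve_payroll"}):
        "could change and approve their own payroll",
    frozenset({"it.admin", "it.audit_log_admin"}):
        "could remove the audit trail of their own admin actions",
}


def find_sod_violations(entitlements, rules):
    """Return [(user, role_a, role_b, reason)] for every toxic pair a user holds.
    Roles are compared as unordered pairs, so rule order does not matter."""
    violations = []
    for user, roles in sorted(entitlements.items()):
        for pair in combinations(sorted(roles), 2):
            reason = rules.get(frozenset(pair))
            if reason:
                violations.append((user, pair[0], pair[1], reason))
    return violations


def find_orphaned_accounts(entitlements, active_staff):
    """Accounts with entitlements whose owner is no longer on the staff roster."""
    return sorted(user for user in entitlements if user not in active_staff)


def review(entitlements=ENTITLEMENTS, active_staff=ACTIVE_STAFF, rules=SOD_RULES):
    """Run both checks and return a report the reviewer can act on."""
    return {
        "sod_violations": find_sod_violations(entitlements, rules),
        "orphaned_accounts": find_orphaned_accounts(entitlements, active_staff),
    }


if __name__ == "__main__":
    report = review()
    for user, a, b, reason in report["sod_violations"]:
        print(f"SoD: {user} holds {a} and {b}: {reason}")
    for user in report["orphaned_accounts"]:
        print(f"Orphaned account: {user}")
```

On the sample data the review flags bob, carol and dave for toxic role pairs and flags dave's account as orphaned; alice and erin pass. Running this against each quarterly export turns the review into a repeatable control rather than a one-off inspection.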
Swift Reactions to a Breach
In the event of a breach, it’s important to have incident response and disaster recovery plans ready so you can react as quickly as possible. A response plan helps contain and mitigate incidents, while a disaster recovery plan helps restore operations in a timely manner.
As part of these plans, you’ll want to identify roles and responsibilities for various personnel. Both plans should be updated and tested at least annually.
Protecting your data requires constant vigilance. Seeking the support of a trusted professional advisor who specializes in cybersecurity can help you set up protective systems and continuously monitor and protect your most valuable information.
Troy Hawes has been providing IT consulting services since 2001. At Moss Adams, Troy serves clients in a variety of industries including communications and media, utilities and critical infrastructure, health care, and higher education. He can be reached at (206) 302-6529 or [email protected].
Jon King is a manager for Moss Adams IT Consulting Services. He has more than 12 years of experience managing technical infrastructure systems and advising senior leadership on security policy and practices. He can be reached at (949) 221-4062 or [email protected].
Assurance, tax and consulting offered through Moss Adams LLP. Investment advisory services offered through Moss Adams Wealth Advisors LLC. Investment banking offered through Moss Adams Capital LLC.