Cybersecurity: Will Organizations Ever be Safe from the Denizens of the Dark Web?

Global Aerospace Editorial Team, February 13, 2019

THE SOLUTION starts with understanding how a cybercriminal thinks. A hacker looks at an organization’s use of technology and finds weaknesses they can exploit. Thus, any use of technology is fair game. The initial response is one that has been popular for millennia: build a defensive perimeter and sit safely behind it.

As the threat level increases, replace wooden stockades with stone castles, and so on. In the modern day, organizations strengthen technology perimeters with firewalls, secure websites with strong passwords and dual-factor authentication, and protect employees with anti-phishing software and by preventing access to sites of a dubious nature.

A Proactive Approach to Cybersecurity

IN THE MODERN DAY, castles are obsolete, either ruined or converted to stately homes. What of the approach to cybersecurity? While no one proposes that organizations abandon their perimeter defenses, they need to look both inside and outside them for weaknesses that criminals can target and exploit.

No castle ever proved to be impregnable, and this may be equally true of cyber defenses. Companies should assume that someone will break in at some time. Once this point is conceded, it follows that they should invest in detecting breaches and in implementing measures to slow down and thwart infiltrators. Without detection technology in place, a breach can go unnoticed for many years, as recently evidenced by one hotel’s discovery that its guest reservation database had been exploited for the last four years.

In the Middle Ages, travel between castles was always hazardous, and so it is in the digital world. Data in transit needs to be made secure, whether it’s traveling by email, mobile device or memory stick.

Data Security Requires Diligent Partners

It’s impossible to do business without sharing data with third parties, but can organizations afford to simply trust that they will take good care of it? Companies assess suppliers on how well they perform their services. Should businesses not also consider how well their data is being protected?

Businesses have evolved beyond the use of simple websites, into the use of digital platforms and cloud solutions. These technologies often rely on software from a variety of suppliers. How can companies be sure that none of the suppliers have had their code compromised? One airline’s recent cyber-attack provides an example of how much damage the insertion of 20 lines of malicious code can do.

Controlling what happens in the outside world can be a daunting task. The temptation is to say, “No data leaves this organization without an armed escort!” Fortunately, the answer is to do what businesses have always done when faced with a threat to the way they operate: make an assessment of the risks faced and implement protective measures proportional to the level of exposure.

THIS IS A WELL-ESTABLISHED APPROACH for dealing with financial risk: check credit ratings, put cash under lock and key, put mechanisms in place to detect fraud, encourage staff to report suspicious behavior, and so on. Businesses need to evaluate cyber risks in a similar way and ensure they operate in a way that minimizes exposure to cybercrime. This requires a whole-company approach. The cybersecurity specialists in the IT department can’t do this by themselves, but need to work closely with the rest of the business. An organization working together is always stronger than the sum of its parts, and this is as true in the fight against cybercrime as it is in any other business endeavor.

Meeting High Standards for Cybersecurity

In preparing to fight against cybercrime, it helps to have clear guidance on where activities should be focused. Fortunately, the New York Department of Financial Services recently introduced a first-in-the-nation cybersecurity regulation. This requires companies to take a risk-based approach to IT security and governance to minimize the threat of cybercrime. It is a good standard, and one that all companies would be wise to meet.

COMPANIES MUST CONTINUE TO EVALUATE their cyber exposure and to invest in technology, training and awareness to keep customers’ data safe. As the technology continues to evolve, so must an organization’s approach to combating cybercrime. It can be a costly business but no CEO wants to be in the position of one airline executive who had to explain to customers and the media how details of 9.4 million customers were leaked. Reputation is everything in business and its loss can be rapid following a cyber breach. How much an organization values its reputation should be reflected in how much it invests in managing its cybersecurity.