Managing Cyber Risk

Jun 4, 2020 | Blog

According to industry experts, cybercrime is on the rise and it’s costing businesses across North America dearly in terms of monetary impact, business disruption, diminished reputation, customer loss and potential legal damages. Cyber criminals are creative, persistent and patient as they look for vulnerabilities in computer networks to breach your company’s computer security.

Cyber attacks represent a leading risk to all organizations and can target computer information systems, infrastructure, computer networks or personal computer devices, using myriad tactics to compromise your operations and cause serious disruption. Despite the increasing risks, many senior decision makers believe they are unlikely to be targeted and, moreover, don’t have a cyber protection plan in place. How can your organization protect itself?

1. STAY CURRENT. Make sure you’re aware of the current threats. Some of the most common include:

Adware: software that displays ads on your computer and comes with free tools installed by undesirable sources.

Malware: software that is designed to cause damage to a computer, server or computer network. These types of attacks can include spyware and remote administration malware, which give attackers access to everything done on your device, including login credentials and sensitive personal or business data.

Ransomware: a type of malware that locks your device or holds your data for ransom until the attacker receives payment to return it to you.

Social engineering attacks: this tactic relies on manipulating people to gain information that can be used later to get into private protected systems or networks (often executed using phishing) in order to steal money or financial data.

Phishing: a prevalent tactic that uses emails, text messages and websites that appear to be from trusted sources in an attempt to collect personal, financial and other sensitive information such as credit card or bank account details. Messages may include links to illegitimate websites or attachments that load malware onto your computer.

Web attacks: hackers may attack vulnerabilities in websites, giving them the opportunity to steal customers’ information such as medical records, personal data, or credit card information.

Flood attacks: networks are ‘flooded’ with traffic, leading to service failure and inaccessibility for valid users or employees, and are held for ransom.

 

2. TAKE OWNERSHIP. Ensure you’re clear that cybersecurity is not an issue for your IT team alone to manage. It belongs to the senior leadership team in tandem with your IT personnel and everyone else in your organization. Any employee or system could prove to be the weak link leading to an attack, so it’s important to take a multi-faceted, holistic approach to cybersecurity. Experts point to best practices most of us should consider:

  • Daily data and file backups that can be retrieved in case your information is held for ransom
  • Retrieve backed-up data as if you needed it, to ensure it’s actually accessible and intact
  • Install and regularly update anti-virus, network firewall, and information encryption tools
  • Have a schedule to regularly monitor and scan any device connected to a computer system or network
  • Don’t allow USB drives to be used in company computers
  • Ensure your teams are given regular training on cybercrime and show how easily we can all be duped
  • Allow employees to access only the specific information and folders that they need for their job
  • Hold ‘fire drills’ and tests to see if employees know how to spot a scam, particularly ‘phishing’ emails, and regularly test networks and applications for vulnerabilities
  • Ensure employees’ passwords are secure and you know who has access to them
  • Consider whether or not your organization has the internal expertise to protect your IT infrastructure or whether you need to tap an expert for customized solutions

 

3. HAVE A PLAN. Your organization should have a cybercrime prevention plan in place…now. Treat protecting your organization from cybercrime the same way you treat protecting it from fire, theft or other situations. Today, it’s table stakes. Planning ahead is the best way to survive a breach, since no organization wants to find itself negotiating with a criminal to release its systems and information while the business hangs in the balance. According to the PwC 2018 Global Economic Crime and Fraud Survey, 49% of global organizations say they’ve experienced economic crime in the past two years and of the remaining 51%, a certain percentage don’t even know they’ve fallen victim. Here are some of the key elements of a cyber protection plan:

Identify
Conduct a vulnerability and risk assessment and identify your digital assets, stored data and intellectual property.

Assess
Determine the likelihood of risk exposure, and the security and safety impact of exploited vulnerabilities.

Safeguard
Protect your organization by undertaking best practices and implementing appropriate policies, procedures and employee training.

Observe
Detect a breach when it occurs by proactive and ongoing monitoring of your IT infrastructure.

Respond
Follow your incident response plan upon discovery of a breach to mitigate risk and initiate communications.

Recover
Implement your business continuity and disaster recovery plan, manage communications, and amend the plan for the future.

 

Dealing with cyber threats is a complex challenge, and it varies by business and sector. Managing cybersecurity risk is critical for every organization and should be incorporated into the overall risk management landscape. Staying one step ahead of cyber criminals and their evolving tactics requires an ongoing commitment and an integrated plan including people, processes and technology. Despite the risks, many companies are slow to identify their vulnerabilities and develop a risk mitigation strategy and roadmap for the future. Don’t be one of them!