Contributed by Edwin Doyle, Global Security Strategist, Check Point Software.
Another company falls victim to ransomware. As these attacks become more sophisticated, threat actors are data mining their victims to find other vulnerable companies within their supply chains. Your business partners can present an ever-increasing level of cyber risk, depending on their adherence to cyber security regulations, guidelines and best practices.
The US-based company, Gyrodata, a 40 year old energy services firm, suffered a ransomware attack and potential loss of sensitive information of current and former employees; as did organizations within their supply chain.
There were over 1,000 cases of data breaches in the US in 2020, exposing over 764 million records. And, this was no freak occurrence; there’s been a trending increase in data breaches in the past 15 years. Also, the successful attacks weren’t limited to small businesses – the affected included globally respected and renowned brands.
So what do these stats mean if you’re a customer/supplier of a small or big business? They mean that you should be mindful of what data of yours is stored by the business and what measures are in place to protect that data. Here are some things to look for when evaluating the level of data protection of a company:
- Cyber security policy. A well-known and clearly defined cyber security policy is the first indication that the company is serious about data protection. It means that employees have standard operating procedures to follow under normal circumstances and unusual events, like a data breach. The more detailed the cyber security policy, the better. For instance, a good policy could be one in which each department has its cyber security training based on its specific requirements.
- Two-factor authentication. Research shows that many working adults use the same one or two passwords for all of their accounts. This can be a cyber security issue, especially if that password is a weak, generic one. Two-factor authentication is a better way to protect employee accounts.
- SSL protection. SSL (Secure Socket Layer) is the standard for encryption between a web server and a browser. If you make online transactions with a given company, then ensure that their website has an SSL certificate: SSL is displayed as HTTPS at the beginning of the webpage’s address.
- Cyber security training. Ensuring the security of the company is a team effort, requiring the participation of all employees, including executives. The benefits of having a cyber security policy and using security software/ solutions can only pay dividends if the employees are receptive to these measures.
Research shows that most organizations in the US host cyber security workshops at least once per year. This should increase to at least weekly cyber hygiene updates to create muscle-memory in employees online behavior. Also, 50% of big organizations (10,000+ workers) spend at least $1 million on security every year. But, the quality of information is just as important. In case you’re dealing with a business that doesn’t provide the right training or any training at all, here are some training-related suggestions to make to said business.
Employees should be trained in keeping an information inventory. Cloud storage and portable devices, like USB drives and laptops, make it easy to store information, but they also increase the risk of data falling into the wrong hands. To avoid any mishaps, employees should be trained in storing customer and other company data in secure locations and keeping track of their storage activities.
These days, many companies have a Bring Your Own Device (BYOD) policy. Employees can connect their personal devices to the company’s networks and systems. While this may reduce the learning curve and costs of licensing and maintaining software/hardware, it can also create security challenges. The use of a personal device may cause a data breach if the device is stolen. Another scenario is where an employee leaves the company and takes the clients with him/her.
The cyber security learning should include the importance of using security software on personal devices and reporting missing/stolen devices ASAP.
For more information about cyber security awareness, click here.