Contributed by Edwin Doyle, Global Security Strategist, Check Point Software.
Another company falls victim to ransomware, but as these attacks become more sophisticated, threat actors are data mining their victims to find other vulnerable companies within their supply chains. Who you do business with carries ever-increasing risk if their cyber security isn't up to standard.
US-based Gyrodata, a 40-year-old energy services company working with critical infrastructure, suffered a ransomware attack and the potential loss of sensitive information belonging to current and former employees, as well as to organizations within its supply chain.
There were over 1000 cases of data breaches in the US in 2020, exposing over 764mn records. This was no freak occurrence: data breaches have been trending upward for the past 15 years. Nor were the successful attacks limited to small businesses; those affected included Microsoft (280mn+ records), Estee Lauder (440mn records), MGM Resorts (10.6mn+ guests), and other leading brands.
So what do these figures mean if you're a customer or supplier of a business, small or large? They mean you should be mindful of what data of yours the business stores and what measures are in place to protect it. Here are some things to look for when evaluating a company's level of data protection:
- Cyber security Policy
A well-known and clearly defined cyber security policy is the first indication that a company is serious about data protection. It means that employees have standard operating procedures to follow under normal circumstances and during unusual events, such as a data breach. The more detailed the policy, the better. For instance, a good policy is one in which each department receives cyber security training tailored to its specific requirements.
- Two-Factor Authentication
Research shows that many working adults use the same one or two passwords for all of their accounts. This is a cyber security issue, especially if that password is weak or generic. Two-factor authentication protects employee accounts better because the password is only part of the required information; the other piece is usually a code sent to the employee's mobile phone.
- SSL Protection
SSL (Secure Sockets Layer) is the standard for encryption between a web server and a browser. If you make online transactions with the company, make sure its website has an SSL certificate: a site using SSL shows HTTPS at the beginning of its web address.
- Cyber security Training
Ensuring the security of the company is a team effort that requires the participation of employees at all levels. A cyber security policy and security software and solutions only pay dividends if employees are receptive to these measures.
The company should offer cyber awareness training to all employees. Initial and recurring training is an indication that the company takes cyber security seriously.
Research shows that most organizations in the U.S. arrange cyber security classes at least once per year; this should increase to at least weekly cyber hygiene updates to build muscle memory into employees' online behavior. Also, 50% of big organizations (10,000+ workers) spend at least $1 million on security every year. But the quality of the information is just as important as the quantity. If you're dealing with a business that doesn't provide the right training, or any training at all, here are some training-related suggestions to make to that business.
Employees should be trained to keep an information inventory. Cloud storage and portable devices such as USB drives and laptops make it easy to store information, but they also increase the risk of data falling into the wrong hands. To avoid mishaps, employees should be trained to store customer and other company data in secure locations and to keep track of where they have stored it.
These days, many companies have a Bring Your Own Device (BYOD) policy: employees can connect their personal devices to the company's networks and systems. While this may reduce the learning curve and the cost of licensing and maintaining software and hardware, it also creates security challenges. A personal device that is stolen can lead to a data breach. Another scenario is an employee who leaves the company and takes their clients with them.
Cyber security training should cover the importance of using security software on personal devices and of reporting missing or stolen devices as soon as possible.