Cybersecurity is often described as a 360-degree threat. That term refers to the fact that cyberattacks can come from any direction, in hundreds of different forms — many of them unfamiliar and unexpected.
At this point, it’s unrealistic to expect 360-degree protection. The cybersecurity landscape changes too quickly as hackers adopt new techniques. Last year Cisco’s annual cybersecurity report went so far as to describe adversaries striking an organization as inevitable and recommended ways to reduce rather than eliminate risks. That’s because security breaches are becoming commonplace for businesses, and while you cannot eliminate all cyberthreats, you can minimize the damage.
When companies must literally guard against every angle at once, risks inevitably get overlooked. No company wants to leave itself exposed. But with hackers using every resource to disguise their attacks and exploit unknown loopholes, it’s almost impossible to be perfectly protected.
For most, cybersecurity is urgent yet incomplete
Companies should identify the most glaring oversights in their existing cybersecurity strategy and direct their resources there. Hackers typically target low-hanging fruit, that is, assets that have few or no cyber protections in place. Therefore, any amount of additional security is a powerful deterrent even if it doesn’t provide ironclad protection. The focus needs to be on expanding protections broadly instead of deeply.
According to a recent U.K. government study, 78% of businesses consider cybersecurity to be a high priority. Despite that consensus, it can often be a struggle to get leadership to authorize the time, staff, and resources necessary to enhance protections. That attitude is shortsighted given the likelihood of an attack and the damage (both financial and reputational) that can follow.
The first step to stronger cybersecurity is to address the risks that most often go overlooked. The vulnerabilities they pose are consequential, but for various reasons, they tend to be downplayed. Instead of accepting those risks, extend your cybersecurity efforts to strengthen these three areas.
1. Your people
Your employees are the front line of your company’s cybersecurity. If they are not trained on how to identify and respond to threats, they will accidentally enable them instead of defending against them. “Your employees play a key role in ensuring the security of your computers and networks, because they are the people using them every day,” explains Shahmeer Amir, an ethical hacker and cybersecurity researcher. “So it’s crucial that they understand their roles and responsibilities in protecting sensitive data and your business resources.”
At the very least, company-wide cybersecurity training should address best practices all users need to follow. That includes avoiding unsafe downloads, using strong passwords, backing up important information, and recognizing phishing attempts. Proper practices should be detailed in company policies, then reinforced through your onboarding procedures and ongoing training.
Educate your team on the vital importance of good cyber hygiene habits. For instance, you could have a quarterly tech housecleaning day when you encourage your team to do things like update applications because old versions can contain loopholes for hackers. It may also be a good practice to test your systems and policies from time to time to identify your company’s vulnerabilities. Testing gives you an idea of what resources and education your team needs most regarding various areas of cybersecurity. When education efforts are done well, your employees can become the linchpin of your cybersecurity strategy.
2. Employees’ personal devices
Mobile devices like smartphones and tablets are now essential business tools, which is why a lot of employees bring their own devices to work. The problem is that each of these devices becomes a repository of sensitive company information subject to few if any cyber protections. Hackers know this and have been developing more techniques to gain access to smartphones, such as SMS phishing and using false sites to collect user data when someone is using a mobile device.
In addition, Symantec’s Internet Security Threat Report last year noted a 54% increase in the number of new malware variants for mobile devices. Still, employees can use their own devices to boost their productivity without compromising the company’s cyber protections. For example, to improve security in a bring-your-own-device (BYOD) environment, FNBC Bank worked with email encryption provider Zix to provide its employees with an app that allows them to access corporate email accounts through a secure portal.
“Before, if employees were to leave the company, they had to give their personal phone to the IT department to have it wiped. They would lose all their contacts, photos, and personal information,” notes Heather Bogard, the bank’s security officer. Instead, if security becomes an issue for any reason, administrators can simply disable the app. This can only help. After all, if a device is compromised or falls into the wrong hands, it could provide hackers with a treasure trove of your company’s information.
3. Unsecured connected devices of all kinds
Cybersecurity concerns now apply to a wide range of connected devices — everything from industrial control systems to “smart” home speakers. These devices themselves may not be particularly valuable targets, but each one potentially offers access to the company’s broader network and all the data within. Remember, for instance, that the 2013 Target data breach began when hackers filched login credentials to an internet-connected HVAC system. Eventually, they stole data on 41 million Target shoppers.
With more connected devices coming online all the time, both at work and at home, hackers are finding a lot of new entry points. Lessons from both the previous points apply here. Adopting policies and best practices helps ensure that remote workers are not, for example, sharing company information on public Wi-Fi networks and that they have passwords set up on their smart home devices when working remotely. Disabling Universal Plug and Play (UPnP) on IoT devices in your office or the homes of remote employees can further protect your network. That feature allows IoT gadgets to more easily find and connect with other devices. By disabling it, you create another barrier for hackers looking to gain access.
Working through virtual private networks (VPNs) can also eliminate a lot of these concerns. That’s because a VPN places a barrier between personal content and work information on your employees’ personal devices. Endpoint security in the form of firewalls and antivirus filters is likewise important because if apps have security measures installed, they provide a last line of defense against vulnerabilities in the network.
Overlooked cyber risks are like windows left open or doors kept unlocked — entirely foreseeable and generally preventable threats to a company. Once you’ve addressed these risks, your cybersecurity will come a lot closer to all-encompassing.
Published August 21, 2019 — 17:18 UTC