Effective cybersecurity demands organization-wide commitment
The role of IT in both the public and private sectors has evolved dramatically in recent years. Arguably the single most significant development has been the expansion of IT application use, and reliance on it, among individuals throughout an organization. Driven by the advent of cloud computing and mobile technology, services that were previously limited to the IT department are now essentially universal, making entities more efficient, productive and capable.
As positive as these developments have been, there's a major drawback: the growing risk of cyberattacks and data breaches. The more widespread IT technology and data have become, the greater the chances that an organization will experience a cybersecurity incident. With both internal and external threats becoming increasingly common and dangerous, organizations need to adopt robust cybersecurity policies and strategies. One of the most important aspects of successful efforts in this area is ensuring that cybersecurity is an organization-wide issue. Often, though, firms come up short in this regard, suggesting the need for third-party assistance.
"Many continue to underestimate just how effective and damaging hackers can be."
There is a growing awareness of the threat that external cybercriminals and cyberattacks pose to public and private sector organizations, but many continue to underestimate just how effective and damaging such hackers can be.
A noteworthy example highlighting this danger is the Anthem data breach. Hackers were able to access Anthem's database, compromising as many as 80 million current and former customers and staff members' records in the process. The information stolen included names, Social Security numbers, income data and more. This represents one of the largest health care-related data breaches in history. Speaking to the St. Louis Business Journal, industry expert Dan Nelson estimated that Anthem will ultimately incur costs of between $100 and $200 per record, with total damages of $8 billion to $16 billion.
In this instance, the primary cause of the breach was a lack of encryption, along with a stolen employee password, The Wall Street Journal reported. The source explained that in many cases health care providers are not required by law to encrypt such data. Encryption can prove both costly and inconvenient in terms of employees' day-to-day responsibilities, and so a large number decide not to invest in such efforts.
This incident demonstrates that even one of the country's largest insurers, which regularly handles and stores sensitive information, can be targeted by cyberattackers if it does not make cybersecurity a priority. Such efforts need to start at the top – executives must understand the risks that cyberthreats pose – but they must also continue throughout the organization. After all, employee resistance to the inconvenience of cybersecurity protocols was likely a major factor that dissuaded Anthem from investing in these tools, and it was a stolen employee password that served as the immediate catalyst for the breach.
This leads to the question of insider threats. Far too often, organization leaders overlook or undervalue the significance of these threats, but effective cybersecurity efforts need to address and account for the potential damage insiders can do.
There are many examples demonstrating this threat, but perhaps the most significant is the billion-dollar string of thefts from 100 major financial institutions based in 30 different nations, including the United States and Russia. Detected and reported by Kaspersky Lab, these attacks began in 2013 and continued until 2015. The cybercrime group responsible used a variety of methods to obtain its targeted funds, including gaining control of ATMs and rerouting funds to its own accounts. In all of these cases, though, the thefts were possible thanks to poor cybersecurity behavior among employees. The cyberattackers used spear-phishing tactics to trick personnel into opening malware-laden emails, which granted the cyberthieves access to the financial firms' systems.
"Automated defenses must be supplemented by best practices and a commitment to cybersecurity at every level."
From banks to insurers to government agencies and multi-national corporations, the rule for effective cybersecurity remains the same: It must be universal. Automated defenses need to be in place, but they must be supplemented by best practices and a commitment to cybersecurity at every level. This makes cybersecurity education and training essential for every employee, not just IT professionals. Additionally, information assurance needs to be prioritized in order to limit the potential opportunities for data loss or exposure. Building information assurance and cybersecurity into every level of the organization is the only way to truly protect entities of all kinds from both internal and external threats.
To this end, third-party assistance will often prove critical. Many organizations simply lack the resources or expertise to design, deploy and maintain all of the various components of a successful cybersecurity effort. They need guidance, oversight and hands-on training. By choosing the right cybersecurity and information assurance services provider, any organization, regardless of its size or sector, can immediately and substantially improve its defensive posture. To reach this point, though, leaders need to recognize the true value of such defenses.