
Making cybersecurity an asset in your business

Cybersecurity is “mission critical” because of its profound effects across a business. In some industries, it means everything. And for C-level tech executives, cybersecurity can make or break a career.

So, it’s surprising to see how many businesses aren’t prepared for attacks.

According to the Hiscox 2018 Cyber Readiness Report, 70 percent of U.S. companies aren’t ready for an attack. Clearly, cybersecurity is more liability than asset for many companies.

However, that can change. Cybersecurity can become a strength at your business.

Correct the blind spots

First off, protection is not absolute. Businesses spend millions on cybersecurity, and attacks still occur. The defensive efforts undoubtedly help, but hacks happen.

So, organizations must be proactive in protection and nimble enough to detect incidents and respond quickly. If not, they could find themselves out of business.

But in practice, cybersecurity is a blind spot for many businesses. They aren’t ready, and it’s evident in their tools, policies and organizational behaviors.

Most businesses do some things to protect themselves and respond to events. But those efforts are grossly underpowered for what could happen.

Highest stakes

If cybersecurity goes wrong, severe reputational and operational harm can ensue.

Too often, businesses are lulled into believing they’re not vulnerable, or they’ve had near misses and avoided repercussions. So, they’re unwilling to invest in cybersecurity protections.

But if a severe attack occurred, the investment in information technology (IT) security may seem negligible compared to the financial losses absorbed. And while difficult to quantify, reputational harm can be even more punitive because it’s longstanding. Ultimately, a big enough hit can sink a business.

However, when cybersecurity goes right, it’s a strength.

In banking and government, cybersecurity is institutionalized throughout people and practices. Yes, attacks still happen. However, an infrastructure exists to handle them. And more issues are avoided or handled than we hear about in the news.

Effective security programs

What does effective security look like?

It starts with people. They interact with the technology, so they should be the frontline of cybersecurity. Supporting people should be policies, tools and behaviors. These protocols should be in use constantly, maintained regularly and reviewed often.

Policies

Used to inform and guide, policies should cover everything from everyday use to crisis reaction measures. Here are some policies every business needs:

| Policy | Benefit |
| --- | --- |
| Security | Outlines proper IT security measures |
| Acceptable use | Dictates acceptable technology use |
| Data protection | Sets rules around company data, its use and safety |
| Response plan | Details how to recover from IT breaches |
| Business continuity plan | Identifies operational contingencies in the event of an attack |

Technology

The hardware and software that protect data and communications are the “blocking and tackling” of cybersecurity. They’re employed at some level by nearly all organizations, including these “must have” technologies:

| Technology | Benefit |
| --- | --- |
| Firewall | Allow only acceptable network activity, prevent unauthorized access |
| Nightly backup | Safely maintain copies of current data |
| Filtering | Remove spam and unwanted content |
| Anti-virus | Keep technology safe, operational and free from malware |

Advanced practices, known as “managed security services,” offer a higher level of cybersecurity. They’re often provided by a dedicated outside cybersecurity partner.

| Managed security services | Benefit |
| --- | --- |
| Phishing testing | Detect and respond to fraudulent access attempts |
| User awareness training | Educate on best practices |
| Dark web scanning | Monitor and detect illicit use of company data |
| Intrusion detection | Secure network connections |
| DNS layer protection | Filter unwanted content and network activity |
| Advanced endpoint security | Automatically detect, stop and recover from attacks |
| Security information and event management (SIEM) | Real-time analysis of security infrastructure for quick response and recovery |

Best practices

Again, cybersecurity starts with people. Diligent users and an alert, proactive IT team promote good overall security.

On the technology side, regular maintenance and cybersecurity infrastructure assessments are vital. That means ongoing patching and security log monitoring, as well as less-frequent macro-level analysis.

For instance, conduct an IT risk assessment every year. If a big change occurs — a new location or an acquisition, for example — do an assessment then. Any big variation can alter your security posture and introduce new risks.

Published in Cybersecurity