The number and scale of hacking attacks continues to grow exponentially, with cybersecurity trying to leapfrog ahead of increasingly sophisticated attacker techniques. Companies like yours are realizing how vulnerable they really are, even if the hackers are three guys in a basement halfway around the world. There’s nothing you can do that will make you totally safe, but you can certainly take action to improve your odds.
Businesses are under assault like never before from hackers. An estimated 43% of businesses (almost half!) incurred cybersecurity breaches within the last 12 months. Even more alarming is a revelation in Ponemon Institute’s 2018 study for IBM that the average time it takes to identify a data breach is 196 days. That’s more than six months!
Cybercrime is metastasizing for the same reason online services have become so popular: increasingly accessible technology. Hacking is easier than ever thanks to the ever-growing number of online targets and proliferation of off-the-shelf attack software available across the dark web. The shrewdest crooks are selling turnkey hacking tools to criminal wannabes.
Improving your company’s digital resilience to cybercrime involves a multi-faceted approach along three major fronts:
1) Protecting Your Family Jewels
The personal and financial info you have in your databases is crack for criminals, which has led entrepreneurs to devise a dizzying array of options for defending against cyberattacks, data breaches, proprietary information loss and basic denial-of-service attacks.
Proactive security solutions (patching systems or running anti-virus software on endpoints) can fix vulnerable code and stop viruses or malware from infecting your systems. Make sure you install these software updates promptly. It’s also a good idea to reevaluate anti-virus and firewall offerings every year given the flood of new technologies coming to market (like intelligent firewalls that use AI to enhance machine learning and thwart intruders).
To prevent ransomware from interrupting access to records and payment systems, make sure your system backup/restore plans are bulletproof. And be sure to verify your offsite storage vendor has adequate security measure and encrypts your data as well. The Financial Industry Regulatory Authority (FINRA) has a definitive cybersecurity checklist on its website – it’s a great planning resource.
Good password hygiene and two-factor authentication will help combat fraudsters who hack login credentials or buy the data breaches of business and consumer email accounts from the dark web. As more data is stored in the cloud, restrictive data permissions take on added importance. Limit the information you share with vendors and suppliers as much as possible.
2) Defending Your Digital Flanks
As your IT infrastructure distributes more processing outside the central computer room, more attention should be paid to every end-point in the network. Take your POS terminals, for example. How often are they inspected to prevent tampering? Are you employing end-to-end data encryption and virtual private networks to keep financial transaction data from being pilfered? If you accept mobile payments, are you using a dedicated (versus a multi-purpose) device to mitigate risks? It all adds up.
Speaking of mobile devices, smartphones have become central to our lives, which makes them glitter like gold to fraudsters. About 60% of fraud now comes from mobile devices. Smartphones can be infected any number of ways – malware embedded in a downloaded app, email/text phishing schemes, etc. Once a cyber criminal has access to your mobile device, all of the apps that make it easy for you to buy things make it easy for someone else to do the same.
One of the best ways to gain insights into hackers’ evolving tactics is to follow announcements from the Black Hat and DEF CON security conferences. Every August, these twin hacker cons cover a vast range of hacking research and are good predictors of new trends emerging in the cybercrime communities.
Right now, there are three big trends to watch: Over the next few years, we can expect to see more sophisticated attacks targeting smartphones, internet of things devices (which roll off assembly lines with weak, if any, built-in security) and voice-based systems (Amazon Echo, for example). These will be harder to defend against, so it’s important to recognize the vulnerabilities inherent in these devices. One more thing to keep in mind: The majority of smart devices are connected via external networks. If the router you’re using doesn’t have decent security protection, you could be open to cyberattacks.
3) Circling The Employee Wagons
Most hacking attacks are waged one of two ways, neither of which involves a high level of technical sophistication: An employee clicks on a phishing email link (a 2018 Verizon report estimates a whopping 30% of phishing emails in the U.S. are opened), or someone steals an employee’s login credentials and gets access to the company network.
Training your employees to know what to look for is VITAL for maintaining the security of your IT systems and data. And not just with phishing schemes. Email, text and live chats with customers can also be hacked – employees should never be sharing confidential or credential info on these platforms. This kind of training isn’t a one-time thing you do with new-hires. It’s an “all the time for everyone” thing that far too few companies are actually doing.
Ensuring employees follow protective password practices, use secure internet connections, don’t share confidential personal info online, etc., needs to extend beyond office cubical walls, too. Malware can easily be transported from an infected home computer or cell phone to your company network via flash drives, Dropbox and emails.
Companies that once thought they could defend themselves against this cyber onslaught are now realizing that resistance is, if not futile, certainly a wager where the odds are not stacked in their favor. Which is why having reactive plans in place to manage incidents as they arise is every bit as important as proactive plans to detect and deflect intruders.
CISO to the Rescue
There’s a chasm within companies between the awareness of cyber threats and the readiness to address them. A recent IBM/Ponemon survey of 2,400 security and IT professionals found that 75% don’t have a formal cybersecurity incident response plan across their organization.
The key to handling cybersecurity incidents – everything from a data breach to a stolen laptop – is having a clear communication strategy and chain of command. When an incident occurs, there’s no room for confusion about who’s in charge. Which is why Chief Information Security Officers (CISO) are possibly the hottest jobs in the C-suite today.
Smart companies treat hacking threats like other existential risks to their business (recessions, terrorist attacks, natural disasters, etc.) and plan accordingly. Having an empowered CISO onboard is pivotal in maintaining readiness.
You are – and will continue to be – a prime target for hackers, because you have information that’s worth its weight in Bitcoins on the black market. Given how central IT integrity and data security are in the resort casino industry, it’s hard to imagine how a company could ever be accused of investing too much in cybersecurity.
Op/ed column submitted by Ann Nygren, President of Key Consulting Software. KCS is an IT consulting company focused on gaming and hospitality applications ranging from Agilysys (LMS/Stratton Warren/Infogenesis), Infinium (AM, AR, FA, GL, GT, HR, IR, PA, PL, PY, TR), Bally’s (CMS, CMP, ACSC & SDS), and interfaces with Aristocrat, IGT and Micros to Transitioning properties during purchase, sales, or merging of properties. KCS provides IT Departments with assistance in installation & upgrades, customization, interfacing and creation of unique client-specific software. Ann can be reached at firstname.lastname@example.org.