In 2021, Ponemon Institute pegged the average cost of a company data hack at $4.24 million, with lost business the largest contributing factor. Breaches increased by 10% worldwide since 2014, whereas ransomware attacks increased more rapidly. Government fines per record breached can add millions to the toll. No company or individual is completely immune from especially a persistent, targeted attempt to steal your information, but there are lots of things you can do to be sure you’re not the weak link in the firewall.
Would You Rather Pay Before or After a Breach?
In “What Is The Real Cost of a Breach?” David Breg and Rob Sloan of The Wall Street Journal discuss what breaches cost, to give companies the perspective to invest in security before one happens. The Target Corporation hack in 2013 exposed 110 million customer’s private information, along with 40 million credit cards. Target was still paying the costs of the breach years later, between security fixes, legal fees, customer refunds and efforts to repair their brand reputation. Profits dropped 46% in the last quarter of 2013, and the company spent $100 million to upgrade check out registers and another $160 million on various settlements. In total, the breach cost Target $300 million and they were able to recover only $90 million from insurance. The brand damage cost another couple hundreds of millions.
What Is the Real Cost of a Breach?WSJ Video
Investigation found a small business vendor in Target’s supply chain triggered the breach; smaller businesses often make attractive targets for hackers. Large companies like Microsoft spend $1 billion for security to safeguard its assets and devices which poses a formidable challenge to hackers, points out software engineer Martin Casado in “The New Attack Surface Is Your Life.” To develop code to exploit vulnerabilities in secure networks cost hackers between $1 and $2.5 million. However, the cost to hack a Facebook account is $19.99 , or a person’s Gmail is $100, so that’s where many hackers start.
The Cybersecurity PlaybookWiley
Security professional Allison Cerra emphasizes the importance of elevating cybersecurity to a daily concern for companies in The Cybersecurity Playbook. Include it as an agenda item at every meeting and create a budget for it: Better to budget now than pay later. Cybersecurity must become an integral part of company culture. Generally, a Chief Information Security Officer (CISO) will be in charge of a company’s security posture, with support and collaboration from board members and C-suite executives. HR can do much to make employees aware of good cybersecurity hygiene, incentivize best practices and carefully vet new hires from a security standpoint. Companies should develop robust breach response protocols so they’re prepared in case of emergency.
Bad actors want you to deprioritize cybersecurity as a nonstrategic investment. Don’t give them that power.Allison Cerra
The weakest links in your defence may be human. With “phishing” schemes, rather than using code to break into a device or account, a hacker attempts to trick people into giving up their user credentials. You may get an email supposedly from a leader or colleague inviting you to click on a link or download a file, cautions Cerra. In this way, an employee may inadvertently compromise credentials, pave the way for a hacker to gain entrance to a company’s network or inject a computer virus. Another common exploit is for an attacker to pose as a bank or credit card representative and claim to want to clear up fraudulent charges on a user’s account, by verifying credential details. Although most people know not to trust Nigerian princes when they request help getting their money out of the country, Nigerian cybercriminal Oluwaseun Medayedupin was arrested in late 2021 after mining social media accounts for disgruntled employees who might be willing to infect their workplaces with ransomware for a cut of the proceeds.
The New Attack Surface is Your LifeAndreessen Horowitz
A hacker may use a fake ID to convince a person’s carrier to transfer their phone number to a device in the hacker’s control. With that access, the phisher can also access the target’s accounts, verification codes and various credentials. Casado recounts how one hacker joined a cleaning agency to get access to a target’s computer in their home and install malware.
You are a conduit to every organization that you are connected to, so many attacks will start with you in your personal life, and then move to the company.Martin Casado
Complex Technologies Multiply Cyber Risks
Cerra cautions that with each new layer of technology – from mobile to cloud to the Internet of Things – the potential vulnerabilities grow. In 2016, Domain Name System provider Dyn suffered a denial of service attack – where hackers overload and crash a server with bogus requests – which crippled Twitter, Netflix and other massive sites; Dyn was an essential vendor in their supply chain. In this case, bot networks gained access via the connected devices in most people’s homes like DVRs and baby monitors.
Unilever’s Bobby Ford Discusses How to Secure Your Digital BusinessWSJ Video
Chief Information Security Officer for Unilever Bobby Ford oversees data security at 300 manufacturing facilities. Large companies use legacy technologies, especially in manufacturing, that can’t effectively be monitored as part of its operational technologies network. These are exactly the vulnerabilities cybercriminals look for. Even so, as penetration tester Sophie Daniel recounts in “How I Socially Engineer Myself into High Security Facilities,” manipulating employees presents even greater opportunities, especially in highly secured environments.
How I Socially Engineer Myself into High Security FacilitiesMotherboard
It’s a penetration tester’s job to probe a company for security vulnerabilities. Daniel uses “social engineering” to get into secure locations. She gained access to one facility and its data center despite its security protocols, armed guards and biometric gates by manipulating a recently hired employee, Mary. She studied Mary’s social accounts to get to know her personal life and found out Mary volunteered at a maternity support center. Daniel called Mary posing as Barbara, a project manager for the facility trying to set up an appointment for the next day with an interior designer. When Mary complained about the short notice, Barbara mentioned she was due to give birth in six weeks, which made Mary immediately sympathetic. The next day Daniel showed up as Claire, the interior designer from a fictitious company. Daniel had created a website and business cards support the illusion of credibility. Once inside the facility, it wasn’t long before Daniel was left alone to wander freely. Prevent these kinds of break-ins by:
- Requiring government-issued ID for visitors.
- Emphasizing a “trust, but verify” mind-set companywide.
- Being sure visitors are always accompanied by an escort.
An employee who does their homework can ruin my day.Sophie Daniel
Adopt These Basic Cybersecurity Habits
As Quincy Larson points out in “How to Encrypt Your Entire Life in Less than an Hour,” if you use the internet, you’re vulnerable to hacking.
How to Encrypt Your Entire Life in Less than an HourMedium
Focus on deterrence by adding encryption to the technologies and services you use:
- Protect your email account with “two-factor authentication” which will require you to input a code sent to your phone for access.
- Activate “full-disk encryption” for your hard drive on Windows or Mac OS systems.
- Do not recycle passwords for various accounts: Use a password manager to keep track of difficult to crack passwords and change them periodically.
- Do not use public Wi-Fi.
- Use Signal for encrypted texting and file sharing.
- Use Tor for browsing without tracking and Duck Duck Go for search to better protect your online activities.
- Use a passcode on your phone, even if you already use biometric protection.
Other good habits include:
- Clearing it with your company’s IT security staff before accessing a tool or service in the cloud.
- Utilizing only encrypted thumb drives to transfer work.
- Reporting suspicious emails or behavior.
- Not leaving devices which may hold sensitive information unattended.
- Remaining vigilant and taking cybersecurity seriously.
- Use a network security key. Google effectively ended security breaches using these, according to Casado.
- Set up “deception devices” to attract attackers and discover potential breaches.
- Set up Red and Blue teams to play out potential scenarios of attack and probe for vulnerabilities, or hire a penetration tester.
- Store keys and master passwords in a safe.
- Utilize security checkpoints and cameras in your facility.
Read more about how to protect against cyberthreats: