It seems that companies are reporting breaches of their networks almost daily. This is because the bad guys don’t take days off. They consistently look for ways to take advantage of companies and try to steal data they can then sell on the dark web’s black market pages. From identity theft to medical fraud, to stealing loads of data, to ransomware, the one goal the threat actor tries to achieve is to make money. The cyber defenders work hard to ensure their network is secure, but there is always a hole in the defenses: the employees. People are the weakest link in any security chain, and that hole cannot be fully closed using technical measures.
In October, Bed, Bath & Beyond was hacked and the threat actors gained access to data on at least one networked computer, if not more. This breach occurred as a result of an employee clicking on a phishing email. A number of other high-profile companies recently experienced breaches as well. So, the question becomes, how do we defend against cyber threats? First, we need to realize that everyone is susceptible, no matter who they are. This means it may be only a matter of time before a company is faced with a breach.
Second, we need to ensure there are technical measures and policies in place to limit the damage that can be done if a hacker gains access to a device. Making sure systems are patched; ensuring that people use VPNs when not on-site; and using complex passwords and multi-factor authentication are just some of the things that can be done to protect data. Companies should design their networks in a hierarchical manner, which segments sections of the company and network from other areas. This helps ensure that if a breach occurs, the damage can be limited to one section of the network.
Third, every employee must take ownership of being a good steward of company data. People are complex, multifaceted beings and, as such, they are prone to making mistakes. This is especially true when you factor in various behaviors that affect one’s cognitive ability and decision-making process. If someone is distracted, they are more likely to click on a link in a phishing email. If they are not paying full attention, the risk of becoming an open port for the hacker is high.
The current method of defending against phishing attempts, and other social engineering attacks, is the annual information awareness training. Although this training does a great job of explaining the risks and threats, it does nothing to actually change an employee’s behavior. Companies need to ensure there is a security-minded culture in their organization. When an employee feels as though their efforts make a difference, they are more likely to go the extra mile to protect the organization. Employees who feel responsible for the company’s data and network will work harder to protect it. They take ownership of the security posture and want to see it succeed.
Employees also need to be emboldened to report a potential security breach, without fear of reprisal. Fear is not an effective tool in defending a network. Don’t click on links from emails you do not expect. Be suspicious of any email that comes in from outside your network.
If a breach occurs, containment is the number one priority. Containing the breach to the smallest area of the network helps limit the possible damage a hacker can inflict. Companies need to deploy tools such as intrusion detection systems (IDS) and security information and event management (SIEM) tools to help detect breaches early. The sooner a breach is detected and shut down, the less damage a threat actor can do.
Companies need a good data backup plan to recover from an incident. Backing up to a cloud provider can allow an organization to recover from a breach faster. The best — perhaps the only — defense against ransomware is a good backup. Paying the ransom is never something a company should do. If you pay the ransom, there is no guarantee that you will get your data back. Certainly, there might be a small amount of data lost when a company recovers from a backup, but that loss is small compared to paying a ransom and then getting a key from the attacker that doesn’t work.
Companies must ensure they are hiring the right talent for their organizations. Not every information technology person knows cybersecurity, so it is important to make sure that the members of the cybersecurity team are qualified. Don’t simply throw money at the problem — that won’t fix it. Hire a qualified team, led by a qualified chief information security officer, and then follow their guidance on where to spend money and how much.
Cyber breaches are not going to stop. As long as we store our data electronically, we will have the threat of a breach. It is up to everyone on a network to ensure the network is safe by applying good information security practices every day, all day.
Henry Collier is a professor and the program director for Norwich University’s online Master of Science in Cybersecurity program.