
5 Steps to Protect Your Organization From a Catastrophic Cyber Attack

By Tom Kirkham, IronTech Security - September 20, 2022

All businesses are at risk for a cyber attack. And in these uncertain economic times it is expected that the risk will increase. The past has shown a correlation between recession and cybercrime. During and before the 2008-9 Great Recession, fraud on the internet increased by 33 percent. Today’s increased digitization makes data more vulnerable than ever.

The harsh reality is that the financial sector is the biggest target for cyber attacks because these firms hold large volumes of personal and financial data. They are a single access point to data from multiple organizations, which is incredibly valuable to cyber criminals.

These attacks come in many different forms. The top three threats a financial firm should worry about are ransomware, phishing attacks and loss of sensitive data. Ransomware alone is a multi-billion-dollar business built on holding data from networks for ransom. All these threats open the door to impeded workflow, liability and loss of clients.

According to a report from Boston Consulting Group, cyber attacks have hit financial services firms 300 times more than other companies. Forbes reveals that 25 percent of all malware attacks are targeted at financial and accounting firms, with cyber attacks costing $18 million per firm compared to $12 million per incident in other industries. Fortunately, by being vigilant about protection, 97 percent of breaches can be prevented. 

Understand the Myths

Many myths surround cybersecurity. Consider these:

  • “I’m too small. Why would anyone want to target me?” Most ransomware and other attacks are indiscriminate. They are carried out at volume and are completely scalable. The attackers blast hundreds of thousands of emails. They think in terms of conversion rate. They don’t know, nor do they care, who it is.
  • “I can’t afford enterprise-grade security.” Cybersecurity doesn’t have to be expensive. An organization can invest only $20-30 a month per device and get some of the same technical controls, administrative procedures or administrative controls, and other tactics, techniques and procedures that the Department of Defense and Fortune 10 companies use. Considering that the average ransomware payout is more than $100,000, and victims who paid the criminals only recovered 65 percent of their data, that is a small investment.
  • “Antivirus is good enough.” The cold, hard truth is that antivirus can only react. It works by checking files against a list of known viruses and comparing the two. If a virus is new and yet unknown, there is nothing to compare it to, and the user will be infected.
  • “We’re covered because we have cybersecurity insurance.” Like all other insurance, this is the last thing you want to rely on to make your company whole. After a breach, insurance is not going to make your reputation whole. In fact, 60 percent of small businesses that are victims of a cyber attack go out of business within six months.
  • “Cybersecurity is an IT issue.” It’s not. It’s a security issue. IT and information security are two different disciplines that require two different skillsets.

By understanding that these are myths and the cyber attack risk is real, companies can adequately protect themselves and clients from harm.

5 Steps to Cybersecurity

A layered security approach with multiple best-of-breed tools and constant vigilance is the most effective line of defense. By taking the following steps, companies can put in place a comprehensive, ongoing cybersecurity program:

1. Realize that cybersecurity is not an IT issue. There is a difference between information security and IT. IT specialists ensure that networks are safe, secure and running smoothly. A skilled team of information security specialists lives and breathes cybersecurity 24/7. They keep up with the changing cyber threats. They reveal current risks and vulnerabilities and develop a plan to put security controls in place. And they orchestrate the controls, tools, plans, policies and procedures.

2. Don't rely on antivirus. In today’s cyber environment, antivirus software is ineffective. Antivirus looks for malicious code that must already be known, so what it can match is typically three to six months old. Instead, enable an endpoint detection and response (EDR) tool and eliminate antivirus. EDR tools monitor and analyze activity to find threats, malicious activity and anomalies in real time.

3. Learn the importance of encryption. Disk encryption is built into most mobile devices and almost all iPads and phones. This technology protects information by changing it to unreadable code and should be enabled for all devices.

4. Multifactor authentication (MFA) is necessary. MFA is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account or VPN. Rather than just asking for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyberattack. MFA should be required for remote access to a desktop, server or any data. It is also good practice to use MFA wherever it is available, including bank accounts, social media and e-commerce sites.

5. Create and foster a security-first environment from the top of the organization down. Employees are your first line of defense against a breach. Everyone who has access to any kind of computer or device on a network must have security awareness training continuously. No one is exempt.

Tying It All Together

Cyber risk is constantly evolving. As the dependence on digital technologies in the business world increases, so does the scope of cyber risk. Cyber threat actors are active adversaries, constantly adapting their tactics, techniques and procedures to cause harm.

Cyber risk can never be eliminated, so organizations need to adopt new methods of understanding, measuring and managing cyber risk on a continuous basis. A combination of cyber insurance and best-in-class cybersecurity practices can reduce this risk and provide some peace of mind for leaders.
