The modern threat landscape has evolved enormously in the past few years. Cybercriminals launch increasingly sophisticated attacks, and these attacks have only gotten worse since the arrival of the COVID-19 pandemic and the move to remote work.
Think about all the sensitive information and critical assets that organizations store and handle as part of their business operations: personal information on your customers and employees, intellectual property, proprietary material, financial information, and so much more. This data is incredibly valuable for savvy cybercriminals.
Recent examples of high-profile cybersecurity breaches
In the past year alone, cyber attacks have devastated organizations across many sectors. Consider the companies that have been the target of some of the biggest ransomware and malware attacks since January 2020:
- Kaseya VSA: In July 2021, REvil, a well-known ransomware-as-a-service (RaaS) group, exploited zero-day vulnerabilities in the Kaseya VSA platform and deployed the REvil ransomware to thousands of Kaseya’s customers.
- Colonial Pipeline: In May 2021, the DarkSide ransomware group launched a ransomware attack against Colonial Pipeline, which led to a shutdown of Colonial’s operations and losses of millions of dollars.
- Zoom: At the height of the COVID-19 pandemic, more than 500,000 Zoom accounts were put on sale on the dark web; the accounts were obtained from previous data breaches.
- Magellan Health: In 2020, eight Magellan Health entities and more than 365,000 patient records were compromised as a result of a social engineering phishing attack where cybercriminals used an employee’s login credentials to access the server with personal health information.
Why is Cybersecurity Important for Companies?
Today’s cybercriminals are smart, savvy, and sophisticated. They aren’t targeting companies purely for financial gain; many aim to simply create chaos and plant a seed of distrust within society.
Furthermore, the COVID-19 pandemic has driven increasingly targeted cyber threats, especially against the healthcare industry. Cybercriminals have taken advantage of reduced staff, emotional distress, and remote work to develop careful phishing and ransomware campaigns that lure victims into downloading malicious software and give attackers access to a company’s internal networks.
Every company is a potential target for ransomware and malware attacks, and the consequences of these cyber threats are significant. Aside from financial losses, there may be legal penalties and loss of customer loyalty and reputation, which will degrade your business over the long run.
Moreover, when a business has been compromised by a data breach, board members and investors often demand that those in charge of cybersecurity resign. When Target suffered a data breach in 2014, both Beth Jacob (CIO) and Gregg Steinhafel (CEO) resigned months after the attack.
It’s evident that ignoring cybersecurity to reduce costs is a luxury no business can afford. Business leaders must be able to educate their employees to be more aware of good cybersecurity practices, and provide opportunities for learning.
The Relationship Between GRC and Cybersecurity
Governance, risk management, and compliance (GRC) offers businesses a strategic approach as they develop their cybersecurity programs, by providing an opportunity to ask questions such as:
- “Do we need to provide training for our employees?”
- “Which policies and protocols should we implement to reduce cyber threats?”
- “Are there any regulations that my business must comply with?”
Cybersecurity governance, however, poses a heightened challenge for security teams due to increasing cyber risk, management of cybersecurity policies, and compliance with a growing number of cybersecurity regulations and industry frameworks.
Cybersecurity policies must map to the company’s individual risk profile and the future desired state. Then the IT and security teams, along with the C-suite, must monitor the performance of the policies put into place.
From a risk management standpoint, it’s critical to understand that every sector comes with its own challenges based on the type of data assets organizations in that sector use and their customer profiles. So you must identify the specific cyber risks that pertain to your organization and define a mitigation plan for those risks.
Lastly, there are a number of cybersecurity regulations such as the General Data Protection Regulation (GDPR) or industry frameworks such as the Cybersecurity Maturity Model Certification (CMMC) that certain organizations must comply with. As a result, you must thoroughly understand which compliance directives apply to your organization, and how you plan to achieve compliance.
Cybersecurity Considerations for Enterprise vs. Small Business
When cybercriminals target large enterprises, they typically use attacks that are well-orchestrated and designed to gain entry into highly secure environments. Enterprises have to keep in mind threats such as supply chain attacks, advanced persistent threats, and insider threats when establishing their cybersecurity programs.
That said, small businesses are not immune to cyber threats. In fact, the 2019 Ponemon Institute report stated that 76 percent of small to medium-sized businesses were attacked the prior year, up from 55 percent in 2016.
This is likely because small businesses tend to rely on outdated technology with less secure networks, making them easy targets for cyber attacks. Additionally, small businesses may not have the financial resources to provide corporate devices such as laptops and mobile devices to their employees, and may rely on cheap platforms for cloud storage (such as Google Drive or Dropbox). This leaves small businesses vulnerable to today’s highly sophisticated cyber threats.
10 Cybersecurity Best Practices for Businesses to Prevent Cyber Attacks
Regardless of the organization’s size, certain cybersecurity best practices must be implemented to reduce cyber risk, such as:
- Educate employees to recognize phishing emails through rigorous cybersecurity training.
- Test employees with social engineering tactics on a regular basis and report the results to senior leadership and all employees for added transparency.
- Enable multi-factor authentication (MFA) for all corporate accounts so that even if cybercriminals get a hold of login credentials, they cannot successfully gain access to the account.
- Implement the use of virtual private networks (VPN) to mask the IP addresses and locations of corporate devices, especially as employees continue to work remotely due to the COVID-19 pandemic. Remember, using a VPN is not restricted to laptops; if your company provides mobile devices to employees, a VPN can still be used.
- Always back up sensitive data and test the backups on a regular basis.
- Ensure that your company complies with any industry frameworks that apply (such as the NIST framework) and that compliance is maintained.
- Establish a cybersecurity-aware culture and lead from the top down. If employees see senior leaders follow the cybersecurity policies being set, they’re more likely to as well.
- Patch all vulnerabilities as soon as they are discovered, especially if your company uses legacy software applications or systems.
- Ensure that all corporate devices have some form of antivirus software installed.
- Set up a firewall between the external traffic and internal data to protect your critical data assets. Go a step further and provide employees with the means to install a firewall on their home networks, especially if your plan is to embrace hybrid or remote work even after the COVID-19 pandemic is over.
Cybersecurity Best Practices for Employees
Employees are widely regarded as the weakest link in the cybersecurity chain, and rightly so. A few recommended cybersecurity best practices for employees include:
- Never use the same password for multiple corporate accounts. Choose unique, strong passwords and use a password manager if necessary to remember them.
- Learn how to spot phishing emails. Watch out for poor grammar, improper punctuation, a conveyed sense of urgency, and typos in the sender’s email address.
- Follow the protocols established by your company’s security team for reporting malicious emails.
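One way to turn the phishing cues in the list above (urgency wording, sloppy punctuation, and a typo in the sender’s domain) into a check that can be run over a mailbox export, as an added example that is not part of the original post; the trusted domains, urgency phrases and sample messages are constructed assumptions:

```python
# Heuristic scorer for the phishing cues listed above: urgency wording,
# sloppy punctuation, and look-alike sender domains. Added example, not
# code from the original post; domains and messages are constructed.
import re

# Assumption: the company's own legitimate sending domains.
TRUSTED_DOMAINS = {"example.com", "mail.example.com"}
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended",
                   "urgent", "act now", "verify your password")

def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Extract the domain part of a From: header (display names allowed)."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""

def phishing_indicators(from_header: str, body: str) -> list:
    """Return the triggered indicators; an empty list means none fired."""
    hits = []
    domain = sender_domain(from_header)
    if domain and domain not in TRUSTED_DOMAINS:
        # A domain one or two edits from a trusted one is the classic typo.
        if any(levenshtein(domain, t) <= 2 for t in TRUSTED_DOMAINS):
            hits.append("look-alike sender domain: " + domain)
        else:
            hits.append("external sender domain: " + domain)
    low = body.lower()
    hits += ["urgency cue: " + p for p in URGENCY_PHRASES if p in low]
    if re.search(r"[!?]{2,}", body):
        hits.append("repeated punctuation")
    if len(re.findall(r"\b[A-Z]{4,}\b", body)) >= 2:
        hits.append("shouting capitals")
    return hits

# Constructed sample messages for a quick self-check.
LEGIT = ("IT Support <helpdesk@example.com>",
         "Reminder: the quarterly security training is open until Friday.")
PHISH = ("IT Support <helpdesk@exampel.com>",
         "URGENT!! ACTION REQUIRED: your account will be suspended. Verify your password immediately!!")
```

The indicator list is meant to feed a reporting workflow rather than to block mail on its own; a single hit is a prompt to look closer, several hits together are what the training teaches employees to report.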
Although a company can improve its cybersecurity posture in multiple ways, success usually comes down to whether or not employees are empowered to practice what you’re preaching. An organization can do its part to implement all the cybersecurity best practices it wants, but if employees don’t do their part, then the company still becomes an easy target for cyber attacks.
Prevent Cybersecurity Attacks With ZenGRC
Reciprocity’s ZenGRC all-in-one platform provides businesses with the ability to stay ahead of the threat curve by gaining deeper visibility into their networks.
Security leaders can assess risk across various threats and vulnerabilities; detect, monitor, and remediate any risks found with real-time updates; and continuously monitor the regulatory compliance of third-party vendors.
In addition, ZenGRC allows businesses to conduct self-audits across a wide array of industry frameworks such as NIST and HIPAA, and keeps track of any potential issues with compliance.
At the end of the day, cyber threats are inevitable, and the reality is that organizations can do everything right, but still become the next target of a ransomware attack.
Schedule a demo to learn how ZenGRC can help your organization minimize the harm of cyber attacks.