The Best Practices in Cyber Security For Small-To-Medium-Sized Businesses
As cybercrime grows in prevalence and sophistication, many large companies are upping their security game in response. Small businesses need to do the same, because “cyber criminals don’t discriminate” and smaller companies may even be “easier targets because their defenses are often not as advanced as those of larger businesses,” as SnoopWall founder Gary S. Miliefsky says. Forbes contributor Kate Harrison discusses the need for small businesses to prepare for cybersecurity threats and incidents and highlights Miliefsky’s “must-do” best practices, including creating and enforcing corporate security policies, training employees in security practices such as acceptable use and setting strong passwords, and encrypting data and confidential information. Miliefsky also discusses the importance of performing self-assessments and documenting cybersecurity progress.
Boards Still Struggle With Cybersecurity Management
A recent KPMG survey revealed mixed results regarding businesses’ cybersecurity postures. On the positive side, the survey showed that 49 percent of businesses consider cyber risk a top concern compared with other risks (an increase from 29 percent in 2014), that boards are more likely to “explicitly set their appetite for cyber-risk than in previous years,” and that the percentage of boards that “have a very clear understanding of where key information/data assets are shared with third parties” grew from 2014 to 2015. However, boards continue to struggle to get good information on cyber risk in their companies: only 21 percent of respondents reported receiving helpful, comprehensive cyber-threat management information, and 17 percent reported receiving “very little insight.” According to KPMG’s David Ferbrache, boards often make their decisions based on “incomplete and partial management information.” Ferbrache stresses that board members should take shared responsibility for cybersecurity and “consider it in every aspect of the business” to protect their organizations effectively.
Cybersecurity special report: Ransomware will get worse, hackers targeting whales, medical devices and IoT trigger new vulnerabilities
Healthcare IT News
According to “Hacking Hospitals,” a two-year study of healthcare data, healthcare technology platforms and medical devices, healthcare provider organizations are “generally failing at securing their organizations from today’s increasingly sophisticated criminals.” The study cites a too-narrow focus on protecting patient records and security measures that defend only against blanket attacks and unsophisticated cybercrime. Virtue Security founder and CEO Elliott Frantz argues that healthcare organizations should focus more on managing intrusions than on preventing them and should spend more resources preparing for cyber incidents. Healthcare IT News interviewed cybersecurity experts about the most pressing cyber issues in healthcare IT and identified five key concerns: the growing threat of ransomware, the rising use of whaling (sophisticated phishing attacks targeting high-level executives), the need for better security education of C-level executives, the importance of application security, and concerns about medical device security in a growing Internet of Things.
SEC says cyber security biggest risk to financial system
U.S. Securities and Exchange Commission (SEC) Chair Mary Jo White, in remarks at the Reuters Financial Regulation Summit, said that many Wall Street organizations do not have the proper cyber policies in place to manage their risks. According to White, the SEC is pointing out instances in which organizations do not have “policies…tailored to their particular risks.” Tom Kellermann, chief executive of Strategic Cyber Ventures LLC, called the remarks “a historic recognition of the systemic risk facing Wall Street.” Reuters reporters Lisa Lambert and Suzanne Barlyn discuss some of the SEC’s initiatives, including “broken windows” (cracking down on small violations to discourage larger ones), White’s remarks on companies’ use of non-GAAP (non-Generally Accepted Accounting Principles) measures, and responses to those remarks.
NTT Com Security’s latest Global Threat Intelligence Report revealed that nearly 80 percent of organizations “remain unprepared for and without a formal plan to respond” to cybersecurity incidents. Nearly 21 percent of the vulnerabilities detected were more than three years old, more than 12 percent were more than five years old, and more than 5 percent were 10 years old or older. The report also showed that the retail sector leads other sectors in incident response and that breach investigations jumped from 16 percent to 28 percent in 2015. In light of these results, NTT Com Security made recommendations for incident response, including preparing “run books” to “address how common incidents should be handled in their environment” and compiling comprehensive, accurate details about networks.
Are businesses overlooking risks away from cybercrime?
As the costs and risks associated with cybersecurity threats rise, businesses are paying more attention to cybersecurity concerns. For example, the Bank of England’s Systemic Risk survey revealed that respondents’ concern about cyber attacks rose dramatically from the last six months of 2014 (10 percent were worried about an attack) to the second half of 2015 (46 percent were concerned). Ben Rossi argues that, while concern about cyber threats is important, it is also valuable to adopt a “holistic view of the business…to ensure the right judgment calls are being made,” so that companies do not become vulnerable to other risks by focusing too heavily on cybersecurity. Rossi advocates a comprehensive view to ensure that all business risks are prioritized and handled appropriately.
Employee Negligence The Cause of Many Data Breaches
Experian recently surveyed more than 600 data protection and privacy training professionals, and the survey revealed concerns that “dangerous user behavior” in the workplace is putting businesses’ data at risk. Sixty-six percent of respondents said staff “are the weakest link in their efforts to create a strong security posture.” Despite these insider risks, only 35 percent of respondents said that senior executives at their companies prioritized employee education and training on security concerns, and 60 percent said employees were not knowledgeable about cybersecurity risks at their companies. Additionally, only half of the companies agreed that their existing training succeeded in reducing “noncompliant behaviors,” less than half made training mandatory for employees, and 60 percent said their companies did not require employees who failed training courses or tests to take any further action. Experian Data Breach Resolution Vice President Michael Bruemmer emphasizes that responsibility for protecting company data and security should start with upper-level management and boards. Bruemmer also makes recommendations on structure and planning to improve businesses’ cybersecurity.