The following is one of several insights available in the newly released Women Corporate Tech Executives in America Report from the WBC
In several foreign countries there are office buildings filled with intelligent, highly trained people whose jobs it is to infiltrate, disrupt, and extort western businesses. Cybercrime is an organized global threat that operates across the dark web, with sophisticated tools and even franchise opportunities. With a more political bent, hostile government cyber agencies have become highly sophisticated, focusing on disinformation, propaganda, espionage, and destructive attacks.
Whatever you do, you’re using tech in so many ways. This brings cybersecurity challenges and responsibilities that most organizations are simply not equipped to address adequately.
Technical hacking is only part of the challenge. According to “Cybersecurity for Dummies,” 80% of all attacks involve compromising an employee’s credentials. Sometimes contact is simply over the phone. Almost always these intrusions involve an employee who thinks they’re doing the right thing or being helpful. It takes just a single response to a phishing email for an attack to be successful. No amount of technical security will keep your business safe if you don’t train your people to recognize all the ways an actor might trick them into sharing their login credentials.
Whatever your size or type of business, if your security isn’t good enough, you risk compromising your customers and vendors. If you don’t know how to verify the practices of your partner firms, you risk letting them compromise you.
Be prepared and increase organizational vigilance
- Create, maintain, and exercise cyber incident response, resilience, and business continuity planning.
- Create disaster recovery plans and rehearse them.
- Engage experts to hold a tabletop simulation with your leaders about individual responsibilities and actions in the event of a ransomware attack.
- Don’t think it can’t happen to you; expect that it will, and don’t plan to figure it out on the fly when it does.
Talk about it
- Start and maintain an open dialog with your customers and vendors about their systems, products, standards, and training.
- Think through the supply chains you are part of. Discuss. Learn from each partner’s evolving needs, requirements, and cyber efforts.
Enhance your cyber posture and implement cyber best practices
- Identity and access management.
- Protective controls and zero trust architecture.
- Vulnerability and configuration management.
- Utilize strong passwords, MFA, and password managers.
- Install software updates regularly; prioritize known vulnerabilities.
- Stay current on Russian, Chinese, and Eastern European threat updates.
Increase cybersecurity awareness for employees and standardize
- Integrate cybersecurity training and awareness internally until it’s part of your everyday culture, not something that’s reserved for occasional meetings.
- At board meetings, the first thing discussed should be Cyber Risk & Readiness, especially in public companies.
- Apply the same security standards, training, product choices, and behaviors everywhere across your business. A weakness anywhere is a weakness for the whole company.
Pace your effort, plan your pace and track your performance
- Think of a marathon, not a sprint, only more so: you’re never going to be done working on this.
- Think through what to measure that will drive improvements.
Suspect you have already been compromised
- Invaders usually don’t act right away; they wait for a more destructive moment.
- An example is when you, or your customer who has been compromised through you, announces an acquisition or intent to be acquired. A ransomware attack at that moment on any party usually kills the deal altogether.
Maintain backup systems that are not available online
- Literally anything connected to the internet can be hacked.
- Since an intrusion can go undetected for months or years, there’s also a risk of backing up the intrusion, then restoring it in a crisis and immediately letting the hackers back in.
- Make sure your online backups have versions going back in time.
Avoid thinking any solution element is the final answer
- Next month may be different, and next year surely will. Keep learning and keep thinking.
Schedule regular external reviews and engage the right security partner or master service provider
- Even smart people can create an internal echo chamber and miss important things.
- Enlarging existing job descriptions to fully cover this complex and constantly changing topic is a non-starter. Even a large company can’t cost effectively maintain in-house all the kinds of expertise that are needed. The right service partner would operate a (SOC) Security Operations Center 7×24 to manage, detect, and respond to threats.
Think of cybersecurity awareness and readiness as an ongoing investment to PROTECT. You’re protecting your people, your operations, your data, and your reputation. It’s hard to price the value of that.