Waiting until your company’s most vulnerable information has been compromised by cyber criminals to mount a defense against the incursion is a losing game plan.
Make no mistake. Your company’s computer systems are constantly under attack by hackers. And that situation is never likely to change. It’s what you do about it that is the difference between keeping your stored information private and facing a breach that will cost you big bucks — maybe a financial wound that proves fatal to your company.
Lt. Nate Toll, deputy operations officer, Cyber Protection Team, U.S. Coast Guard, was a panel member at yesterday’s “Cyber Risk Management: 2021 updates for the towing industry” webinar sponsored by the American Waterways Operators. He said a good place to start is “understanding what your cyberspace looks like.”
Brian Moynihan, CEO, Bank of America, told CBS’s Face the Nation in April 2020 that 80% of businesses have fewer than 10 employees and 95% have fewer than 100 employees.
According to internet security company Trustwave, 67% of small and medium-sized businesses fail to survive a cyber breach, 56% of organizations that suffered a breach can trace it back to a third party, and the average cost of a data breach is $3.92 million.
“You have to create a culture of readiness,” Lessie Longstreet, global director of outreach and partner engagement for the Cyber Readiness Institute (CRI), said during AWO’s webinar.
CRI develops free content and tools to improve cyber readiness of small and medium-sized enterprises, convenes senior leaders of global companies and value chain partners, and shares cybersecurity best practices and resources. The information is free because the institute is financially supported by PSP Partners, Microsoft, Mastercard, Global Enterprises, Principal Financial Group, GM, and ExxonMobil.
CRI’s approach includes the following:
- Focus on human behavior — authentication, patching, phishing, and USB use. (Multi-factor authentication can prevent 99% of account-compromise attacks; 17% of people use their favorite sports team and the current year as their passwords; 60% of breaches in 2019 were linked to a vulnerability for which a patch was available but not applied; 91% of all cyberattacks start with a phishing email; 81% of companies that fell for a phishing email attack lost customers; and 80% of companies’ employees use non-encrypted USB devices, such as free USBs handed out at conferences.)
- Incident response and resilience.
- Guidance and tools on prevention measures and practical incident responses using the organization’s cyber readiness program and remote work resources.
- Create a cyber readiness culture.
- A cyber leader drives the execution of the plan.
- A small business advisory group provides input.
“Many compromises can be avoided by concentrating on what you’re doing,” said Longstreet. Sometimes problems are caused by “people who are distracted by life.”
There are five stages to CRI’s Cyber Readiness Program:
- Get started: Prepare organization and select a cyber readiness leader.
- Assess and prioritize: Remember that the four key issues are authentication, patching, phishing and USB use. Prioritize what to protect. Establish baseline metrics.
- Agree and commit: Access and modify the policy templates so they are practical for the organization. Develop an incident response plan from the template.
- Roll out: Introduce the program to the workforce. Access the training and communication kit and distribute the workforce commitment letter.
- Measure success: Re-do baseline metrics to measure impact. Earn certificate from CRI.