Cybersecurity should be understandable and affordable
CSM International LLC
A Service Disabled Veteran owned business providing professional services to help you control digital risks.
You’re being attacked.
Every company, every computer, every day, hour and minute is under attack. How do you defend yourself? Surprisingly, it doesn’t require the trendiest cybersecurity product or a massive budget, as many vendors would have you believe. It just requires taking thoughtful action in three areas:
· Control and engage
· Patch and monitor
· Identity management
As a recent MIT Technology Review “Weekend Reads” issue focused on cybersecurity hacks stated: “Cyber threats are spiraling and the cybersecurity industry, governments, and businesses are struggling to deal with them. Think whack-a-mole - on a grand scale”. From this article (and thousands like it) we get the sense that we are helplessly losing to the “hackers”, who are mounting ever-increasing, successful attacks.
But actually, it’s not hopeless. We don’t have to succumb to being crushed by criminal and state-sponsored attackers, and providing good protection in cyberspace is not beyond our comprehension or abilities. Getting to the point where we can regain control requires only that we step back from the problem, gain a broader understanding, and then take a few basic actions.
One of the first things we have to realize is that cybersecurity is a business problem in a technology world, not a technology problem in a business world. To solve the problem, we have to understand it. At a Black Hat conference in 2014, one of the speakers estimated that the total number of people engaged in cyber-criminal activity globally was around 400 million. Given that the global cost of cyber-crime in 2020 was over $2 trillion (source: Cybercrime Magazine), that number has probably grown significantly over the past years. So it’s important to recognize that cybercriminals want you to keep believing that you have no hope and can’t do anything about them, so that you don’t interrupt their ability to empty your bank account. Unfortunately, the cybersecurity industry doesn’t help, because many companies sell their products using fear as a motivator, reinforcing that feeling of hopelessness.
A January 2020 Deloitte article estimated that approximately 91% of all successful phishing attacks start with a simple malicious email. Although the article went on to enumerate potential technical solutions to prevent the attacks, the best solution every company can use (without spending a fortune) is to put simple email controls in place and to engage with employees so they report suspicious activity (or tell you when they have clicked on the wrong link).
All of us receive a daily deluge of email. It’s used to market goods, communicate informally, inform you about issues via newsletters, and transact business. Attackers hide in that mix of mail. So the first and easiest control to put in place starts with understanding that email doesn’t have to be delivered to the inbox. You can put strong filters on your mail so that non-business mail goes to “holding” folders, where it can be examined separately from business-essential email. Desired newsletters and other bulk mail can be “whitelisted” so they continue to be delivered, while general spam, marketing and malicious email is shunted out of the inbox.
This action does have a downside: an email from a new vendor may be kept out of the inbox. However, by establishing a discipline where the spam or bulk-mail folder is checked daily, this represents only a slight delay. The psychological impact on your user community, however, is worth it! Just knowing that the holding folder contains potentially destructive email makes your users much more careful when examining its contents.
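To make the holding-folder approach concrete, here is an added example (not from the article or from CSM International) of the triage rules it describes: whitelisted newsletters stay in the inbox, other bulk mail goes to a holding folder, and mail from senders the business has never dealt with (the “new vendor” case) goes to a second holding folder that is reviewed daily. The allowlist, business domains and folder names are constructed placeholders.

```python
"""Inbox triage rules for the "holding folder" approach (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: desired bulk senders and known business correspondents.
ALLOWLIST = {"news@example-newsletter.com"}
BUSINESS_DOMAINS = {"example-corp.com", "example-partner.com"}

# Placeholder folder names; the holding folders are checked once a day.
INBOX = "INBOX"
BULK = "Holding/Bulk"
UNKNOWN = "Holding/Unknown-Senders"


def sender_address(msg):
    """Lower-cased address part of the From header ("" if missing)."""
    return parseaddr(msg.get("From", ""))[1].lower()


def is_bulk(msg):
    """Mailing-list and marketing mail carries headers that personal
    correspondence normally does not."""
    if "List-Unsubscribe" in msg or "List-Id" in msg:
        return True
    return msg.get("Precedence", "").strip().lower() in {"bulk", "list", "junk"}


def route(raw_message):
    """Decide which folder a raw RFC 822 message lands in."""
    msg = message_from_string(raw_message)
    addr = sender_address(msg)
    domain = addr.rpartition("@")[2]
    if addr in ALLOWLIST:
        return INBOX      # whitelisted newsletter: delivered as usual
    if is_bulk(msg):
        return BULK       # general marketing/spam: examined separately
    if domain in BUSINESS_DOMAINS:
        return INBOX      # known business correspondent
    return UNKNOWN        # new vendor etc.: picked up in the daily folder check


if __name__ == "__main__":
    # Constructed sample messages, one per rule.
    samples = [
        "From: Bob <bob@example-corp.com>\nSubject: Invoice\n\nPlease see attached.",
        "From: news@example-newsletter.com\nList-Unsubscribe: <mailto:u@x>\n\nWeekly.",
        "From: promo@example-shop.com\nPrecedence: bulk\n\n50% off today!",
        "From: sales@example-newvendor.com\nSubject: Quote\n\nHello, we can help.",
    ]
    for raw in samples:
        print(route(raw))
```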
The other action you can take to reduce the phishing risk is to engage with your employees on what constitutes a malicious (phishing) email and to encourage them to report anything they see as suspicious. By giving periodic guidance on the types of phishing email the company is receiving, what to look for in a phishing email, and how to report anything they view as suspicious (or an email or link they have already opened), you will significantly reduce the potential damage to your company from this source. And by engaging in this fashion, you are also leading by example.
I’ll write about the other actions you can take (monitoring, patching, identity control, and multifactor authentication) to reduce your threat exposure in my next blog.
Until then, I wish you continued success in your digital/cyber business endeavors.
Written by: Bob Jamieson, Ed.D., CISSP (Founder & CEO, CSM International)
For more articles visit https://csm-int.com/blog