We sat down with our Chief Information Security Officer, Joe Danaher, to ask him about the cybersecurity challenges businesses face today. Joe has spent his IT career navigating HIPAA security compliance and, over the past 6-7 years, staying one step ahead as the threats from hackers have evolved.
What are some of the biggest cybersecurity challenges and risks that businesses are facing these days?
First, and unchanged, is phishing. It is your biggest threat and is becoming more sophisticated. Hackers aim to compromise O365 accounts and send malware to you from the accounts of people you know. This makes it more difficult to spot phishing. If something seems odd, you need to confirm with the sender prior to opening any attachments or following any links. Secure attachments are used to trick users into downloading malware and giving up passwords to sites like O365, Amazon, Google.
Second, and requiring more of your attention, is increasing compliance requirements. Your business is more likely to fall under compliance or be asked to prove your security before another company will do business with you. Many states passed laws on their own that differ from each other, and this can be costly for businesses to be compliant and even understand how they need to be compliant. A national compliance standard is needed for businesses handling Sensitive Data. Follow your State Chamber as they are most likely lobbying for national guidelines and against state-specific ones. I live in KY and have worked with the KY Chamber on these issues.
Unfortunately, self-assessment has not worked, as demonstrated by many breaches where the companies were PCI and even SOC2 compliant. So, the bar is rising regarding the security controls that must be in place. Recently, the Department of Defense (DoD) released the Cybersecurity Maturity Model Compliance (CMMC) that is impacting all DoD contractors over the next several years and requires a third-party audit for the 3-year certification. It would not be surprising if this spreads to other Government departments and perhaps nationally.
Are the challenges different for larger and smaller companies?
Smaller companies might think they are at less risk, but they are targeted more often because their preparation and defenses are generally weaker. Although on a different scale, the basic security practices are the same for large and small companies.
How do employees put their companies at risk?
Employees are definitely a cybersecurity challenge for businesses. Employees bring their own devices onto your network. In contrast, they also use work computers for personal email or web surfing. In both situations, business protections, especially for phishing, are likely not in place.
Placing too much information about their work on social media and creating a target for hackers. One trend is to post a selfie with their company name badge on Instagram (search #newbadge).
Finally, not taking personal responsibility to educate themselves about cyber threats and ways to protect themselves, personally and professionally. A #CyberAware person makes a better employee.
Do cybercriminals keep changing tactics?
Cybercriminals are now part of well-funded, organized criminal syndicates. They reinvest in researching new exploits and continuously rewrite their malware, which is making traditional signature-based antivirus obsolete. They are using built-in applications like PowerShell in Windows to run their malicious code, and that makes them harder to detect once they are in your network.
However, cybercriminals most often depend on exploiting the basic human traits of being helpful and curious.
What are some of the current concerns among the IT community?
Another challenge is, in spite of the rising cost and frequency of breaches, many business leaders don’t believe they are at risk, so their investment in cybersecurity controls does not reflect their actual risk.
To make it more difficult for those businesses who seek to invest, there is a myriad of cybersecurity products that makes it harder for many businesses to determine where their limited budget would best be spent.
One thing that makes it easier for businesses, but is often overlooked and undervalued, is a Security Risk Assessment (SRA) to verify where their sensitive data reside; how it moves in and out of their business network; and the status of their current security controls (Technical, Administrative and Physical). This assessment would help prioritize where to invest their money most effectively.
Finally, many businesses have yet to embrace and validate the basic controls:
- Next-Generation Firewall
- EDR or NGAV (Endpoint Detection and Response or Next-Generation Anti-Virus)
- Off-site and Tested Backup
- Employee Security Awareness Training, including how to avoid phishing and how to create a secure password
- Using Multifactor Authentication (MFA) whenever it is available
How can business leaders mitigate these risks? Can you provide some tips for our readers?
Providing an ongoing program of Security Awareness Training for your staff has proven to have a great Return on Investment (ROI). The Ponemon Institute found that the phishing email click rate improved an average of 64% following security training.
SHOW employees that cybersecurity is important to the business owners and management team by creating a culture of cybersecurity.
Perform simulated Phish testing with re-training options. Don’t be punitive to employees who get tricked by a phish and report it. Focus on education.
How often should training sessions be conducted?
Like I have said, cyber threats are not going away and have grown more sophisticated. Training needs to be ongoing and interactive and built into your company culture of safety. There is a saying, “What I hear, I forget; What I see, I remember; What I do, I understand”. Your approach to training employees needs to reflect this reality.
What kind of training programs do we offer our clients?
We have an online platform that offers broad and ongoing training to keep cyber-safe practices in the forefront to create habits that protect your company from breaches.
Yearly training and testing are reinforced weekly through 2-min micro training videos and quizzes, periodic phish testing and self-serve features to scan questionable emails, check the dark web for credentials and repeat any training, any time.
Each employee has a Security Score to use for friendly competition or rewards. Users can increase their score by completing pieces of training, keeping their credentials out of the dark web and not falling for phishing test emails.
Thank you, Joe, for all the great information. We take our own security seriously and can help guide you to make the most cost-effective decisions to boost your business’ cybersecurity maturity.