Cybersecurity is top of mind for all C-suite executives. Why? Almost 1 in 3 companies will experience a major breach within the next 24 months - and at an average of $3.86M per incident. Beyond the cost, most executives find the real price tag comes in reputational losses.
“Protect your reputation, because that’s usually the hardest aspect of a breach to fix. Software can be reinstalled. Data can be restored from backups. However, once you’ve lost your reputation, people might not want to do business with you anymore,” says Professor Jonathan S. Weissman, Senior Lecturer, Department of Computing Security, Rochester Institute of Technology and the RITx Cybersecurity MicroMasters® program on edX.org.
Weissman teaches and trains professionals across the world on mitigating and defending against the biggest – and smallest – issues in cybersecurity, which evolve daily. What doesn’t change? Weissman says the weakest link in any cybersecurity program always remains the same – humans.
“Humans are, and always will be, the weakest link when it comes to cybersecurity. Even worse, attackers know this to be true,” says Weissman. “Cybersecurity through technology is important, but so is dealing with your employees. Education, corporate training and constant testing of employees is vital. See if they actually click on links, download and open files, or respond to questions and requests that they shouldn’t respond to. Studies show that most breaches and attacks come directly from phishing.”
Here are Professor Weissman’s top 5 tips to enhance your organization’s cybersecurity:
Engage a bug bounty program. Leverage the expertise of white hat hackers by engaging an online bug bounty program. Weissman suggests using an organization, like HackerOne, to send freelancers your way. These hackers/researchers will try to find and exploit any existing vulnerabilities. They will be paid a reward based upon the level of vulnerabilities that they find and exploit.
Go all the way. Many companies undertake penetration testing to meet compliance requirements, but don’t actually implement all suggested security measures, or continue to actively monitor their networks. This “check-the-box” mentality leaves business with a false sense of cybersecurity, and tons of vulnerabilities. Don’t be like these companies.
Correlate and communicate. Organizations tend to treat attacks as isolated incidents, putting out fires and then moving on. However, efforts to surface correlations between incidents can help prevent the next big attack or breach. At the same time, businesses don’t share or collaborate with each other post-attack, in large measure because of concerns that doing so will bring proprietary, confidential, or embarrassing information to light. Conversely, the norm among cyber criminals is to share knowledge, both as a form of recognition as well as to decrease chances of being exposed. This knowledge sharing gives them a decided advantage. Corporate cybersecurity efforts will be much stronger when the good guys collaborate at the level that the bad guys do.
Transfer your risk to cyber insurance. The average cost of a cyber attack (for example, unauthorized access) is approximately $1M, while a data breach (for example, personally identifiable information stolen) is $3.86M, as noted above. Cyber insurance can help transfer some of this risk by providing a breach response program, which covers the cost of deploying a forensic investigation, notification compliance, and a privacy attorney. Certain policies even cover business interruption costs.
Hackers use AI/ML. You should, too. Hackers use artificial intelligence (AI) and machine learning (ML) to find and exploit your vulnerabilities, prioritize what to take first, create and modify malware, automate communication between devices, and make social engineering more believable. The good guys should be leveraging AI/ML, too, to detect anomalous behavior in networks, when it experiences user deviation, or when users undertake new or unfamiliar actions. Cybersecurity specialists can also use AI/ML to assess levels of risk, identify different types of attacks, and even specify response actions to attacks.
Staying ahead of what’s next in cybersecurity may seem impossible, but Weissman says passion is the answer. “Cybersecurity is a high-stakes, high-pressure, ever-changing industry, which requires you to constantly reinvent yourself. If you want to be successful in cybersecurity, you need passion as your driving force.”
About Jonathan Weissman
Jonathan S. Weissman is a senior lecturer in the Department of Computing Security at Rochester Institute of Technology, where he teaches graduate and undergraduate courses in networking, cybersecurity, systems administration, ethical hacking/penetration testing, digital forensics, malware reverse engineering and more. Professor Weissman developed multiple courses for the edX RITx Cybersecurity MicroMasters program, which he currently teaches to more than 100,000 students in over 200 countries.