Why is cybersecurity becoming a personal concern for business leaders, what are the key threats to enterprises, and what should leaders who want to protect themselves and their organization do?
About the expert: Rustem Khairetdinov, Director of Growth at BI.ZONE, a strategic digital risk management company.
Business owners and senior management are a coveted target for cybercriminals, because such victims give access to sensitive information, not to mention the organization's accounts. A survey conducted by MobileIron confirms this: 84% of senior (C-level) executives admitted that they had nearly fallen victim to a cyberattack in the past year.
Why Senior Executives Worry About Cybersecurity
Even a single incident can lead to serious financial and reputational losses. The authors of the Accenture Third Annual State of Cyber Resilience report found that for an organization with a standard level of cybersecurity, the average damage from an attack is $380. Moreover, in a survey conducted by McAfee, 92% of respondents reported non-material losses from cyber incidents. Among the negative effects most often mentioned were productivity losses and forced downtime (up to 18 hours); on average, this costs the business $6 million. However, the pause can last far longer: for example, IT solutions developer Kaseya, which fell victim to a ransomware attack, was able to recover its files only after 19 days.
Sometimes it is enough for a CEO to open a single link to destroy the company. In September 2020, one of the founders of the Australian hedge fund Levitas Capital accepted an invitation to a Zoom conference. The link turned out to be malicious: the attackers penetrated the corporate network and tried to transfer about $8 million to their own accounts. Although most of the funds were recovered, the company closed because one of Levitas Capital's key partners refused to invest in the compromised business.
In the context of digital transformation, data protection and business continuity are becoming strategic concerns. At the same time, 83% of companies have no specific business recovery plan for an emergency. Against this backdrop, it is up to leaders to take charge of digital security and improve the cyber resilience of the organization. To do this, however, they first need to improve their own cyber literacy.
What digital risks threaten companies in 2021
Hacking IoT Devices
We are surrounded by "smart" gadgets, from smart speakers to traffic lights that let buses move faster through the city. According to Microsoft, by 2020 the share of companies that had deployed at least one IoT device was 83%.
For businesses, connecting office devices such as light bulbs and air conditioners to the Internet of Things means more potential entry points for attackers. Compromising even one of them can have unpredictable consequences for the entire corporate infrastructure. For example, by hacking a smart camera on the organization's perimeter, criminals can learn door access codes for the premises or the working hours of the security staff.
Keep in mind that attackers will deliberately target the personal devices of company owners and executives. Meanwhile, the reliability of consumer IoT technology is questionable, given that even pacemakers have been hacked.
Data Fraud
Analysts at the World Economic Forum consider information theft one of the ten most likely global risks. In 2020, over 15 billion stolen credentials were found on underground forums, among them the logins and passwords of accountants and system administrators. In this context, the spread of digital identity technologies that use passport, biometric and behavioral data to identify users creates additional threats for businesses.
Fraudsters' favorite methods are phishing and social engineering. CEOs are especially vulnerable to such attacks and have traditionally been the main target of criminals. In The State of Email Security Report prepared by Mimecast, 40% of respondents responsible for IT development in their companies said that their CEOs are weak links in the organization's cyber defense. The interviewees can be understood: according to Help Net Security, 76% of senior executives have asked for exceptions to mobile device security policies.
Using new technologies in attacks
Cybercriminals are not afraid to experiment. In 2019, criminals stole €220 from an energy company using deepfake technology: they synthesized the voice of the chief executive of the German parent company and convinced the head of the British subsidiary to transfer money to their bank account. The insurer covered the losses, but its representatives admitted that this was the first time they had encountered such a case.
Ignoring security in the company’s transformation strategy
It is important to remember that, in addition to external threats, there are internal ones. Gartner analysts predict that worldwide spending on cybersecurity and risk management could exceed $150 billion in 2021. Despite this, many companies ignore these aspects when developing a digital transformation strategy. According to a Ponemon survey, 82% of companies have suffered data leaks related to flaws in how this process was set up. Mistakes made at the early stages can lead to significant costs later, such as regulatory fines, the need to rebuild systems and processes, or changes to the finished product.
How to Minimize Digital Risk in Seven Steps
Protecting a business is a difficult but important job that depends largely on the personal initiative of the head of the organization and top management, as well as their own cyber literacy. Following a few simple rules makes the task easier.
Use a unique password for each service
If you use one password for mail, social networks, work accounts and everything else, a single leak is enough for attackers to compromise all of them. Install a password manager with a password generator, such as 1Password. Do not keep passwords on slips of paper or in notebooks. Scale this practice to the entire company: instruct IT staff to monitor how regularly employees update their passwords. It is considered good practice to change passwords every three months.
Transfer data only through secure channels
Even a strong password can be intercepted by attackers. This applies especially to public wireless networks in airports, cafes or business centers. Use a VPN connection when working with business documents, communicating with partners or logging in to personal accounts. The same can be deployed within the company: require employees to connect to the organization's servers through secure channels to avoid data leaks. However, remember that the traffic you send through a VPN tunnel can be viewed by the VPN provider, so use the services of trusted companies.
Learn and teach cyber literacy
Learn the basics of cyber hygiene so that you do not become a victim of criminals. Invest in cyber literacy, such as anti-phishing and sensitive-data protection training. Involve not only senior management but also employees at all levels: no one knows exactly where the attackers will strike. Such measures pay off: according to our data, regular training increases employees' resilience to phishing ninefold.
Prepare guides for every occasion
Develop scenarios with employees for high-risk situations, such as urgent transfers of large sums and the handover of important documents. Agree on secret words to confirm such operations: remember that criminals are mastering deepfake technology, so a standard call with repeated instructions is no longer enough. Rehearse these scenarios with colleagues and follow them yourself.
Install updates
This tip applies to every device and program you use. New releases often fix vulnerabilities, so the newer the software on your computer, smartphone, watch and even car, the lower the risk of becoming a victim of a cyberattack. Imagine how many vulnerable points there are in a company with even 20 computers, not counting servers, routers and other equipment. Keeping software updated is the best prevention against hacking.
Don’t store work documents on personal devices
Viewing quarterly reports on the road on a laptop is generally fine, as long as it is a corporate computer. If you upload work data to a personal tablet or smartphone, do not forget to delete it afterwards; otherwise, if the device is stolen, the thieves get not only a brand-new gadget but also your trade secrets. Set a password or biometric unlock on all devices. Another way to make it harder for attackers to reach your corporate mailbox is to ask the IT department to allow logins to work email accounts only through a VPN tunnel. During the pandemic, separating the office from home has become much harder, but you can move business processes to cloud services: they are somewhat better protected than employees' personal devices.
Design systems with security in mind
Any IT project, from setting up a mail server to digital transformation, should be based on the principle of security by design: security must be an integral part of the system and built into all of its components. Complying with this principle requires well-structured processes and the participation of competent specialists. It is often better to turn to third-party contractors: their awareness of cyber threats will be higher than that of the average in-house cybersecurity department, the final cost of services will be lower, and regular employees will not be overloaded with extra work. There are enough companies on the market that specialize in such tasks; they will take into account the specifics of your IT infrastructure and help you build a digital bastion capable of repelling even advanced attacks.