In 2016, the average organization faced 106 targeted cyber-attacks, with one in three of these assaults resulting in a security breach. At least, those were the findings of Accenture after conducting a comprehensive survey that pulled together responses from 2,000 executives operating in 12 industries spread across 15 countries.
Even more troubling, more than half of respondents — 51 percent — admitted that their business typically doesn’t identify a successful security breach for months, and 17 percent don’t make the realization until “within a year.”
And according to the Ponemon Institute, the average data breach now costs a company roughly $4 million.
Worried about what outside network intrusions could mean to your business? Read our e-book: Data Breach Disasters: How to Prepare for the Worst and Respond at Your Best
Time For a Change
Despite this alarming rate of successful attacks, 75 percent of respondents to the Accenture survey were still “confident” that their business was employing the right security strategies. They made this claim even though their internal security teams uncovered only 65 percent of successful breaches; the remainder were flagged by employees, law enforcement, and outside parties such as ethical hackers (“white hats”).
The frequency of these breaches, coupled with the difficulty of recognizing a security incident once it has happened, makes it clear that current methods are not sufficient. Rather than focusing solely on compliance, your business needs to rethink its approach to cybersecurity so that it can identify, frustrate, and stop these attacks before they succeed.
And to accomplish this goal, you need to think like a bad guy.
What Can Your Company Do?
While channeling your inner felon, consider what areas of your business would be most valuable to hackers. Yes, your organization should place adequate protection around its financial systems, but are there other likely targets?
Different businesses and industries offer unique opportunities for criminals. For example, healthcare organizations hold patient files that contain a treasure trove of personal data that can be sold and used for identity theft. Similarly, any organization with a large employee base stores an equally large number of employee tax records — files and directories that are touched heavily for a few weeks each year and then routinely ignored, which makes unusual access to them both unlikely to be noticed and easy to flag if someone is looking.
By segmenting the network into tiers, with the highest-value systems placed in the most restricted zone, your company can concentrate its security controls and monitoring where the risk is greatest instead of spreading them evenly across everything, offering greater protection for high-risk targets at lower overall cost.
Why would a criminal waste time on a brute-force attack when a well-phrased email could bypass all of the time, money, and effort your IT department has put into protecting critical systems? Reported attack data since 2015 shows cybercriminals relying on social engineering as their primary technique for getting past network defenses.
To combat attacks such as phishing or baiting, your employees need to be well educated and prepared. With proper training, your staff will stop being an avenue of attack and can instead be enlisted in the ongoing fight against cybercrime.
In addition, per the Accenture study, employees were the most commonly cited detection method outside of designated cybersecurity teams. When your staff know what suspicious behavior looks like, they can more quickly report it.
Beyond simple naïveté, employees can also pose a direct threat to your company’s cybersecurity. In the Accenture survey, more than 50 percent of respondents indicated that malicious insiders could have the greatest cybersecurity impact, but only one-third expressed confidence in their organization’s ability to monitor for internal breaches.
By deploying internally focused monitoring and by restricting access rights to critical and confidential business systems to the people who actually need them, your company can limit the damage that a rogue employee can cause. The two controls reinforce each other: a tight access policy defines what “normal” looks like, and monitoring then has a clear baseline against which to flag access from the wrong group, at the wrong hour, or in unusual volume.
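As an added example (not part of the original article), the script below applies both ideas to file-server audit events: it checks every access to a sensitive share against the groups permitted to touch it (least privilege), and it flags off-hours reads, bulk reads, and reads of tax records outside the season in which they are normally handled. The log format, share paths, group names, time windows, and thresholds are all assumptions constructed for the example; the sample log lines are likewise constructed and are not real data.

```python
"""Insider-threat detection over constructed file-server audit events.

Added example, not code from the original article. Every path, group,
log format and threshold below is an assumption chosen for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple, Optional
import re

# Sensitive locations, who may legitimately read them, and the months in
# which access is routine (tax files are busy Jan-Apr, idle otherwise).
SENSITIVE_POLICY = {
    "/shares/hr/tax/": {"groups": {"hr", "payroll"}, "expected_months": {1, 2, 3, 4}},
    "/shares/finance/": {"groups": {"finance"}, "expected_months": set(range(1, 13))},
}
BUSINESS_HOURS = range(8, 18)     # 08:00-17:59 local time counts as normal
BULK_THRESHOLD = 5                # distinct sensitive files per user per window
BULK_WINDOW = timedelta(minutes=30)

# Assumed audit-log line format (one event per line).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) group=(?P<group>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+)$"
)

class Alert(NamedTuple):
    severity: str
    reason: str
    user: str
    target: str

def parse_event(line: str) -> Optional[dict]:
    """Parse one audit line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def sensitive_prefix(path: str) -> Optional[str]:
    """Return the policy prefix a path falls under, or None if not sensitive."""
    for prefix in SENSITIVE_POLICY:
        if path.startswith(prefix):
            return prefix
    return None

def detect(lines) -> list:
    """Run the four checks over the log and return the alerts raised."""
    events = sorted(filter(None, map(parse_event, lines)), key=lambda e: e["ts"])
    alerts = []
    recent = defaultdict(list)   # (user, prefix) -> [(ts, path)] inside BULK_WINDOW
    for ev in events:
        prefix = sensitive_prefix(ev["path"])
        if prefix is None:
            continue                       # not a protected location; ignore
        policy = SENSITIVE_POLICY[prefix]
        ts, user, path = ev["ts"], ev["user"], ev["path"]
        # 1. Least privilege: the user's group is not allowed on this share.
        if ev["group"] not in policy["groups"]:
            alerts.append(Alert("HIGH", "unauthorized-group", user, path))
        # 2. Access outside business hours.
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(Alert("MEDIUM", "off-hours", user, path))
        # 3. Access to records that are normally idle at this time of year.
        if ts.month not in policy["expected_months"]:
            alerts.append(Alert("LOW", "off-season", user, path))
        # 4. Bulk read: many distinct files under one share in a short window.
        window = recent[(user, prefix)]
        window.append((ts, path))
        window[:] = [(t, p) for t, p in window if ts - t <= BULK_WINDOW]
        if len({p for _, p in window}) == BULK_THRESHOLD:   # fire once, on crossing
            alerts.append(Alert("HIGH", "bulk-read", user, prefix))
    return alerts

def count_by_reason(alerts) -> dict:
    """Summarize alerts as {reason: count}."""
    return dict(Counter(a.reason for a in alerts))

# Constructed sample log: a normal HR read, a finance read, an engineer
# pulling five W-2 files at night, an off-season HR read, and a bad line.
SAMPLE_LOG = """\
2017-03-02T09:14:07 host=fs01 user=jsmith group=hr action=read path=/shares/hr/tax/2016/W2-0042.pdf
2017-03-02T10:05:00 host=fs01 user=mchen group=finance action=read path=/shares/finance/ledger.xlsx
2017-03-02T10:06:12 host=fs01 user=mchen group=finance action=read path=/shares/eng/roadmap.docx
2017-03-02T22:41:55 host=fs01 user=dlee group=eng action=read path=/shares/hr/tax/2016/W2-0007.pdf
2017-03-02T22:42:03 host=fs01 user=dlee group=eng action=read path=/shares/hr/tax/2016/W2-0008.pdf
2017-03-02T22:42:11 host=fs01 user=dlee group=eng action=read path=/shares/hr/tax/2016/W2-0009.pdf
2017-03-02T22:42:20 host=fs01 user=dlee group=eng action=read path=/shares/hr/tax/2016/W2-0010.pdf
2017-03-02T22:42:31 host=fs01 user=dlee group=eng action=read path=/shares/hr/tax/2016/W2-0011.pdf
2017-07-14T11:00:00 host=fs01 user=jsmith group=hr action=read path=/shares/hr/tax/2016/W2-0100.pdf
this line is malformed and is skipped
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a.severity:6} {a.reason:18} {a.user:8} {a.target}")
```

On the sample data the engineer’s night-time reads raise an unauthorized-group and an off-hours alert per file plus a single bulk-read alert once the fifth distinct file is touched, while the HR user’s July read raises only the low-severity off-season alert. The point of the design is that the access policy table is the same artifact that drives both the authorization check and the anomaly baseline, so tightening rights and improving detection are one piece of work rather than two.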
Practice Makes Perfect
To quote Mike Tyson: “Everyone has a plan until they get punched in the mouth.”
It doesn’t matter how much you’ve invested in cybersecurity or how thoroughly you’ve trained your staff if those measures don’t hold up under pressure. The only way to verify that your security investments and training actually work is to put them up against an attempted breach.
Obviously, you don’t want to post an online invitation to the local hacker community, but there are a number of strategies your business can use to test your company’s cybersecurity in a real-world setting.
Work with outside consultants or ethical hacker groups to conduct penetration tests against your systems. Have your cybersecurity team send simulated phishing emails to staff — including senior leadership — to verify that they have been sufficiently prepared, and use the results to focus follow-up training where it is needed.
The Next Step
Stopping every potential threat is impossible, but by making criminals and scammers work harder to penetrate your systems, you encourage them to move on in search of an easier mark.
To learn more about how our security awareness courses can help your business build a security-minded culture, request a demo today.