Written By: Diana Bailey, Columnist, International Director
When it comes to cybersecurity, a common misconception is that small and medium-sized businesses are attacked by cybercriminals less often than big corporations. Yet, statistics show that all kinds of organizations, big and small, public and private—from a wide range of industries—are prone to cyber-attacks. In fact, statistics for March 2018 show that individuals are the category that suffers the largest percentage (around 22.4 percent) of cyber-attacks. What’s more, the United States House Committee on Small Business found that 71 percent of cyber-attacks targeted businesses with fewer than 100 employees.
No organization is immune to such threats, regardless of its type of activity. And oftentimes, the cybersecurity defenses of an organization are not enough to fend off relentless attackers. Organizations need to have a large arsenal of measures to deal with those attacks—before, during and after they happen.
Cyber-attacks vary in their underlying motivations. They can be for the purpose of espionage, warfare, hacktivism or crime. Their techniques also vary. Attackers can target accounts, use SQL injection, spread botnet infections or take advantage of application vulnerabilities. They use multiple attack vectors such as malware and DDoS (distributed denial of service, which makes a service unavailable to its intended users). Attackers adapt to implemented security measures, and thus cybersecurity defenses need to constantly evolve at a faster pace.
The NIST cybersecurity framework
To address this issue, the National Institute of Standards and Technology (NIST) developed a framework for cybersecurity to provide guidance on the issue and unify defense fronts. The framework’s approach is flexible, resilient and prioritized, and it aims to protect infrastructure and other sectors from malicious cyber-attacks. The five main functions advised in the framework are: identification of threats, protection against those threats, detection, response and recovery after the incident. Each function includes plenty of actionable advice to help managers manage cybersecurity risk. The framework can also be useful for organizations located outside of the United States.
The advantage of the framework is that it aims to address cybersecurity risk at all levels, from micro to macro. Organizations can benefit from implementing the program and benchmarking against the best-in-class, and sectors benefit from sharing risk-management information, assumptions and requirements up, down and across supply chains. As a result, entire economic ecosystems are more immune to cyberthreats.
Rules to abide by for optimizing cybersecurity
For individuals and companies looking for simplification, there are some straightforward rules that can be followed to enhance security.
To begin with, the most vital programs and applications should be able to record all activity in a protected activity log. The log should be detailed enough to enable detection of any security issue caused by the program and/or happening to it. This helps to identify the timing of the attack and perhaps its source.
Second, use advanced encryption methods according to the desired level of security. Encryption is the first layer of security against threats, and it should be among the strongest defenses. The advanced encryption standard devised by the National Institute of Standards and Technology can be a good reference point.
Third, use prevention as much as possible. This is a more proactive approach, in which protocols are used to prevent incidents as much as possible. This can include firewalls, intrusion prevention systems (IPSs), content filters and endpoint-protection suites. Those tools can fend off most common threats to operations.
Fourth, do not forget about the threats that cannot be prevented. Even with prevention against attacks, some malicious attackers will still manage to access systems. At this point, a quick response will be required to control damage and prevent data loss. A common loss-prevention tool used is the security information and event management system (SIEM). The advantage that this system offers is that it collects logs from all applications used across an organization and identifies unwanted activity. The system is efficient in that it can gather large amounts of data from all applications and programs and use data analytics to identify harmful activity.
Fifth, have a contingency plan. The after-the-attack plan of action is a relatively passive response after prevention and damage control have failed. The details of this plan should be set in place—such as how to report incidents, and what external sources to use.
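As an added illustration of the first and fourth rules (this code is not from the article), the Python sketch below keeps a tamper-evident activity log and runs one SIEM-style check over it to recover the timing and source of suspicious activity. The HMAC chaining scheme, the function names, the key and the sample entries are all assumptions constructed for the example.

```python
import hashlib
import hmac
import json
from collections import Counter

KEY = b"constructed-demo-key"  # assumption: real keys live off the logged host

def _mac(prev, e):
    """MAC over the previous entry's MAC plus this entry's fields."""
    body = json.dumps({k: e[k] for k in ("ts", "source", "event")}, sort_keys=True)
    return hmac.new(KEY, (prev + body).encode(), hashlib.sha256).hexdigest()

def append(log, ts, source, event):
    """Append an entry chained to the one before it."""
    entry = {"ts": ts, "source": source, "event": event}
    entry["mac"] = _mac(log[-1]["mac"] if log else "", entry)
    log.append(entry)

def first_tampered(log):
    """Return the index of the first entry that fails verification, or None."""
    prev = ""
    for i, entry in enumerate(log):
        if not hmac.compare_digest(_mac(prev, entry), entry["mac"]):
            return i
        prev = entry["mac"]
    return None

def repeated_failures(log, threshold=3):
    """Return {source: timestamp of first failure} for sources at/over threshold."""
    counts = Counter(e["source"] for e in log if e["event"] == "login_failed")
    first = {}
    for e in log:
        if e["event"] == "login_failed" and counts[e["source"]] >= threshold:
            first.setdefault(e["source"], e["ts"])
    return first

def sample_log():
    """Constructed sample entries using documentation-range IP addresses."""
    log = []
    append(log, "2018-03-01T09:00:00Z", "192.0.2.10", "login_ok")
    append(log, "2018-03-01T09:05:10Z", "203.0.113.7", "login_failed")
    append(log, "2018-03-01T09:05:12Z", "203.0.113.7", "login_failed")
    append(log, "2018-03-01T09:05:15Z", "203.0.113.7", "login_failed")
    return log

if __name__ == "__main__":
    log = sample_log()
    log[2]["event"] = "login_ok"  # simulate an edit that hides one failure
    print(first_tampered(log), repeated_failures(log))
```

Chaining exposes edits and deletions in the middle of the log but not removal of the newest entries, which is one reason to forward entries to a separate collector as they are written.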
The probability of suffering a cyber-attack is ever increasing in today’s knowledge economy. And preparedness is the key to protecting digital assets. Prevention is the most effective cybersecurity strategy, but if that fails, it is important to limit the damage and have a contingency plan in place for serious threats.
Your defense lines should be customized based on the value at risk. If this value is high, you can seek insurance to transfer the risk. When considering the value at risk, you should consider not only the cost of losing your assets but also the cost of disruption to your business and the time it will take to recover your losses and resume operations (indirect losses). And most importantly, stay up-to-date on the recent approaches of attackers in order to be alert about what types of attack to expect.
The bottom line: Prevention works much better than treatment. It is also far less costly.