How To Solve Your Organization's Biggest Cybersecurity Threat
According to Baker Tilly senior manager Mike Cullen, the most common misconception about cybersecurity among his clients is the idea that cybersecurity requires "solely technological solutions." Clients who think this way overlook the biggest weakness in any organization: people. (If New Year's resolutions teach us anything, it's that people are weak.) Whether it's employees, contractors, vendors or visitors, carefully consider the parties you give access to, as they're the ones who can cause the most damage, intentionally or not.
"You have to look at cybersecurity holistically and not just as a technology problem," Mike tells Bisnow. "That includes securing the human component to make sure that they’re doing the right thing as much of the time as possible.”
To truly implement an effective cybersecurity management program, Mike says, you first need to know what you're trying to protect. Few organizations have the time and resources to completely protect every little scrap of data, so knowing what data is the most valuable and important (both to you and potential attackers) can set a strong foundation. A good example of this valuable data would be the financial and credit card information of Target's customers, which was stolen and then sold on black markets, costing the chain millions.
The criminal element, which can include everything from hacking groups to crime syndicates moving in on the digital realm, is just one of three external threats that your organization has to worry about. You also have foreign nations (China, North Korea, others) and hacktivist communities like “Anonymous” that don't have financial motivations.
"These people are looking for data and information or sometimes they’re just looking to see who’s the weakest of the bunch so they can embarrass you," Mike says. "Companies need to realize that when they connect their systems to the Internet at large, they open themselves up to external threats from all over the globe."
These threats are even more prominent in DC, with the higher concentration of government contractors, nonprofits and non-governmental organizations (NGOs). Not-for-profits and NGOs, Mike explains, have information about donors and members and can have a huge target on their back if they have politically charged missions or the work they're doing is controversial. Government contractors, on the other hand, are main targets for criminal organizations because they have access to sensitive government data.
Mike insists the biggest threat continues to be the humans inside the organization. Even if they're not out for nefarious purposes, the mistakes they make, such as falling for phishing emails, can still cause irreparable damage. When asked if there's a way to reduce this internal threat, Mike admitted that it's a challenging and ongoing process.
“It’s not a one-time thing or an annual thing," he explains. "It’s a continual education and communication process to make sure the employees in your organization—and any contractors and vendors that you have—are also aware of this. You need to make sure they understand and are on the lookout for threats. I think one of the best ways an organization can do that is to approach it on a personal level with the employees."
Giving concrete examples of how ridiculous falling for phishing is ("It's like if a stranger came up to you on the street and asked for your car keys to make sure your car works."), and making sure employees know the consequences of a cyberattack and how it would affect them personally, will make this information stick in employees' minds.
There are other steps you can take to protect your data, including creating data recovery strategies and business continuity plans, the process by which an organization looks at its business operations and asks what it can do if there's an incident. With both tactics, organizations become proactive rather than reactive. Being reactive when an attack or other incident does come, Mike says, can cause huge losses in data, information and money. Finding a level that works for your organization and the environment you find yourself in makes all the difference. Going too extreme or over the top will waste just as much money and time as being too lax.
With all these fixes, organizations can not only make themselves more secure, but also more efficient, which has been—incorrectly, Mike notes—seen as a trade-off.
“More and more organizations are realizing that they need to think about things not as mutually exclusive, but as working together, because there are a lot of things that a company can do to be secure while making sure that they are spending their resources, time and money effectively. By outsourcing payroll and other financial operations to a trusted third party, for example, you not only save yourself the security risk of having all that information on your own servers, but you save the time, effort and stress of managing all of the security practices yourself."
At the end of the day, as with anything dealing with technology, cybersecurity is constantly and rapidly evolving.
"We now have computers in our pockets, on our wrists and in our cars," Mike says. "There’s more and more technology around us that ends up causing more potential avenues of attack and potential threats and vulnerabilities, so maintaining or keeping up with that is very challenging."
Unfortunately, Mike solemnly notes, you’ll never be able to anticipate and stop everything, and in the cyberworld, it's not a question of if you'll get attacked, but when. But, by making all these changes, as well as hiring a chief information security officer or team who can protect information while sticking to the organization's business and goals, you can keep developing strategies to protect your organization and looking ahead at potential threats and new, emerging risks.
"You’re never going to be 100% ahead of the game, but you have to have resources dedicated to maintaining and staying up with the current situation as best as you can.”