There’s never been a more important time to shore up your defenses against cybersecurity threats. Companies that do not invest time and resources into implementing cybersecurity best practices face increasing risks.
In the first six months of 2022, US companies suffered 817 data breaches, and these are just the cyber attacks that we’re aware of. In reality, there are likely many more incidents that went unreported. What’s more, the average cost of a breach stands at around $10 million, having risen since 2021.
While the United States is outside Europe's GDPR (General Data Protection Regulation), implemented in 2018, US companies can also face financial penalties for unlawful data processing and breaches.
Financial loss is not the only threat to businesses either. With so many blogs and other media outlets quick to report on a large-scale data and security breach, your company could suffer severe reputational damage from such an incident. What’s more, you could be left with significant fines.
Fortunately, your company can still benefit from quick wins in cybersecurity that are simple to implement yet will increase your defense against malicious third parties seeking to infiltrate your business and its systems and prevent cyber attacks.
What is cybersecurity?
If security is protecting yourself against potential harm caused by others, cybersecurity is essentially protecting your devices and networks from unique threats posed by the internet and cybercrime. However, as we will discuss, your organization can face other threats that don’t originate from the web. Even if you’re using the most innovative cybersecurity solutions, you can still be at risk from threats that include social engineering attacks, insider threats, cyber threats, and more. We’ll explain these risks in more detail below.
Cybersecurity Awareness Month 2022
Cybersecurity is rapidly becoming a critical personal and business issue, though it has been around for quite some time. Nearly two decades ago, in 2004, the President of the United States nominated October as Cybersecurity Awareness Month. The movement has spread beyond the borders of the US, with Europe and the United Kingdom designating the same month for a greater focus on promoting personal and corporate cybersecurity.
“See Yourself in Cyber”
Each year, Cybersecurity Awareness Month has a common theme. For 2022, the theme for Cybersecurity Awareness Month is "See Yourself in Cyber." In essence, this means two things. Firstly, while cybersecurity may seem like a complex and overwhelming subject to the uninitiated, it does not have to be. Secondly, whether you’re a business leader, IT administrator, or frontline customer service employee, you can take steps to improve your cybersecurity habits and protect both yourself and your organization from cyber threats.
While systems, software, and security practices offer a great deal of protection against cybersecurity threats, so too do the people responsible for educating others, implementing security policies, and ensuring greater visibility around the threats we face.
4 strategies the CISA and NCA recommend
We’ve spoken about how cybersecurity can be a daunting subject for many, but you don’t need technical know-how to start making proper security changes right away. The CISA and NCA recommend four key cybersecurity tips that will immediately make a difference in your organization if they haven’t yet been implemented.
Enable multi-factor authentication:
Multi-factor authentication, also known as two-factor authentication (or 2FA), provides another layer of security over traditional username and password login credentials. Whenever you receive an email or text message with a code to confirm your login, that’s 2FA at work. The best multi-factor authentication solutions use physical devices – typically, your mobile phone. Even if a malicious actor or unauthorized users succeed in compromising your username and password, they won’t be able to do anything without physically having your phone in their possession.
Use strong passwords:
While you’d expect that most people understand the importance of strong passwords, several statistics may shock you:
According to LastPass, around 50% of people online use the same password for everything.
You cannot always simply rely on education to ensure that staff is using comprehensive passwords. However, password management software provides a solution to remembering long and unmemorizable passwords that vary between apps and services. Solutions such as LastPass and 1Password can suggest and store strong passwords, while securing them all under a single master password that can be backed up by multi-factor authentication. At the very least, your organization’s network should place requirements around the length and complexity of your employees' passwords.
Recognize and report phishing:
As part of cybersecurity awareness training, you can educate your employees on recognizing and reporting phishing attempts. Organizations such as the Anti-Phishing Working Group (APWG) work to reduce phishing scams and improve awareness, so it’s important to report them wherever possible instead of simply deleting them.
Update your software:
Malicious actors are continually finding ways to exploit operating systems and other software through zero-day vulnerabilities and other exploits. Keeping your organization’s software up to date and installing security patches will help to keep you protected against the latest exploits and malware threats.
How emerging technologies are helping organizations approach cybersecurity
Emerging technologies are quickly transforming the way that organizations work across multiple industries. Cybersecurity is one area where vast benefits can be seen, improving companies' ability to protect their devices and networks.
Password-based authentication is traditionally very insecure. Just look at the above examples regarding the reliance it places on users to choose a secure password, when many do not. Passwordless sign-in provides an alternative means of user authentication that can be more secure.
Apple, Google, and Microsoft pledged to adopt this new technology as early as 2023. The premise revolves around a technology similar to blockchain that will use public and private keys. Private keys will be stored within your device, while public keys will be recorded against the application or service in question.
Artificial intelligence and machine learning
Artificial intelligence (AI) and machine learning (ML) represent two of the fastest-growing areas of research and innovation in the technology sector. These concepts are increasingly being harnessed to transform cybersecurity software and thus defend against malware and other cybersecurity threats.
AI has already transformed cybersecurity and how vendors utilize it within their software. It can already be used to automate network security tasks and make automated decisions in real-time at a rate far quicker than any employee could manage. It can also analyze unusual network discrepancies and user behavior more quickly and en-masse.
Meanwhile, ML can be instrumental in other areas, such as fraud detection. By studying historical fraud patterns, financial services organizations can harness the power of ML to detect new instances and block or refer them for human evaluation.
Top emerging cybersecurity companies
The scope of potential for AI, ML, and other emerging technologies means that the industry is constantly seeing new start-ups and more-established companies focus on data and network security. Here’s a snapshot of several cybersecurity companies that are seeing success in addressing the sharp rise in cybersecurity threats:
Hook Security: Hook Security focuses on psychological security training to improve employee awareness of cybersecurity threats. In addition, the company's Phishing Testing uses automated phishing simulations that are integrated into your workforce's day-to-day duties. These help you identify vulnerabilities among your staff and ensure that they receive targeted educational videos where needed.
Red Sift: Red Sift's cloud solutions are also geared toward protecting employees and organizations from phishing attacks. Analyzing and learning from your emails in real time provides a visual indicator of communications that could threaten your organization’s cybersecurity.
Island: Island is changing the way that cybersecurity is integrated into the day-to-day experience of workers around the world. For a long time, cybersecurity tools were designed to work in the background, and security professionals would only see the exceptions or alerts. With the Enterprise Browser, Island has built the security control layer into the web browser itself. Now Island is giving security experts the tools they need, and we’re delivering a much better end-user experience. Instead of security by exception, this is secure by design.
Titaniam: With the implementation of GDPR and the associated penalties for improperly processing user data, Titaniam is the tool you didn't know you needed. It is currently one of the "most advanced data protection and privacy platforms," which can be deployed across your network in several ways, providing NIST FIPS 140-2-level security. In addition to reducing the likelihood of costly customer data breaches, it’ll protect your organizational data too.
Drata: Drata's vast library of integrations automates the compliance and security of your organization across your whole tech stack. Their solutions streamline the ISO 27001 certification, in addition to SOC 2, HIPAA, and more.
Abnormal: Abnormal is a cloud email security platform that utilizes the power of AI to protect your organization against external attacks. Their solutions can block social engineering and phishing attacks, detect compromised user accounts, and manage and process companywide emails in a number of other ways.
Cequence: Cequence Security offers end-to-end API protection that utilizes the largest API threat database in the world. Their software compiles a complete inventory of all APIs within your tech stack, flagging risks and detecting threats in real time. Deployment requires zero changes to your existing cloud and on-premises infrastructure.
Sevco: Sevco is a Cyber Asset Attack Surface Management platform. Hosted in the cloud, it can identify gaps within your existing cybersecurity strategy. You'll be able to close security holes and improve your incident response and remediation time without deploying any agents.
Cyberhaven: Cyberhaven protects your most important data across cloud and devices from insider threats in real time. Combining the functionality of data loss prevention, insider risk management, and cloud app security tools, we protect data that these tools can’t see, from threats they can’t detect, across exfiltration vectors they can’t control. With Cyberhaven Data Detection and Response you can not only detect insider threats to data, but stop them.
Best practices for evaluating cybersecurity companies and their tools
In this fast-changing industry, new cybersecurity SaaS vendors are constantly popping up. Keeping up-to-date on the latest trends in the industry is difficult, and you may be left questioning which tools are suitable for your organization.
The security market is crowded with vendors making bold claims, and many security practitioners understandably have a healthy degree of skepticism about what vendors say. Talking to peers using these technologies and piloting the technology in your own environment is the best way to understand how the product works in the real world. - Cameron Coles, Head of Product Marketing, Cyberhaven
Determine what level of support you need
Cybersecurity is a broad and ever-changing field that underpins both small and large companies. The protection needed by a large-scale enterprise will not be the same as the requirements for a smaller start-up. For example, a family-run business can immediately benefit from adopting antivirus software, a VPN (Virtual Private Network), and a password manager. An organization employing thousands of staff requires a more customized and detailed level of protection.
Adopt a risk-based attitude
When evaluating potential cybersecurity companies, consider whether the software or services offered will reduce your organization's most significant risks. For example, are you rapidly growing in an area that requires the storage of large volumes of user data, but equally aware that your data storage is outdated? It’s important to consider where best to spend your budget in a way that reduces cybersecurity risk.
Find a company with an established reputation
Time in the market is no longer a guaranteed way to vet a company's reputation, especially with so many cybersecurity companies appearing. Instead, it's important to research a prospective company and its track record in the industry. This could be through word-of-mouth referrals, business or user testimonials, or the quality of their online presence.
Consider both human and automated solutions
Cybersecurity software is becoming more powerful and feature-rich, but it still can't match the creativity and intuition of humans. The best approach utilizes both, with staff on-hand, to detect malware or other threats that may evade automated systems.
The critical role of people in cybersecurity
Malicious actors are constantly finding ways to thwart cybersecurity software and wreak havoc on businesses, sometimes for financial gain and other times simply for "fun."
Educating staff to make intelligent cybersecurity decisions:
Responsibility cannot simply be limited to employees working in an IT or cybersecurity role. You should endeavor to provide cybersecurity awareness training to all employees within your business. These programs teach staff about the most common methods malicious actors use to attack businesses, including social engineering and phishing attacks, and provide critical cybersecurity best practices.
External threat actors are constantly trying to get your sensitive data, but your employees already have access to it. Whether an employee quitting to join your main competitor, or someone who mistakenly shares something with the wrong person, the human element is often overlooked but critically important to protecting your most valuable data. - Cameron Coles, Head of Product Marketing, Cyberhaven
Trusting IT leaders to make efforts to keep companies as secure as possible:
People are the most important, for any endeavor. When it comes to cybersecurity, it’s important to think about human psychology and emergent patterns. For example, you might be tempted to require frequent MFA challenges to improve your security posture. But there’s a real danger in an emergent pattern forming where users are conditioned to complete the MFA challenge without thinking — exactly the conditions required for a malicious MFA spoofing attack. Collect real feedback, both qualitative and quantitative, about the end-user experience to make sure you’re not creating negative emergent patterns. - Tad Johnson, Product Marketing, Island
Equally, you need to be able to trust those in charge of your company’s networks and systems to stay up-to-date on continuous professional development and emerging technologies. Where gaps in cybersecurity policies are identified, you must be able to rely on your IT leaders to remediate them and reduce risk while following up on any unusual employee behavior. Even those in non-IT roles, such as office management, can ensure that non-technical cybersecurity risks are avoided, such as allowing visitors to tailgate through secured entrances.
What are quick cybersecurity wins for business leaders?
For business leaders looking to immediately take steps to combat cybersecurity threats, aside from adopting new software, these are some of the quick wins you can score immediately:
Work on understanding and knowing your network:
Most enterprises are facing a simple, foundational security crisis: they cannot protect what they cannot see. It’s a problem that stems from the uncertainty of enterprise inventory – the attack surface – and the complexities around securing a growing number of IT assets. Over the past few years, there have been lots of changes to our business environments – from the migration of IT environments to the cloud, to transitioning whole workforces to a work-from-anywhere structure – that have contributed to real complexity around asset inventory and security. Before we tackle the next new security fad, we need to see organizations re-establish security foundations. That means taking pause and reverting back to the basics of security by making an earnest attempt to gain a real understanding of the assets that organizations currently have in order to inform the security protocols needed to protect sensitive data, devices and employees. This will have the most significant impact on security programs and set them up for success in the future. - Ken Liao, VP of Cybersecurity Strategy, Sevco
You should have an understanding of all of the points of threat to your organization’s network. If any gaps exist in your cybersecurity strategy or security policies, you’ll need to plan and budget for the tools required to close those gaps. You also need to ensure that whoever’s responsible for managing that network has sufficient experience and qualifications to back them up.
Be mindful of third-party access:
You should limit, wherever possible, the number of third parties who have access to your network, both remotely and in person. The more users that gain access to your network increases your risk from another possible angle of attack. This doesn’t have to be intentional either, as third parties can also be attacked. You can’t rely on that device or organization’s cybersecurity software or habits when you have no control over them.
Make an incident response plan:
Earlier, we discussed how the average cost of a data breach had reached around $10m in the US. These costs can continue to rise with every day that passes from the breach until the day it is resolved. Thus, you should create an incident response plan that clearly defines how cybersecurity breaches will be dealt with. This will ensure that everyone involved knows who is responsible for investigating, remediating, and, where necessary, reporting the breach.
Continuously educate your staff on cybersecurity:
Depending on your staff turnover rate, your workforce will likely change continuously, and many may not have in-depth data security knowledge. Organizing a single cybersecurity training session won’t be enough to ensure that your staff is up-to-date on the latest cybersecurity threats and habits. Tools such as those provided by Hook Security, outlined above, can help to instill an environment of continuous learning within your organization.