Review Your Risk Management Plan During Cybersecurity Awareness Month
Posted by: Communications Team | October 14, 2022
October is Cybersecurity Awareness Month and a good time for businesses to review their risk management plans, especially for cybersecurity: by some estimates, businesses suffered 50 percent more cyberattacks per week in 2021.
Cyberattacks reached an all-time high in the fourth quarter of 2021, jumping to 825 a week per organization, according to Check Point Research data.
“Cyber-attacks on all businesses, but particularly small to medium-sized companies, are becoming more frequent, targeted, and complex,” writes cybersecurity expert Chuck Brooks. “Because of the new digital cyber risk environment, a security strategy for risk management is imperative.”
Hackers Target Americans and Businesses Every Day
The White House’s 2022 Cybersecurity Awareness Month proclamation reminds people that cybersecurity is not limited to government or critical infrastructure, but that hackers target Americans and businesses every day.
“Cybersecurity is about protecting the American people and the services we rely on,” said President Joe Biden. “During Cybersecurity Awareness Month, we highlight the importance of safeguarding our Nation’s critical infrastructure from malicious cyber activity and protecting citizens and businesses from ransomware and other attacks. We also raise awareness about the simple steps Americans can take to secure their sensitive data and stay safe online.”
Since 2004, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) have led a joint effort between industry and government to raise cybersecurity awareness nationally and around the globe.
“The month is dedicated to creating resources and communications for organizations to talk to their employees and customers about staying safe online,” said the NCA. “Now in its 19th year, Cybersecurity Awareness Month continues to build momentum and impact … with the overarching theme for 2022: See Yourself In Cyber.”
National Cybersecurity Alliance: It’s Easy to Stay Safe Online
The NCA says that cybersecurity need not be a complex and perplexing endeavor.
“It’s easy to stay safe online. While most of the cybersecurity news articles are about massive data breaches and hackers, it can seem overwhelming and feel like you’re powerless against it,” said the NCA. “But Cybersecurity Awareness Month reminds everyone that there are all kinds of ways to keep your data protected. It can make a huge difference even by practicing the basics of cybersecurity.”
The 2022 Cybersecurity Awareness Month campaign is highlighting four behaviors that can help strengthen digital security:
- Recognizing and Reporting Phishing: Criminals use fake emails, social media posts, or direct messages to lure you into clicking a malicious link, which then steals personal information directly or installs malware on your device.
- Updating Software: Updating your software fixes general problems and delivers new security patches that close the vulnerabilities cybercriminals might exploit.
- Using a password manager and strong passwords: Strong passwords are your first line of defense against cybercriminals and data breaches. Your passwords should be long, unique, and complex.
- Enabling multi-factor authentication: Sometimes called two-factor authentication or two-step verification (and abbreviated to MFA), this cybersecurity measure for an account requires anyone logging in to prove their identity in multiple ways.
Cybercrime Could Cost the World $10.5 Trillion Annually by 2025
Cybercrime is costing businesses trillions of dollars each year, and some predict a worldwide drain of $10.5 trillion annually by 2025.
“If it were measured as a country, then cybercrime would be the world’s third-largest economy after the U.S. and China,” wrote Cybercrime Magazine editor-in-chief Steve Morgan in 2020.
Morgan says the $10.5 trillion damage cost estimate is based on historical cybercrime figures, including recent year-over-year growth, the dramatic increase in nation-state-sponsored and organized crime hacking activity, and the continued digital transformation around the world.
Cybercrime costs include, according to Morgan:
- Damage and destruction of data
- Stolen money
- Lost productivity
- Theft of intellectual property
- Theft of personal and financial data
- Post-attack disruption to the normal course of business
- Forensic investigation
- Restoration and deletion of hacked data and systems
- Reputational harm
Half of U.S. Businesses Do Not Have a Cybersecurity Risk Plan
Chuck Brooks, in his mid-year 2022 cybersecurity report for Forbes, notes that “despite another record year of breaches including SolarWinds, Colonial Pipeline and others, half of U.S. businesses still have not put a cybersecurity risk plan in place.”
This news also comes on the heels of research showing that in 93 percent of cases, an external attacker can breach an organization’s network perimeter and gain access to local network resources.
The damage that cybercriminals wreak on businesses can be devastating: the FBI reports that since 2016, some $43 billion has been stolen through business email compromise.
“Worryingly, there has been a 65 percent increase recorded in identified global losses between July 2019 and December 2021. The report suggests that this increase can be ‘partly attributed to the restrictions placed on normal business practices during the COVID-19 pandemic’ with many workers forced to do their jobs remotely,” reported Tripwire.
Protective measures against business email compromise include:
- Use secondary channels or two-factor authentication to verify requests for changes in account information.
- Ensure the URL in emails is associated with the business/individual it claims to be from.
- Be alert to hyperlinks that may contain misspellings of the actual domain name.
- Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
- Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender's address appears to match whom it is coming from.
- Ensure the settings in employees' computers are enabled to allow full email extensions to be viewed.
- Monitor your personal financial accounts regularly for irregularities, such as missing deposits.
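As an added example that is not part of the original post, the following Python script applies several of the checks listed above to an incoming email on the defender's side: it compares the sender's domain and each hyperlink's real target against a list of trusted business domains (looking for misspellings, look-alike characters such as "1" for "l", and a trusted name embedded in a longer hostname), and it flags links whose visible text names a different domain than the one they actually point to. The trusted-domain list, the homoglyph table, the distance threshold and the sample message are all constructed assumptions for the illustration.

```python
"""Flag common business-email-compromise indicators in an incoming message:
a sender domain that imitates a trusted one, a hyperlink whose visible text
names a different domain than its real target, and a target domain that
merely embeds a trusted name. Added illustration, not code from the original
post; the trusted-domain list and the sample message are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: domains the business itself sends mail and links from.
TRUSTED_DOMAINS = {"example.com", "payments.example.com"}

# Character swaps commonly used to register look-alike domains (heuristic:
# it can misfire on legitimate names that contain these sequences).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values indicate a near-miss spelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lower-case, drop a leading 'www.', and undo homoglyph substitutions."""
    d = domain.lower()
    if d.startswith("www."):
        d = d[4:]
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def is_trusted(domain: str) -> bool:
    """Exact trusted domain or a genuine subdomain of one."""
    d = domain.lower()
    return any(d == t or d.endswith("." + t) for t in TRUSTED_DOMAINS)


def is_lookalike(domain: str) -> bool:
    """Not trusted, but close enough to a trusted domain to deceive a reader."""
    if not domain or is_trusted(domain):
        return False
    d = normalize(domain)
    for t in TRUSTED_DOMAINS:
        if d == t or edit_distance(d, t) <= 2:
            return True  # misspelling or homoglyph swap (threshold is an assumption)
        if t in d and not d.endswith("." + t):
            return True  # trusted name embedded, e.g. example.com.attacker.test
    return False


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


# Matches a bare or scheme-prefixed domain name that appears in link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def check_message(raw: str) -> list[str]:
    """Return human-readable findings for a single-part text/html message."""
    msg = message_from_string(raw)
    findings = []
    _name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    if is_lookalike(sender_domain):
        findings.append(f"sender domain {sender_domain!r} imitates a trusted domain")
    parser = LinkCollector()
    parser.feed(msg.get_payload())  # assumes a non-multipart HTML body
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        if is_lookalike(host):
            findings.append(f"link target {host!r} imitates a trusted domain")
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and normalize(shown.group(1)) != normalize(host):
            findings.append(f"link text shows {shown.group(1)!r} but points to {host!r}")
    return findings


# Constructed sample: a look-alike sender and a disguised link beside a legitimate one.
SAMPLE = """\
From: "Accounts Payable" <ap@examp1e.com>
To: finance@example.com
Subject: Updated bank details
Content-Type: text/html

<html><body>
<p>Confirm the new account at
<a href="https://example.com.verify-update.test/login">https://example.com/portal</a>.</p>
<p>Reference: <a href="https://payments.example.com/inv/42">invoice 42</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print("BEC indicator:", finding)
```

Run against the constructed sample, the script reports three indicators: the sender domain `examp1e.com`, the link target `example.com.verify-update.test`, and the mismatch between the link's visible text and its real host; the genuine `payments.example.com` link produces nothing. The distance threshold and homoglyph table are deliberately loose, so in practice this belongs in a mail gateway as a warning banner or quarantine trigger that a human still reviews, not as an automatic block.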
Cyber Risk Management Strategy for the C-Suite
Chuck Brooks, this time writing for Homeland Security Today, says that there are several overarching security strategies to evaluate, depending on your business’s requirements and threat posture.
“In our current digital environment, every company is now a reachable target, and every company, large or small, has operations, brand, reputation, and revenue pipelines that are potentially at risk from a breach,” writes Brooks. “Executives can no longer view security, both physical and cyber, as a cost accounting item. It needs to be prioritized as an investment in people, processes, and technologies. It really needs to be part of the company culture from top down.”
Brooks recommends the following strategies for cyber risk management:
- Security by Design: This holistic approach ensures that security risk governance and management are monitored, managed, and maintained continuously. New security risks are prioritized, ordered, and addressed frequently with continuous feedback and learning.
- Defense in Depth: This security architecture principle goes both “deep” with many layers of security and “narrow” with the number of potential attack paths minimized. Cloud services and those that store sensitive data should use defense in depth.
- Zero Trust (ZT): We may all be heading to a zero trust world where the cybersecurity focus shifts from static, network-based perimeters to users, assets, and resources. Authentication and authorization, for both users and devices, must be proved and reapproved continuously.
“These three pillars of cybersecurity risk management need not stand alone. In fact, they all should be incorporated together in a cybersecurity framework strategy to identify gaps, mitigate threats, and build resilience in the case of an inevitable cyberattack,” concludes Brooks.