What You Need to Know about Cybersecurity
Cyber Awareness Month
For the record, National Cybersecurity Awareness Month (NCSAM) was not created in resistance to Skynet, the ‘Synthetic Intelligent Machine Network’ despite the title of this blog. The National Cybersecurity Alliance (NCSA) and the U.S. Department of Homeland Security (DHS) launched the initiative in October of 2004 in an effort to help Americans be more secure online. In this month’s blog, we focus our attention on cyber trends in business and offer a few tips from Connor’ to keep data safe.
Increasing Trends in Business
The good news is at least your business does not have it as bad as the Pentagon. The DOD receives 36 million emails full of malware, viruses and phishing schemes from hackers, terrorists and foreign adversaries per day.
The bad news is there are more attacks than ever, and the industry with the most alarming trend in recent years is business. Hackers might call small business ‘low hanging fruit’ because most have valuable data but don’t have the same level of security as the US government or a large corporation have. Here is a link to a visual from Statista showing the number of data breaches in the United States from 2014 to 2018 by industry.
This Is Happening in Austin
Here are a few headlines involving ATX:
- Austin based, Whole Foods was subject to a credit card security breach in 2017 by unauthorized software at the POS system
- Austin Based MedSpring Urgent Care had to notify 13,034 patients about a potential data breach resulting from an employee who fell victim to an email phishing scam
- These companies made the worst hacks of 2018 list and may affect Austin users: Instagram, Facebook, Google+, MongoDB, Task Rabbit, Ticketmaster, Under Armor, Adidas, FedEx, Life Lock, Reddit, and the list goes on…
These attacks are only the ones that have been documented and are well known. How many attacks go undetected or never make the headlines?
Ways to Protect Your Startup
Ashley Rose, CEO, of Living Security, a cybersecurity awareness firm based in Austin, shares 5 tips for startups to balance operational efficiency and reduce risk:
- Be in the know! Security culture thrives when people are AWARE of their surroundings, AWARE of the risks and AWARE of the good actions to take. Think: setting a cultural standard to challenge visitors on-site to show a form of ID and prove their reason to be there before tailgating into your secure area.
- Pentest your apps! A great gut-check is letting someone else try to exploit your beloved application or product. A professional ethical hacker known as a pentester can unveil many vulnerabilities in code, which may harm you down the line. Fixing them at the outset is a great way to protect your bottom line.
- Claim your turf! Home-field advantage comes when you understand your network, your online footprint, and where your data is stored. Once you track everything down and clean up the mess, enable two-factor authentication on your accounts, especially your critical assets, to ensure that you are not one bad password away from a breach.
- Use Passphrases! Typing ‘My dog muffy & me 2!” is much easier to remember than typical password gibberish. Longer is stronger! Even better, if you want to store and encrypt them out of sight and out of mind, try using a password manager among the team members.
- Re-brand fear! By nature, people already understand safety and security and lock their doors at night from rational fear. By re-branding fear as wisdom in the face of danger, you can change culture to appreciate a healthy paranoia and a good security hygiene.
Mike Roth, CEO of Evo Security, a cybersecurity company based in Austin, is a big proponent of The National Institute of Standards and Technology (NIST) framework. “One of the best ways to prevent threat actors from gaining a foothold into your system is by implementing Multi-Factor Authentication (MFA), also known as Two-Factor Authentication (2FA), which is a subset of MFA” says Mr. Roth. “NIST MFA standards outlined in 800-53 Rev. 4 are best practice for any system with sensitive information.”
If Skynet Were to Hack Your Business
Despite all the preventative measures taken, a hack can still occur. This brings us into the detect, respond, and recover part of the NIST framework where insurance can help. From an insurance perspective, please make sure you have a cyber insurance policy in place before the hack takes place. You will also want to make sure it has the correct limits to help with the response. The effects of a cyber-attack can be devastating on your business if not handled properly.
If cost is a barrier to purchasing cyber initially, ask your agent to put it on a ‘Blended Form’ with your Errors & Omissions policy. Your client’s legal team may not like the shared limits, but at least you will have something in place to protect them and your business in a claim scenario. Larger and more sophisticated clients will typically not budge on their contractual requirements for cyber and having separate limits.
Most of my clients are C-Corps with high profile executives and board members. Getting the right coverage in place is also a great way to protect the board, leadership and investors of your firm. Not having a cyber policy in place or not having sufficient limits has been interpreted in some high-profile cases as a breach of fiduciary duty. The executives and board members need to make sure they are aware of the risks, have taken adequate action to prevent, and are prepared to respond to a potential data breach.
Be aware of what data you have and your duty to protect that data. Take all required and reasonable measures to protect the data. Make sure you have the appropriate cyber coverage in place with a reputable carrier. Figure out what to do if a breach should take place.
At least until…
About Living Security
Living Security, based in Austin, is dedicated to providing game-changing security awareness training to employees through real world experiences with their Escape Room product and their new Cyber Escape training platform. Living Security’s innovative approach to security awareness training enables companies to track and measure the effectiveness of their programs and provides a collaborative and hands-on approach to reducing corporate cybersecurity risk. For more information, contact Mike Canino, Director – Security Awareness Solutions at firstname.lastname@example.org.
About Evo Security Technologies
Evo Security Technologies, based in Austin, is making NIST-level MFA cost-effective, flexible and low-touch so organizations can focus on their primary work flows. Evo is building a streamlined architecture for enterprise solutions, which will help prevent unnecessary brute force attacks. For more information, contact Mike Roth, CEO, at email@example.com.