Following up on our last post about Cyber Awareness, we now focus on cybersecurity in the workplace. All organizations – large and small, for-profit and non-profit – need to be vigilant about cybersecurity. According to one analysis, 918 data breaches led to 1.9 billion data records being compromised worldwide in the first half of 2017, or about 10 million records a day, a 164% increase. Another study found that since 2013, a sample of company breaches had led to over $52 billion in shareholder losses.
Organizations can easily improve their security by blocking unnecessary websites, applying appropriate filters to incoming emails, and themselves implementing multifactor authentication. More systemically, companies are increasingly joining the federal agencies that are implementing the NIST Cybersecurity Framework. It has been predicted that by 2020, 50% of businesses will be utilizing it.
Putting It Into Practice: Companies should consider the following steps:
- Block websites that your employees don’t need access to for their work purposes, but that can be the hosts or portals for cyber attacks.
- Apply strong and effective filters to incoming emails to remove obvious phishing and other malicious correspondence.
- More systematically, consider joining the federal agencies and other companies that are implementing the NIST Cybersecurity Framework. It has been predicted that by 2020, 50% of businesses will be utilizing it, and as that happens, it will more and more become the standard by which corporate cybersecurity is judged.
- If you handle sensitive information (either yours or that of your clients), and particularly if you do work for the government, look into coming into compliance with NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. If you have contracts with the Department of Defense you may already be required to do so, and the rest of the federal government is expected to require it for sensitive information within the next year.
- Improve and accelerate your patching and updating: Several recent major breaches resulted from the fact that a company had not (yet) patched software that not only had a known vulnerability, but for which a patch was available. On sophisticated systems, patching is not simple or instantaneous, but companies should consider devoting more attention and resources to patching and updating quickly.
- Replace outdated computers and servers: Companies often fail to replace their IT assets until they fail. However, manufacturers cease to provide updates and patches after machines reach a certain age. Those machines then become vulnerable, making a company’s entire system vulnerable, if those machines sit on the network. Companies need to be aware of this issue and act on it.