November 21, 2016
Cyber risk is like your aunt making awkward comments on your Facebook page—it’s one of those unfortunate parts of the modern world that we all have to deal with. But unlike our aunts on Facebook, we can’t just block out cyber threats with one simple click. Cyber threats are constantly evolving, so companies need to be vigilant about their online security.
Cyber risk is the chance of anything going wrong with your IT systems that can cause a disruption to business or financial losses. It’s basically the probability of management needing to curse at the tech department. Cyber risk includes things like outages that grind things to a halt, intrusions that leave your systems vulnerable and data breaches where your information is stolen. Even the poor souls who manage to live their lives without Wi-Fi can’t escape cyber risk. If their bank or government is hacked, their private data could be leaked and used for all kinds of nefarious purposes.
Modern companies need to be alert to their cyber risks because so much data is kept online. Although this provides the world with great convenience and accessibility, it also means that there are huge vulnerabilities unless adequate and correct security precautions are taken. With many communication systems also running over the internet, a business can be severely impacted if the risk is not managed properly.
Managing and keeping track of a company’s networks and systems.
Where internet security and business practices converge. With strong cyber resilience, policies and procedures are clearly outlined in advance so that a business can still operate when under attack.
A way that an attacker might try to access your system or network. This is normally a malicious act aimed at stealing data or distributing malware.
The theft or public exposure of a company’s data. This could include credit card numbers, email addresses, records and more.
The collaboration between software developers and other IT workers to produce faster and better services.
A tool that is designed to abuse a vulnerability within a system. This is usually done with malicious intentions.
A threat from within the company, such as a dissatisfied or angry employee.
An attack from outside of the company.
The process for updating a company’s systems and software to close any known vulnerabilities.
An attacker may attempt to trick company employees into divulging confidential information, often on the phone.
A previously unknown vulnerability in a system or network. Because the developers are unaware of the flaw, zero-day vulnerabilities are a serious threat.
This is an attack in which an unauthorized party gains entry to the network but the breach isn’t discovered for a long time. APTs are generally used to steal information, not to cause immediate damage to the network. These attacks are a big concern for organizations with extremely valuable information, such as financial institutions and governments.
These are malicious attempts to take down a company’s network for a period of time. Distributed Denial-of-Service (DDoS) attacks are similar, but they use many computers in coordination. DoS attacks can be costly to a brand’s reputation, but they don’t normally involve any theft.
These are unintended downloads that leave malware on a user’s computer. This can happen simply by visiting a website.
Malware is short for malicious software, programs that are designed to disrupt or harm a user’s computer. Malware is commonly distributed through software downloads or email attachments. Trojans, bots, viruses and worms are all different kinds of malware.
Malicious advertising uses online ads to spread malware. Malware is downloaded to the user’s system when infected ads are clicked on.
MitM attacks involve someone intercepting data as it passes between two parties. These attacks can be used for eavesdropping or for capturing passwords sent between users and their banks.
This type of fraud involves the attacker tricking users into giving up valuable information. It’s commonly done through phishing emails, where someone will pose as the user’s bank or other service and attempt to get them to give up their personal details.
These programs present themselves as virus removal tools that ask a user for money in exchange for removing a virus. They often introduce malware to the system instead.
Hackers can be anyone, from that greasy computer nerd in their mother’s basement to the modern day James Bond, a suave government spy uncovering state secrets from the safety of their desk. They can operate by themselves or as part of a network. There are three main types that businesses need to worry about, depending on their industry.
The first type of hacker is the cyber criminal. All they care about is making money, whether it comes from individuals, small businesses or huge corporations. One of their main objectives is to steal private information or intellectual property that they can sell or use fraudulently.
These are politically motivated hackers, such as the group Anonymous. Rather than seeking money, they launch attacks that are aimed at causing as much damage as possible to organizations that go against their political ideology.
State-sponsored hackers are one of the most fearsome security threats a company can face. Warfare has made its way onto the internet, and with the backing of a country’s budget, these hackers have the resources to do serious damage. They are known for stealing valuable intellectual property and seeking out state secrets.
Unless you run the Pentagon or a controversial, high-profile company, it’s unlikely that your business will be specifically targeted by any of these types of hackers. The majority of attacks that the average firm will face are purely opportunistic. They are usually performed by bored people who are just looking for something easy to exploit. If it looks like it will be a lot of work to hack into your company, they will simply move on to an easier victim.
Picture hackers as burglars scouting a street for somewhere to rob. If they see a house with a 10-foot wall and rabid guard dogs, they will probably keep walking down the street until they find someone with a Shih Tzu and an unlocked door. In the same way, if you want to protect your business, you don’t need to make it impenetrable, just more difficult than other targets.
There is no single thing that you can do to protect your business. Adequate security is multifaceted and requires you to:
To protect your company from cyber threats, you need to understand the risks it faces. The most common risks that firms will have to deal with include malware, attacks from outside the company and simple user errors. Other key points of cyber risk include the misuse of operating systems, insider threats, service provider failures, and the theft of physical equipment.
Only when you are aware of the risks your business faces can you begin to take protective measures. Not sure about your risk factor or security readiness? Try out our assessment tool; if nothing else, it will serve as a great starting point for determining your current security posture.
Protecting your company from threats requires a solid and actionable plan. Once you have identified the key risks that your business faces, it is important to develop the right strategies, processes, and management systems to deal with them. And if your workforce is remote, or uses their own devices (increasingly common these days), make sure to take those into account when crafting your policies. Good security policies bring control back to your organization and allow you to be proactive about keeping your organization safe. Not sure what makes a good policy? We’re here to work with you throughout the process.
Preventing attacks is important, but it is also necessary to have a plan for how to recover in the event that something does happen. A good recovery plan will reduce your downtime and minimize any damage that occurs during an attack. This can be the difference between a minor breach and a devastating event for your company. Don’t have a recovery plan? We can help with that too.
Unfortunately, people aren’t as perfect as some of us might think we are. As humans, we are prone to making mistakes, whether they are simple errors or catastrophic blunders. This is readily apparent in cyber security, where small mistakes can lead to vulnerabilities and attacks that have severe impacts on business. The good thing is that, with the right training, these problems can be significantly reduced.
Cyber risks are constantly evolving. As new security measures are put in place, attackers are already working on ways around them. Keeping on top of these risks is a full-time job and probably something that isn’t core to your business. Our team is here and ready to help you ensure that you can continue to focus on your core business, not on the business of keeping your business running smoothly.
We want to learn about you and see how we can help!