Cybersecurity Risk Management

Data is an Asset - are You Protecting It?

Cybersecurity refers to the tools, processes, and expertise used to protect computer networks from intrusions by outside parties. Data theft is a major concern for businesses, and cybersecurity analysts are tasked with identifying and defending against hacking attempts. Companies that fail to take cybersecurity seriously may suffer financial, operational, and reputational damage.

There are many reasons someone would steal sensitive information, from identity theft to corporate espionage. The list of companies recently targeted by hackers includes household names from the retail and finance sectors. Building a robust cybersecurity framework has become a priority for businesses that collect or distribute sensitive information. In today’s digital economy, that encompasses both corner stores and multinational corporations.

How Cyber Threats Affect Businesses

Hackers are adept at uncovering system and software vulnerabilities that allow them to access or disrupt business networks. The risk of an intrusion is very real. Here are five common types of cyberattacks and how they can affect a business:

Malware

Malicious code, such as a virus, is introduced to a network through an email, a link, or a physical upload. The malware can wreak havoc on internal systems, stealing data, erasing files, or blocking access for authorized users. Malware that infiltrates a point-of-sale system, for example, can monitor credit card swipes and expose businesses and customers to identity-theft risks.

So-called ransomware attacks are a variation on this theme, with hackers demanding payment in order to repair the damage they’ve done.

Malware spans three risk categories: operational, financial, and reputational. In many cases, computers infected with malware become very expensive paperweights. Businesses often lose access to customer files, inventory records, and other electronic documents. When a company’s ability to operate is disrupted, financial damage is all but assured. Finally, news of hacks can cost a business customers or expose it to lawsuits.

Phishing

A common tactic of hackers, phishing allows unauthorized parties to collect login credentials. Phishing schemes can take several forms:

• An attacker impersonates a legitimate user and sends an email or message to an employee seeking a username and password. The real employee thinks they’re helping a colleague but instead ends up abetting the scheme.
• The hacker creates an official-looking bogus website for a company system or account. They then send a message asking an employee to login to the site, often to verify details. Once the attacker has collected the employee’s login information, they use it to gain access to the real website.

Once an unauthorized user has access to a business account, they can steal customer details, access proprietary information, and cause all manner of problems. Depending upon how long the scheme goes undiscovered, the company can suffer severe financial and reputational damage.

Network Eavesdropping

A Wi-Fi network is compromised, allowing unauthorized people to collect unencrypted data broadcast over company routers. Wi-Fi eavesdropping generally requires the intruder to be in close proximity to the network. Wi-Fi encryption can help prevent this, so long as attackers don’t gain access to router login credentials.

Access to a Wi-Fi network can be a goldmine for hackers. They can collect financial information, employee records, or any other sensitive files transmitted over the network.

Distributed Denial-of-Service Attacks

The goal of a DDoS attack isn’t to steal data, but instead to overwhelm a network to the point of collapse. Attackers will often release malware that hides itself on unsuspecting people’s computers all over the internet – until given an order to begin accessing a website. The server hosting the site suddenly receives a spike in requests from all those infected computers, causing it to “seize up” and deliver error pages.

What does a hacker gain from a successful DDoS attack? Usually nothing more than the temporary disruption of a business’s website. But this can have severe consequences if a site is pulled down during a peak time for the business, such as Black Friday or Cyber Monday. DDoS attacks have also been used to briefly silence political organizations or government agencies. Many so-called “hacks” of internet sites are DDoS attacks.

DDoS attacks present an operational risk, and extended outages can cause financial pain. There are fairly simple steps businesses can take to harden their defenses, but many companies are blind to the threat until it’s too late.

Device Theft

Traditional theft may not garner much media attention these days, but when an employee laptop, smartphone, or USB drive is stolen, it can be a formidable threat to the employer. Many people use multiple devices to do their jobs, and each piece of hardware contains a treasure trove of data that can simply “walk out the door” in the hands of a thief.

Device theft can expose a business to a broad range of risks depending upon the nature of the stored data. Confidential documents might contain sensitive financial details or reveal a company’s strategy for taking on competitors. If customer information is leaked by the theft, there can be legal ramifications and reputational damage. Taking measures to safeguard devices is essential to building a strong cybersecurity framework.

How to Prevent Cyberattacks

Cybersecurity experts must protect networks against attacks on multiple fronts. New viruses and security vulnerabilities are discovered daily, but businesses can adopt best practices to help shield themselves from cyberattacks:

1. Educate employees about malware and phishing. Many people have at least a passing familiarity with the idea of computer viruses. Explaining how common attacks occur, including how to identify suspicious communications, can provide a good first-line defense against hackers. Ask employees to forward these messages to your IT team for further analysis. Network administrators may be able to block senders from delivering more messages.
2. Ensure that communications are encrypted, and install software patches as early as possible to bolster security controls. Virtual private networks (VPNs), WPA2 and SSL encryption, and security updates from software publishers can all work together to make your network more resistant to hacking. Many attacks used by hackers are already known to cybersecurity experts, and these professionals have written code to protect against the threats. Take advantage of software patches as they become available.
3. Establish strict data security policies. All employees should understand what the company expects in regards to data and device security. How should people log on to company systems when working remotely? What are their responsibilities when taking laptops or USB drives outside of the office? Most importantly, explain reporting standards that should be followed when an attack is suspected. Don’t wait until after an information security incident to consider the answers to these questions.

Cybersecurity Risk Management and Your Vendors

Many businesses share data with third-party vendors. Cloud-storage solutions may house customer information on servers owned by another company. As a result, a business depends upon another company’s cybersecurity risk management framework to secure data. Management must perform their due diligence when entrusting sensitive files to another party.

The cybersecurity threats discussed above can also affect your business partners. What can a company do to manage risks to data stored externally?

1. Research potential vendors and existing partners. Learn all you can about their business, including data breaches that may have affected them in the past. You can consult business information databases and media reports to help uncover such incidents.
2. Ask your partners about their data security infrastructure and policies. A business has every right to know how a vendor will safeguard their information. Pursue answers to your questions until satisfied that the other company is doing all they can to protect your data.

The battle between cybersecurity professionals and hackers will persist into the foreseeable future. Cybersecurity risk management can help businesses take steps to protect their digital resources from hackers.

View Dun & Bradstreet’s risk management tools for businesses.