The Five “P’s” of Guarding Against Cyberattacks
To reduce the heightened chances of data breach, companies must take proactive measures to safeguard their data. As companies assess their data protection strategies, here are five tips to keep in mind.
Protect Employees from Sophisticated Phishing Attacks
Phishing attacks—attempts by cybercriminals to install malicious software and/or steal information—are increasingly sophisticated and target a wider swath of people. As we saw with Target, cybercriminals can gain access to critical systems by stealing login information from third-party vendors. By targeting contractors and vendors as well as employees, criminals increase their chances of gaining access to proprietary or sensitive data. According to Verizon’s 2015 Data Breach Investigations report, "a campaign of 10 emails yields a greater than 90 percent chance that at least one person will become the criminal's prey."
The attacks are also increasingly targeted. Several years ago, about 10 percent of users opened phishing emails on average. But Verizon found that 23 percent of recipients opened phishing messages last year. Additionally, the low volume and narrow breadth of these attacks make it harder to detect a breach. Phishing attacks can be executed in minutes, but could take weeks or months to be detected.
Prevent Data Privilege Abuse
Verizon reported that more than half (55 percent) of insider incidents involved the exploitation of privileges. It’s tempting to grant broad access to data rather than go through the effort of applying different permission levels relevant to each person’s responsibilities. However, this is a loophole that criminals are readily targeting. It’s critical that companies assess the permissions that are granted to employees and vendors and ensure that the proper safeguards are in place to limit access to data and systems only to those who “need to know.”
Prohibit Cybercriminals from Deepening Their Roots
The majority of data exploitations often take place more than a year after the breach occurred. Once they gain access to a database, criminals can move deeper into the system and wait until the right time to leverage the data. Therefore, organizations must be vigilant in monitoring all critical accounts and systems so that when a breach does occur, it can be identified quickly. The longer a criminal has been on your network, the deeper their roots will grow, and the longer it will take and the more expensive it will be to ultimately weed them out.
Provide Employees with Best Practices
Even with a strong defense-in-depth strategy that includes technological solutions at different layers of the network, the weakest link in the security chain continues to be the end user. As such, employee awareness is critical. Providing employees with best practices for keeping data secure and showing them how to identify potential cyberattacks is an important part of any data protection strategy. Such training is also a requirement for many facets of regulatory compliance. Additionally, be sure that you are holding your vendors and contractors to the same high data protection standards that you hold your employees to, and review data-sharing policies with them.
Publicize and Communicate Cybersecurity Policies
While implementing policies to mitigate risk is important, once you make it difficult for users to do their jobs and conduct the company’s business, they will look for ways to get around those protections. This can lead to less visibility into user behavior and leave companies vulnerable to attacks. It’s important that those responsible for cybersecurity measures maintain a dialogue with executives and managers. You can introduce an advanced protection strategy, but if users don’t think it’s important or executives feel as if your controls are too restrictive, you’ve lost the battle.
At the same time, it’s impossible to have a bulletproof data protection strategy. That’s not to say we should give up, though. Maintaining a balance of protection and prevention measures as well as a plan for detecting and containing a breach can greatly mitigate the impact of compromised data. Data breaches are inevitable, but that doesn’t mean organizations are powerless against them.