Is cyber security still just a fad?

27.10.20 08:38 AM By Jonathan Faurie

This is the last week of Cyber Security Awareness Month, and hopefully you have navigated it without any incident.

 

Risk management plays an important role in the financial services industry. Insurers and credit providers take a serious look at risk and invest a lot of time and capital in developing models that will address the identified risk. It gives them an idea of where they are and where they need to be. Its true benefit can be seen in achieving identified deliverables.

 

Risk management also plays a significant role in the technology industry. However, because of the nature of the evolution of this risk, models need to be fluid and have to be extremely adaptable.

 

Serious complexity

Let’s revisit the financial services industry for a second. Risk management plays an important role in this industry because it is an effective way to address risk. This is only true because the risks that the industry faces haven’t changed much over the past ten years. Risk management in the technology space becomes a challenge because cyber security is seriously complex.

 

The article points out that consumers, businesses, and entire systems all over the world are under threat on a daily basis. Valuable personal and financial information is exposed and ready for the taking. Simple tasks like using a credit card, a phone, or a computer provide an opportunity to take our money, our identities, and our ways of life. Data breaches are capable of rendering large, powerful companies vulnerable.

 

As the world evolved and became more technological, attacks evolved along with the new developments.

 

A new window to climb through

The article points out that when humans learned to domesticate animals and grow food, larger settlements were established and societies started to flourish in multiple locations across the world.

Sedentary societies then placed value not only in food and clothing, but in things such as cattle, crops, land, houses, and machinery.

 

Commerce was created, and value was placed on a new concept: money. Goods were then exchanged for precious metals such as gold, silver, and bronze in the form of coins, and for paper money years later.

 

The article adds that the value of money prompted societies to create impenetrable fortresses and sophisticated vaults to keep valuables away from the hands of criminals.  As societies became more complex, both crime and remediation efforts evolved along with them. Before the rise of computers, trespasses were much easier to prevent. All we had to do was keep a door locked. The internet has given a new window to climb through for digital assets.

 

This tells us that security has also evolved alongside attacks to give rise to holistic security. Today, digital assets have the highest value. Our neighbourhood is now the entire globe. In response to this new type of cyber criminal, organizations have developed an equally evolved security system.

 

Be prepared!

The article points out that, because of our daily interaction with connected devices, computers, smartphones, and tablets, it’s important for everyone - from the CEO and software developers to suppliers and employees - to be aware. Everyone can play an important part in keeping information safe.

 

The article adds that ransomware has become a headache for businesses and individuals alike. This type of attack can hold data hostage via encryption, which is the process of converting data into unreadable code to prevent access, until the victim pays a large amount of money to get the decryption keys. Organizations can fall victim to ransomware through drive-by downloads and phishing emails. Millions of people around the world have reported encounters with ransomware.

 

While attackers are finding new, innovative ways to threaten the security of an organization, holistic and complete security will give enterprises a chance to fight against any attack and protect their data.

 

The article points out that everyone in the company should have the following questions in mind:

 

-  CEOs: how secure is your company? What risks are you exposed to?

-  Technical Teams: how can you make data easy and accessible to your team without compromising security?

-  Product Owners: at what stage do you integrate security?

-  Employees: what is your role in cybersecurity? What can you do to protect your company’s data?

 

The article pointed out that it is important for cybersecurity to be a company-wide approach - a combination of people, processes and tools. Organizations should develop security operation centres, which are intelligence-led and are focused on creating high-level defence, cyber hygiene, education, and awareness.

 

The goal? To stress-test your systems, identify, contain and remediate the negative impact fast.

 

Cyber literacy

When my parents were at school, my mom had to do typing lessons as a school subject. It was the same for me when I was at school where a module of Computer Literacy Classes focused on typing. Spoiler alert, I still type with a single finger on each hand looking at the keyboard the whole time.

 

We digress. There is a significant push for subject matter such as coding and cyber security to be included in computer literacy classes in classrooms around the world. Cyber risk literacy should be part of every defensive strategy.

 

The article points out that while almost 95% of cybersecurity issues can be traced back to human error, such as accidentally clicking on a malicious link, most governments have not invested enough to educate their citizens about the risks, according to a report from the Oliver Wyman Forum.

 

Cyber risk literacy of the population

The article adds that cyber literacy, along with financial literacy, is a new 21st century priority for governments, educational institutions, and businesses.

 

“Cyberattacks are now one of the fastest growing crimes globally and are expected to cost organizations more than $600 billion dollars a year by 2021,” Paul Mee of the Oliver Wyman Forum told helpnetsecurity.com.

 

“The situation has become even more pressing during the pandemic as our reliance on the internet has grown. Yet many citizens still lack the basic skills to keep themselves, their communities, and their employers safe.”

 

Fifty geographies, including the European Union, were assessed on the present cyber risk literacy of their populations, and on the nature of related education and training available to promote and enable future cyber risk literacy.

 

The article points out that the index measures five key drivers of cyber risk literacy and education: the public’s motivation to practice good cybersecurity hygiene; government policies to improve cyber literacy; how well cyber risks are addressed by education systems; how well businesses are raising their employees’ cyber skills; and the degree to which digital access and skills are shared broadly within the population.

 

How are assessed countries doing?

The article added that Switzerland, Singapore and the UK topped the list because of their strong government policies, education systems and training, practical follow through and metrics as well as population motivation to reduce risk.

 

Switzerland, the number one ranked country, has a comprehensive implementation document that lays out specific responsibilities along with what national or provincial legislation is required. Specific milestones are set, and timelines are assigned to ensure accountability regardless of who oversees the government.

 

Singapore, which is ranked second, has prioritized cybersecurity education efforts from early childhood to retirees. It established the Cyber Security Agency of Singapore to keep its cyberspace safe and secure. Its cyber wellness courses occur over multiple grades and focus on social and practical safety tips such as understanding cyber bullying.

 

The article pointed out that the UK, ranked third, has the most integrated cyber system because it incorporates cyber risk into both primary and secondary education. The UK’s National Cyber Security Strategy of 2016-2021 is also one of the strongest plans globally. The US ranked 10th.

 

Countries that rank lower lack an overall national strategy and fail to emphasize cyber risk in schools. Some countries in emerging markets are only beginning to identify cybersecurity as a national concern.

 

“Governments that want to improve the cyber risk literacy of their citizens can use the index to strengthen their strategy by way of adopting new mindsets, trainings, messaging, accessibility and best practices,” Mee told helpnetsecurity.com. “With most children using the internet by the age of four, it is never too early to start teaching your citizens to protect themselves.”

 

Problematic issues

Another article by helpnetsecurity.com pointed out that cybersecurity is failing due to ineffective technology.

 

A failing cybersecurity market is contributing to ineffective performance of cybersecurity technology, Debate Security research reveals.

 

The article pointed out that, based on over 100 comprehensive interviews with business and cybersecurity leaders from large enterprises, together with vendors, assessment organizations, government agencies, industry associations and regulators, the research shines a light on why technology vendors are not incentivized to deliver products that are more effective at reducing cyber risk.

 

The report supports the view that efficacy problems in the cybersecurity market are primarily due to economic issues, not technological ones. The research addresses three key themes and ultimately arrives at a consensus for how to approach a new model.

 

Cybersecurity technology is not as effective as it should be

The article pointed out that 90% of participants reported that cybersecurity technology is not as effective as it should be when it comes to protecting organizations from cyber risk. Trust in technology to deliver on its promises is low, and yet when asked how organizations evaluate cybersecurity technology efficacy and performance, there was not a single common definition.

 

Pressure has been placed on improving people and process related issues, but ineffective technology has become accepted as normal – and shamefully – inevitable.

 

The underlying problem is one of economics, not technology

The article added that 92% of participants reported that there is a breakdown in the market relationship between buyers and vendors, with many seeing deep-seated information asymmetries.

 

Outside government, few buyers today use detailed, independent cybersecurity efficacy assessment as part of their cybersecurity procurement process, and not even the largest organizations reported having the resources to conduct all the assessments themselves.

 

As a result, vendors are incentivized to focus on other product features, and on marketing, deprioritizing cybersecurity technology efficacy – one of several classic signs of a “market for lemons”.

 

Coordinated action between stakeholders only achieved through regulation

The article pointed out that, unless buyers demand greater efficacy, regulation may be the only way to address the issue. Overcoming first-mover disadvantages will be critical to fixing the broken cybersecurity technology market.

 

Many research participants believe that coordinated action between all stakeholders can only be achieved through regulation – though some hold out hope that coordination could be achieved through sectoral associations.

 

The article added that, in either case, 70% of respondents feel that independent, transparent assessment of technology would help solve the market breakdown. Setting standards on technology assessment rather than on technology itself could prevent stifling innovation.

 

Defining cybersecurity technology efficacy

The article pointed out that participants in this research broadly agree that four characteristics are required to comprehensively define cybersecurity technology efficacy.

 

To be effective, cybersecurity solutions need to have the capability to deliver the stated security mission (be fit-for-purpose), have the practicality that enterprises need to implement, integrate, operate and maintain them (be fit-for-use), have the quality in design and build to avoid vulnerabilities and negative impact, and the provenance in the vendor company, its people and supply chain such that these do not introduce additional security risk.

 

“In cybersecurity right now, trust doesn’t always sell, and good security doesn’t always sell and isn’t always easy to buy. That’s a real problem,” Ciaran Martin, Advisory Board Member at Garrison Technology told helpnetsecurity.com.

 

“Why we’re in this position is a bit of a mystery. This report helps us understand it. Fixing the problem is harder. But our species has fixed harder problems and we badly need the debate this report calls for, and industry-led action to follow it up.”

 

“Company boards are well aware that cybersecurity poses potentially existential risk, but are generally not well equipped to provide oversight on matters of technical detail,” John Cryan, Chairman Man Group told helpnetsecurity.com.

 

“Boards are much better equipped when it comes to the issues of incentives and market dynamics revealed by this research. Even if government regulation proves inevitable, I would encourage business leaders to consider these findings and to determine how, as buyers, corporates can best ensure that cybersecurity solutions offered by the market are fit for purpose.”

 

“As a technologist and developer of cybersecurity products, I really feel for cybersecurity professionals who are faced with significant challenges when trying to select effective technologies,” Henry Harrison, CSO of Garrison Technology, told helpnetsecurity.com.

 

“We see two noticeable differences when selling to our two classes of prospects. For security-sensitive government customers, technology efficacy assessment is central to buying behaviour – but we rarely see anything similar when dealing with even the most security-sensitive commercial customers. We take from this study that in many cases this has less to do with differing risk appetites and more to do with structural market issues.”

 

Be cyber smart

Cyber security is advancing at a rapid rate. Companies are no longer able to keep a constant eye on their employees and offer the protection that they need. A measure of this responsibility rests on the shoulders of those below board level.

 

Use a strong password

The article points out that, for users who have to manage a large number of applications and software, the easiest option would be to pick a password that is easy to remember, and then apply it across the board.

 

While this might be a convenient option, it is definitely not the safest. Cybercriminals these days use tools that sniff out passwords reused on other sites to make their work easier and to make the stolen passwords and data more lucrative on the dark web. Hence, it is recommended that you choose strong passwords, using different alpha-numerical combinations, as well as change them periodically.

 

Opt for two factor authentication

The article adds that the rule of thumb when creating any digital account should be to always set up two-factor authentication (2FA).

 

It’s a common practice to log in to accounts using multiple devices, most often those of colleagues or people we trust. Just trusting the person is never enough. It is their machines that you must trust. If you have logged into a network on a PC with malware, you are essentially letting cybercriminals access your data. In such cases, having 2FA helps to prevent egregious attacks where a cybercriminal tries to log in to your account and steal your data.

 

Safeguard your entry points

The article points out that all it takes is one weak entry point to allow a cybercriminal access to your entire network.

 

Forgetting to close down the access points that are not being used can leave an open door for hackers to enter and place malware on your network.

 

Look out for signs of a scam

The article points out that phishing attacks have become increasingly common these days, and use several tactics to target vulnerable users. At the same time, there are often several tell-tale signs of a scam in the making, which you can easily spot if you keep a sharp lookout for them. For example, emails with improper grammar and spelling mistakes are one of the biggest giveaways. Additionally, links that promise freebies and then ask you to enter card details are also illegitimate.

 

Frequently update your system

The article adds that inexpensive home internet devices are prime targets for hackers. A best practice is to update these frequently, and apply all security patches quickly. Older devices that no longer receive firmware updates should be immediately switched out for newer models, to prevent hackers from controlling traffic through routers and implementing various attacks.

 

Cybercrime is advancing at a rate which we can no longer afford to take lightly, or ignore. No organization or user today can be considered too small to be a potential victim, hence there is a strong need to create awareness on phishing or targeted attacks. Furthermore, the increased dependence on technology to stay connected, and ensure business continuity, has opened the floodgates to a whole new set of potential cybersecurity vulnerabilities that users must be conscious of. By practising these simple tips and maintaining good IT hygiene, we can be cybersmart, and safe on the internet.

 

There are other helpful, yet simple, tips to follow:

- increase your online privacy. Protect your online accounts by implementing multifactor authentication and using strong passwords, which consist of letters, numbers and special characters. Individuals should also refrain from accessing banking information or making online purchases when connected to an unsecured public network;

- stay secure while you work. As more employees work virtually during the COVID-19 crisis, they should be more vigilant about internet scams and online fraud. Business and personal information should be treated with the same care; avoid sharing it with unfamiliar parties or over unsecured networks. It is important to keep the security software on your business devices up to date, because only one employee needs to be compromised for an entire organization to experience a data breach;

- use social media responsibly. Social media is a great way to connect with friends and family, but it can also allow scammers and cybercriminals to target you. Only accept friend requests from people you trust, avoid clicking links in messages from strangers, and refrain from posting your personal information online. Remember to be careful about what you share. Remember, there is no “delete” button online.

 

“The responsibility to fight cyber crime is upon all of us. We cannot stand back and say that it should be an issue that needs to be tackled at board level. We are all exposed and we can all take a stand against this. Simple interventions, and being aware, can definitely go a long way to address this. Are you going to play an active role?” asks Craig Tarr, CEO of GTconsult. 

Jonathan Faurie
