News reports about illegal cyberactivity are alarming for technical and non-technical people alike. The key is for this information to be just that: informative. In many instances, the attacks that succeed against organizations lacking basic protections are not sophisticated at all. Breaking the threats down and implementing appropriate, often basic, safeguards will therefore deflect most would-be breaches.
The good news is that experts say the majority of cyber-intrusions can be avoided by organizations that have implemented basic controls. One report estimates that as many as 80% of ransomware attacks could be avoided by instituting and following recognized best practices.
Prevention can be divided into two main categories: technical and human. A third option, retaining consultants and/or coaches, is a means of ensuring a regulator can implement safeguards in both the technical and human realms.
Though IT staff or contractors are needed to implement or improve most technical cybersecurity measures and to monitor technology updates and threat trends, it is helpful for a regulator's leadership to have a basic understanding of how risk is approached.
Some common implementations (the people, processes, or technology used to reduce risk) include:
- Automatic updates to existing software, so that fixes are applied without relying on each user.
- Timely installation of security patches, prioritizing systems exposed to the internet.
- Two-factor (or multi-factor) authentication, especially for email, remote access, and administrator accounts.
- Anti-virus or endpoint-protection software.
- Anti-phishing controls, such as email filtering that quarantines suspicious messages.
- Strong, unique passwords for staff, ideally managed with a password manager (note that periodic mandatory password changes are no longer recommended by NIST SP 800-63B; passwords should instead be changed when a compromise is suspected), and more.
This is also an area where regulators will increasingly rely on third parties. Many regulators outsource a portion of their cybersecurity to technology companies by hosting data and services in the cloud, moving business processes and IT systems to cloud vendors precisely to benefit from expertise that would otherwise be cost-prohibitive. Such arrangements also present partnership opportunities to increase technical knowledge in-house.
However, even when regulators use a third-party vendor for certain technology-based operations, such as licensing, other vulnerabilities remain, and regulators must still undertake due diligence on the vendor and retain responsibility for their own data. Further, some cloud solutions are highly complex and require a high level of expertise to configure and operate securely. If a regulator has no in-house expertise on this subject, it may be necessary to contract certain services to ensure that an appropriate minimum level of protection is in place.
The first step is to review, identify, and classify the different types of information being collected, how and where they are stored, who has access to them, and for how long they are retained. Following this, regulators must identify and evaluate any existing safeguards and conduct a risk assessment. This will inform the planning and execution of any further cybersecurity implementations.
Even non-technical individuals can do much to prevent cyberattacks and breaches, particularly social engineering attacks. A social engineering attack, as discussed above, preys on human emotions and depends on a reactive, emotional human response to succeed.
There are basic signs to look for when cybercriminals attempt a social engineering attack, and once staff learn to recognize them, the risk becomes more manageable. Continual reminders are needed, and organizations often test staff with simulated phishing emails to measure how well the training has been understood and applied.
Data-Breach Incident Response Coach
If knowing where to start, or what to do first, is a large part of the challenge in confronting cybersecurity, particularly for small regulators, help is available. Regulators can call on a data-breach incident response coach to help them assess their needs and create a plan of action. Many cybersecurity consulting companies can also help simulate the response to incidents and/or breaches, which leads us to the next section.
With cyber-intrusions on the rise, nothing is foolproof, and mitigation tactics are therefore essential. Many organizations now maintain a cyber-incident response plan: prepared procedures that define responsibilities, activities, and partnerships, and that are activated before, during, and after an incident is detected.
Of course, it isn't possible to have a written plan for every situation. If you want to know how prepared you are, schedule a workshop and walk through common scenarios. Qualified experts in the field can run these workshops if the regulator lacks in-house expertise. If you do not feel your team is prepared after the workshop, address the gaps it revealed before an actual incident tests them.
Another common mitigation strategy is cyber insurance, which is becoming increasingly commonplace. This is separate from general liability coverage and involves its own application and review process. In fact, going through the application process can be very instructive for regulators, because its questions focus on what safeguards the applicant has in place. And, just as with any third-party technology vendor, an insurance agent in this space can be a resource to call on when needed.
A recent AGCS report suggests that three out of four organizations do not meet AGCS requirements for obtaining insurance, so they must work with insurers to meet the criteria and threshold for coverage. Insurance may not be critical for organizations with strong controls, but since few are truly ready for rare, high-impact events, it is a valuable add-on at relatively low cost.
The way in which organizations view and integrate cybersecurity into their operations is under increasing scrutiny. Regulators, big or small, should treat cybersecurity as a governance issue as well as an everyday operational one. With cyber-intrusions on the rise, it is important that all stakeholders, including staff, feel informed and involved in the solution.
Many statistics illustrate a gap in effective communication about threats and risks. This does not mean that non-experts need to suddenly become cybersecurity experts, but it does mean that leadership must better integrate cybersecurity measures into everyday business and ensure that the right skills and expertise are placed in the right positions.
Many of the recommendations made by experts in this space apply to even the smallest of organizations, and most of them can be scaled to an organization's available resources. By making cybersecurity a more prominent issue, regulators can take control of it, identifying where shortcomings exist and where further assistance, guidance, and investment are needed.