By Tony Spurlin, Chief Information Security Officer, Windstream
It seems like every few months we hear about a major hack or data breach affecting millions of people. This summer, it was Capital One and some 100 million Americans whose personal data was harvested. Increasingly, it’s small and midsize businesses that are the targets of cyberattacks, and because these attacks are growing in number and sophistication, many businesses face an existential threat in light of the consequences.
Each October, the U.S. Department of Homeland Security marks National Cybersecurity Awareness Month. It’s a time for government and public-private partnerships to encourage business data security and, at home, cyberattack defenses that begin with recognizing that you have digital assets.
Data breaches, denial-of-service attacks, ransomware, phishing and other digital dangers may not feel urgent to anyone who is as yet unhurt, but cyberattacks are almost exponentially more numerous in the United States than in any other country. And almost two-thirds of the victims aren’t the Wall Street credit card companies we hear about, but the Main Street businesses we drive past.
In counseling businesses on data security, the discussion often begins with misconceptions around vulnerability, the nature of cybercrime agents, and the liability businesses may face in the event of a cyberattack.
Misconception #1: My data (or the data I can access) isn’t that valuable. Begin with the premise that all data is valuable. Do an assessment of the data on hand – routinely collected, filed, accessed and transmitted – and inventory it, giving weight to its sensitivity. Most companies have client and customer business data assets that, if compromised, would impact trust and future business.
Misconception #2: Cyberattacks arrive without anyone’s permission or knowledge. A cyberattack can occur over any internet connection, but increasingly, it begins with a correspondence. Phishing – along with vishing and smishing – is a request for access that requires an initial response. Spear phishing, in which a communication arrives ostensibly from a customer, friend or contact, is particularly insidious.
A first-line cyberattack defense is managers’ choice to train employees around these introductions.
Misconception #3: Cybersecurity is an advanced technology game. True, the average IT specialist can’t write effective antivirus software exclusive to the small-to-midsize business any more than the average motorist builds her own car. What is also true is that security is best approached as a mix of business solutions and employee training, along with clear policies and protocols guiding company culture.
Training should emphasize small security thresholds employees can meet at any time:
Employees should be shown what phishing scams and other opening gambits look like. Be suspicious of …