Cyber security isn’t just a matter of IT. Adequate security relies on system-wide coordination among people and processes, touching every aspect of IT administration.
Every company should consider what they can do to better prepare their employees, leadership, and infrastructure for a potential event in terms of mitigating the impact and dealing with any fallout.
According to a survey from Allianz Risk Barometer, most business respondents (44%) agreed that the risk of cyber incidents was the most pressing concern facing their companies. The risk of more generalized business disruption came second at 42% of respondents. The data illustrates that cyber security hasn’t fallen by the wayside in terms of priorities; companies are more aware of the dangers they face and what’s at stake when they’re unprepared to act.
Most Common Threats You’ll Encounter
Cyber security threats come in various forms, but most attacks fall under one of several common categories. Familiarize yourself with this list as a starting point in your security preparation:
Malware
Malware is a broad term that encompasses a variety of attacks, most often referring to viruses, spyware, worms, or other illicit tracking tools. Malware is often deployed surreptitiously and left to run in the background on the victim’s machine. More disruptive variants (such as ransomware) render the system unusable until it is remediated.
Phishing
A form of social engineering, phishing attacks trick unsuspecting users into revealing sensitive account information. This is often done via spoofed email or social media. Typical phishing attacks involve sending mass emails to a group, while more targeted “spear phishing” involves a direct, personalized attempt to steal credentials from a specific company or user.
Poor Password Hygiene
Nearly every company will need to contend with this all-too-common vulnerability. Weak, recycled, or out-of-date passwords are a common way in for threat actors looking for an easy route into a system. A company’s employees are often the business’s most significant vulnerability, whether through leaked data, social engineering, or another exploit. For adequate security, good password hygiene (including regular updates and multi-factor authentication) is necessary.
Man-in-the-Middle Attacks
Attackers can exploit weaknesses in a company’s security infrastructure to wedge themselves between a switch and an endpoint, intercepting information that passes over the connection. This attack is insidious because affected users will likely have no idea of the threat, believing they’re communicating with the legitimate endpoint.
Denial-of-Service (DoS) Attacks
This attack involves overloading a system with traffic requests to the point where it can’t handle the burden. The system may be taken down temporarily during the attack, preventing legitimate users from accessing functions.
Internet-of-Things (IoT) Attacks
Due to the fast growth of IoT devices in business use, IoT attacks have become commonplace. These attacks target connected devices (many of which lack essential security features) to gain access to a system. A notable example of this attack occurred in 2017 when a Las Vegas casino experienced a cyber attack through its internet-enabled fish tank!
SQL Injections
This attack occurs when an attacker inserts malicious Structured Query Language (SQL) statements into a system, often through input fields such as search or comment boxes. It exploits vulnerabilities in the application’s own code and must be addressed through more secure coding practices.
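To make the “secure coding practices” point concrete, here is an added example (not code from the original article or from HipLink) that contrasts a search box handler which pastes user input straight into the SQL text with one that binds the input as a parameter. The products table, its rows, and the search terms are all constructed for the demonstration; an in-memory SQLite database stands in for whatever database the application would really use.

```python
import sqlite3


def make_db():
    """Build an in-memory products table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (name TEXT, description TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [
            ("Widget", "Blue widget, small", 1),
            ("Gadget", "Red gadget, medium", 1),
            ("Internal note", "Unpublished item", 0),  # must never be listed
        ],
    )
    return conn


def search_vulnerable(conn, term):
    """Defective pattern: the search term is concatenated into the SQL text,
    so characters in the term (quotes, comment markers) are parsed as SQL.
    A term such as x' OR 1=1 -- turns the published-only filter off and
    a harmless name like O'Brien raises a syntax error."""
    sql = (
        "SELECT name FROM products WHERE published = 1 "
        "AND name LIKE '%" + term + "%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Hardened pattern: the term is passed as a bound parameter. The driver
    sends it as data, never as part of the statement, so the published-only
    filter cannot be altered by the input. (LIKE wildcards in the term are
    still matched as wildcards, which is a search-quality issue, not SQL.)"""
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def apostrophe_breaks_vulnerable(conn, term="O'Brien"):
    """Return True if the concatenating version cannot even handle a plain
    apostrophe in ordinary input, which is the same flaw seen from the
    availability side rather than the confidentiality side."""
    try:
        search_vulnerable(conn, term)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR 1=1 --"  # constructed input that alters the query text
    print("vulnerable:", search_vulnerable(db, probe))
    print("safe:      ", search_safe(db, probe))
    print("apostrophe breaks vulnerable:", apostrophe_breaks_vulnerable(db))
```

Running the block shows the concatenating version returning every row, unpublished one included, for an input that merely contains a quote and a comment marker, while the parameterized version treats the same text as a literal search string and returns nothing. The same parameter-binding discipline applies to any database driver, and it also removes the crashes that ordinary names containing an apostrophe cause in the concatenating version.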
How Training Can Save Your Company
The above is just an overview of a few common cyber threats a business may encounter, though new exploits always appear. And even if you have a cybersecurity program, don’t assume your system is safe!
By some estimates, on average, cybercriminals can break into 93% of business systems, with penetration of the company’s network occurring in just two days. The research also notes that attacks on business systems can be devised quickly, putting businesses in a challenging position.
The best way to establish ironclad cyber security at your company is to commit to a multi-pronged approach built around the CIA triad: Confidentiality, Integrity, and Availability. Each of these elements represents a critical part of cyber security, but here, we’re focusing on confidentiality and the role that user training plays in a security system.
Many of the above cyber threats directly result from employees unknowingly exposing their company to elevated risk. Issues like email phishing or password hygiene may seem small but represent real vulnerabilities that can lead to catastrophic damage. While employees are often the weakest link of a security chain, the good news is that they can be taught to tighten up their security practices and eliminate these vulnerabilities.
Streamline Your Security Plan
We recommend establishing a formalized cyber security training program for employees. This program should follow several steps:
- Define program scope and goals
- Engage stakeholders and establish representatives for action
- Plan a security education program with hands-on instruction on best practices
- Implement, measure, and optimize the program over time to iron out emerging vulnerabilities
Examine the above issues and make sure the most common threats are covered. Teach employees the basics of password hygiene and business email management. Warn them of the dangers of using unapproved or unsecured devices for business purposes, and be extra mindful of how IoT endpoints may add additional risk to a system.
And, of course, every cyber security training program should include a full rundown of disaster recovery planning, including which tools will be used to coordinate recovery efforts when a critical event occurs.
It can be a lot to cover, so our team at HipLink put together a resource called 10 Secrets to Improving Cyber Security. We discuss a few essential things to know about creating a business security plan and the importance of covering all the bases when devising ironclad system security.