The US Department of Homeland Security defines Cybersecurity as:
The art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.
The concept of security is not absolute. There is no way anything is ever really 100% secure. Imagine your home: you have a front door, a lock, and an alarm system. You put the sticker on your front glass and the sign in your lawn that your home is being monitored by a burglar alarm company, which lets criminals know that IF they were to break in, the sirens start going off and they only have a certain amount of time before the cops show up.
All these precautions you’ve taken might deter a casual criminal, but a criminal that is up for the challenge still might attempt to break down that door. Knowing that there are some sophisticated criminals out there, we as human beings (probably subconsciously) still keep a measure of security even inside our homes. We don’t leave wads of cash near the front door, or the expensive Cartier bracelet that you just got for your anniversary thrown on the kitchen counter. No. You might have a safe in a closet upstairs, possibly not even in your master bedroom. Why? Because if the criminal was smart and quick enough to make it through the front door and now has 90 seconds to gather as many things of value as possible, where are they going to go? Looking for the rings, Rolexes and expensive purses in the master bedroom.
Well, the same thing goes for your digital home. You can mitigate the casual attacker, but the sophisticated and more advanced attacker, who has nearly inexhaustible resources to keep attempting the attack until they are successful, will do just that. Two important questions that you have to ask yourself are:
- How quickly can you determine that they’ve broken down that digital front door? In physical life, if it takes you twenty minutes to find out a criminal is inside your home, consider everything a loss. Bye-bye. Imagine having a cyber criminal with access to all your information for weeks and you don’t know it? How much damage can they do?
- How compartmentalized are the things in your digital home? Think about your Cartier bracelet, your Rolex, and your Birkin bag. If you go on vacation and these items do not go with you, are you leaving them all in the same spot in your home, right on the foyer table? Probably not. You still take some measure of security, and it is necessary so that everything cannot be stolen at once. The same needs to be done with the data that your organization collects.
CIA Triad: Foundation of Cybersecurity
The CIA Triad is a security model that has been developed to help people think about various parts of IT security. Confidentiality, Integrity, and Availability are at the core of everything in cybersecurity. Let’s review the three in detail.
Confidentiality – It is perhaps the most obvious aspect of the CIA triad when it comes to security, but it’s also the one most overlooked. It is the principle of applying rules that restrict access to information to authorized users only. If authorization is given to a specific user, it is for a specific purpose. Here is a simple example to understand it:
Steve having authorized access to the ticket system is an example of maintaining confidentiality.
If Steve gains unauthorized access to customers’ credit card numbers, you can no longer vouch for the confidentiality of the database.
What are some ways that you can keep the confidentiality of your data?
- Data Encryption
- Two-Factor Authentication (2FA)
- Biometric verification (fingerprints)
Integrity – involves maintaining the consistency, accuracy and trustworthiness of data over its entire lifecycle. You have to be able to guarantee that information has not been altered in an unauthorized manner. How is this achieved? It is monitored by establishing a set of controls and safeguards that let you determine whether something unauthorized has happened. Checksums, version control, and digital signatures, together with evidence of logins, messages sent, and electronic document viewing, are a few ways to help track the integrity of the data.
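To make the difference between those controls concrete, here is an added example (not code from the original page or from The Bunker) that stores a ticket record alongside both a plain checksum and a keyed tag, then shows what each one catches when someone with write access edits the record. The record, the key handling, and the function names are constructed for illustration; the HMAC stands in for a digital signature in that both bind the data to a secret the tamperer does not hold (a real signature uses a private key to sign and a public key to verify).

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample record (hypothetical ticket-system row, not from the page).
RECORD = {"ticket_id": 1042, "customer": "A. Example", "amount_due": "125.00"}


def canonical_bytes(record: dict) -> bytes:
    """Serialize a record deterministically so identical content always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def checksum(record: dict) -> str:
    """Unkeyed SHA-256 checksum.

    Detects accidental corruption (disk errors, truncated copies), but anyone who
    can change the record can also recompute this value, so it is not tamper-evident.
    """
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def verify_checksum(record: dict, expected: str) -> bool:
    return hmac.compare_digest(checksum(record), expected)


def mac_tag(record: dict, key: bytes) -> str:
    """HMAC-SHA-256 over the record.

    Without the key an attacker cannot produce a valid tag for a modified record,
    so a matching tag is evidence the data is unchanged since it was tagged. The key
    must live somewhere the database writer cannot reach (e.g. a separate service).
    """
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_mac(record: dict, key: bytes, expected: str) -> bool:
    return hmac.compare_digest(mac_tag(record, key), expected)


def tamper_demo(key: bytes) -> dict:
    """Store record + checksum + tag, then simulate an edit by someone who holds
    write access to the record but not the key. Returns each control's verdict."""
    stored_checksum = checksum(RECORD)
    stored_tag = mac_tag(RECORD, key)

    # The editor alters the record and re-derives the plain checksum to match.
    tampered = dict(RECORD, amount_due="0.00")
    forged_checksum = checksum(tampered)

    return {
        "original_checksum_ok": verify_checksum(RECORD, stored_checksum),
        "original_mac_ok": verify_mac(RECORD, key, stored_tag),
        # Checksum passes because it was simply recomputed: the edit goes unnoticed.
        "tampered_checksum_ok": verify_checksum(tampered, forged_checksum),
        # Tag fails because the editor could not recompute it without the key.
        "tampered_mac_ok": verify_mac(tampered, key, stored_tag),
    }


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)  # in practice: fetched from a key store, never stored next to the data
    print(tamper_demo(demo_key))
```

The point for a defender is in the last two dictionary entries: a checksum stored in the same place as the data only tells you about accidents, while a keyed tag (or a signature) whose key is kept apart from the data also tells you about deliberate changes, which is what the integrity goal above actually asks for.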
Availability – information needs to be consistently and readily accessible for authorized parties. Authentication mechanisms, access channels and systems all have to work properly for the information they protect, and to ensure it’s available when it is needed so business productivity is not impacted. What happens when employees run into authorization issues daily? They stop caring about the cybersecurity culture of the organization. They find a loophole to access the data they need, and leave a pathway for a cyber criminal to enter your systems under the radar.
How to Protect Your Business from Cyber Threats
Now that we’ve gotten the foundation of what cybersecurity is and the goal of maintaining the confidentiality, integrity and availability of your data, how can you begin successfully protecting your data from data breaches?
Here are four steps you should begin taking immediately:
- Encrypt your data: Data encryption is a process that transforms sensitive data into ciphertext that cannot be read without the key. This way, if an attacker steals the data, they won’t be able to use it. It’s great practice to encrypt all of your information both in transit and at rest.
- Back up your data regularly: One of the best proactive measures you can take is to back up all of your data and store it elsewhere. This will allow you to have access to your data if your systems are taken offline, or hackers steal your data and hold it for ransom.
- Educate your workforce: Team member error and negligence is one of the leading causes of data breaches, especially when it comes to phishing attacks. Taking time to educate your workforce on best practices, how to identify a possible breach, what to do if they make a mistake and whom to contact in the event of a mistake is one of the most powerful steps you can take toward protecting your environment.
- Secure hardware systems: Every device on your network, from computers to printers, mobile phones or Internet of Things (IoT) devices, represents another endpoint that can be exploited by cybercriminals.
According to the Ponemon Institute’s Cost of a Data Breach global report, in 2020, data breaches on average cost $3.86 million. The United States has the highest country average cost equaling $8.64M. How would your business survive if you were the victim of a data breach?
Cyber Liability Insurance is Not Optional
Cyber liability insurance is a policy designed specifically for data breaches, malicious attacks, ransomware, and many other cybersecurity threats. While the primary goal of cyber liability is to protect the business buying the policy, it can also extend to the clients that interact with your business. There are two types of cyber liability coverage:
- First-party coverage: Covers financial losses incurred directly by the business, such as loss of income during a shutdown, cost of repairing hardware/software, coverage for response and remediation costs associated with a breach, extortion money required by a hacker, reputation management expenses after a cyberattack, and much more.
- Third-party coverage: Covers losses resulting from other people affected by the cybersecurity incident, such as a customer suing a business after identity theft, costs you are responsible for arising out of regulatory fees and penalties, etc.
- Preventative and Reactive coverage: Some cyber liability policies will include risk mitigation services to help prevent cyberattacks. Some will include coverage for credit monitoring and fraud prevention before/after a cybersecurity incident occurs. They also offer a hotline for customers affected by a breach.
As a business owner, it’s common to feel overwhelmed by the number of insurance policies that you have to purchase and potentially never have to use. However, none of the other policies in your insurance portfolio will cover a loss to your business due to a cyber incident. For example, most General Liability policies exclude a loss from a data breach or incident. You might have a “coverage extension” that was added onto the policy, but that is not true Cyber Insurance coverage.
How The Bunker Can Help
At The Bunker, we can perform a risk-free Cyber Assessment on your business through one of our agency partners. With only a few questions we can give you a Dynamic Loss Prevention report that breaks down the information into a weighted measure of overall cybersecurity, ratings for each of the eight risk groups that make up the score, a peer benchmark compared to others in your industry, and clear recommendations on opportunities to fix vulnerabilities, prioritized by the potential impact on overall security. Give us a call at 954-239-7346, so we can help your business move from danger to a safe place!