Technology is a driving force for organizational goals. The rapid adoption of cloud computing and the widespread availability of mobile devices and apps has moved technology from serving as simply a support mechanism to the critical differentiator in the way in which companies operate day-to-day and in how they prepare for the future.
As technology grows in its importance, so does the issue of security. Companies of all sizes consistently rate security as a top priority among all of their technology issues. Clearly businesses seem to understand the importance good security practices. But are they taking the right steps?
Companies have good reason to be concerned. The threat of cybercrime is very real and the impact of becoming a cybercrime victim is potentially catastrophic.
In its "2015 Cost of Cyber Crime Study" the Ponemon Institute found that the number of cyberattacks against governments and commercial enterprises continues to grow in frequency and severity. The average cost of a single cybercrime is $7.7 million. While this figure is skewed by large enterprises, the per capita cost for a small business ($1,388) is significantly higher than the cost for a large firm ($431).
Large or small, public or private sector, all organizations must embrace a comprehensive approach to cybersecurity that’s built on the foundation of three critical elements: risk assessment, new security tools and the human element.
Assessing risk is not a new concept for businesses, especially within firms with a strong project management mindset. But the time has come for more organizations to engage in and apply a rigorous analysis of its security practices.
Typical analysis activities include determining the probability of a risk, estimating the potential impact, and determining mitigation strategies. The time and effort involved in building mitigation is directly related to the probability and impact. A high probably/high impact risk requires much more robust mitigation than a low probability/low impact risk.
New cybersecurity tools available.
Firewalls may not be a complete security solution anymore, but they are still a critical part of the security preparedness. Companies may need to update their firewall, as their function has evolved from filtering traffic to restricting traffic.
Other new security tools to consider include Data Loss Prevention (DLP) technology, which tracks data to watch for inappropriate behavior; and Identity and Access Management (IAM) recognizes users in individual applications and gives them proper access.
Human element and training.
Research by CompTIA and other organizations consistently shows that the main cause of security breaches is human error by employees, who either don’t follow policy or haven’t received the training that would alert them to a potential security threat.
Too often, though, companies ignore the risk that’s present every day within their four walls. According to an October 2015 CompTIA-commissioned survey of 1,200 full-time workers across the U.S. titled "Cyber Secure: A Look at Employee Cybersecurity Habits in the Workplace," 45 percent say they do not receive any form of cybersecurity training at work. We can’t expect employees -- the first line of defense -- to act securely without providing them with the knowledge and resources to do so.
Complicating the cybersecurity challenge for organizations is the fact that they are dealing with multiple generations in their workforce. Baby Boomers, Gen Xers and Millennials each present unique security challenges and risks to organizations. For example, 42 percent of Millennials have had a work device infected with a virus in the past two years, compared to 32 percent for all employees. Age also factors into security awareness. 46 percent of Millennials are familiar with two-factor authentication, compared to just 21 percent of Baby Boomers.
With the wave of new workers coming into the workforce, organizations need to take extra precautions and make sure they have effective training in place. Companies can’t treat cybersecurity training as a one-and-done activity, or something that’s only relevant to the IT department. It needs to be an ongoing initiative for all employees throughout the organization.
The best security technology products and the most comprehensive policies and processes won’t work without appropriate human action and intervention. Spreading cybersecurity awareness, knowledge and training throughout the entire organization, from the receptionist at the front desk to the CEO in the corner officer, is essential. Otherwise, organizations run the very real risk of becoming the next cybersecurity victim.