10/5/2018
BY: JEFF WILLIAMS
The number of cybercrime victims grows by 2.7 million every day, or 1,861 victims a minute. The total global cost of cyber-attacks in 2018 so far exceeds $600 billion, with organizations spending $8 billion a year on ransomware alone. It is clear that cybersecurity risk continues to grow, with a variety of agencies from the Department of Defense to the Automotive Industry Action Group mandating new industry-wide standards for cybersecurity. As businesses of all types and sizes are vulnerable to these attacks, the time is now to establish safe cyber practices to ensure companies can operate securely in the increasingly technology-dependent business landscape.
As seen in the infographic here, cyber-attacks can have devastating impacts on companies – especially smaller businesses. While the cybersecurity risk is clear, the ways to avoid such a catastrophe are not as obvious. Fortunately, leaders of organizations can effectively manage the risk associated with cyber threats through safer business practices, including:
- Know your information. Everyone has something worth protecting, even if you don’t always realize it. Such valuable information could vary anywhere from technical drawings to specific intellectual property to key marketing campaigns. The first step to protecting this information is to actually know what it is and what its loss could mean for your organization.
- Understand how the information is used and who can access it. Once we know what information we want to protect, the next item we need to understand is why we have this information and what it is used for. Historically, many companies operated based on the concept of “you can never have too much information,” holding on to old documents and data in case it is needed at some point in the future. While that might have worked in the past, the idea of “keeping everything” should remain there – in the past. We now live in a time where every bit of information we have could potentially be used (or stolen) by others. The best, most effective way to protect something is to simply not have it. This is especially true in light of recent restrictions and requirements placed on the handling and storage of personal information. Start by asking yourself, “Do I really need this information?” If the information is truly something you need to have within your company, as business owners and decision makers you then need to take a hard look at who has access to this information. Consider the following questions:
  - Do I know who has access to the information I deem worthy of protecting?
  - Is this information stored in an area that all employees can easily access?
  - Do all current employees with access actually need it as part of their job, or do they have it as a side effect of our current business practices?
- Document company and system policies. While it is important to document all company policies and procedures, it is equally important to ensure all team members are aware of the policies. For example, if one of your policies prohibits sending emails with specific types of documents, yet this information is not known throughout the company, how can you be sure that employees are not breaking this rule? If employees do not know what information you are trying to protect, and what practices you have in place to protect it, they will be unable to prevent breaches from happening or notice once a breach has occurred.
- Create an Incident Response Plan. In the world of information security, it’s not a question of if a breach will happen, but when. Preparing your company for the worst is essential, and it is best to complete these preparations before an incident occurs. Ask yourself this: If you were to be attacked by ransomware, would you know how to recover your data without paying the ransom? Or: If you were asked to show the extent of damage a breach created, would you be able to? Who do you need to notify if a breach occurs? What steps do you need to take to reduce further damage? These are all questions that would be answered in an Incident Response Plan.
- Audit your policies periodically and update as needed. Business changes every day. This also is true for cyber criminals and the methods they use to attack. Tactics and policies that work to prevent attacks today might not work tomorrow. Additionally, changes within the organization might call for new or updated cyber practices. Perhaps you take on a new business venture that has additional information in need of protection. Perhaps you replace your infrastructure or bring on new staff or equipment. Without reviewing your policies periodically, there is no way of knowing if they are still adequately protecting your information.
While it may be impossible to completely eliminate risk associated with cyber-attacks, business leaders who follow these steps to establish safer practices and policies within their organization stand a better chance of avoiding disaster down the line.
To gain additional insights about cybersecurity, be sure to read our upcoming blog, which will outline IT-related steps to safeguard your company from cyber threats.
MEET OUR EXPERT
Jeff Williams, Program Manager, Cybersecurity
Jeff Williams is a Program Manager for The Center’s cybersecurity team, leading our efforts to educate and equip small and medium-sized manufacturers to guard against the growing threat of cyber-attacks. One of his main areas of focus relates to the cybersecurity requirements outlined in NIST Special Publication 800-171, designed to protect the information security systems of contractors working with the Department of Defense. In addition to serving Michigan’s manufacturing community, Jeff also is involved with training other Manufacturing Extension Partnership (MEP) centers across the U.S. This effort will enable those centers to provide cybersecurity services to manufacturers in their states.
Since 1991, the Michigan Manufacturing Technology Center has assisted Michigan’s small and medium-sized businesses to successfully compete and grow. Through personalized services designed to meet the needs of clients, we develop more effective business leaders, drive product and process innovation, promote company-wide operational excellence and foster creative strategies for business growth and greater profitability. Find us at www.the-center.org.