While cybercriminal markets have been flooded with billions of personal records, criminals have improved their business model by using technology and extortion. Now, rather than steal and try to sell an organization’s data, criminals will simply deny access to an organization’s data via so-called ransomware scams.
US law firms, accounting firms, construction companies, universities and colleges, hospitals, municipalities, government agencies and more have all been victims of this type of online extortion, and incidents have been on the rise globally.
In some cases, when criminals don’t receive payment or the amount they feel they deserve, they’ll often threaten to leak stolen data to media organizations or the general public to cause reputational harm to their victims. Regardless of the scenario, cybercriminals are able to monetize your investments in devices, data, applications and process automation.
How Cybercriminals Get In
If you consider the number of employees, customers, suppliers and third parties that digitally interact with your organization via email, purchases, supply arrangements, contracts, services, payments, and so on, each instance and point of contact represents multiple points of entry into your organization for a cybercriminal. Cybercriminals know you are unable to secure every device, network or online interaction that touches your organization. They find the weak links and exploit them. Research has shown that, nine times out of 10, the weak link is via an unsuspecting human. This is why security technology alone can’t solve the problem.
“The total number of phishing attacks in 2016 was 1,220,523, a 65% increase over 20151. Can your security team deal with 65% growth in just a single cybercriminal tactic? How are you mitigating the risk?”
Focus on the Cause Not the Effect
The breadth of your organization’s human attack surface is well beyond the scope of any technology-centric security program. Instead, a prudent and strategic step is for you to quantify the source and nature of unknown human risk then take steps to measure, manage and monitor the risk.
Once known, management of human-centric risk becomes a key input into business priorities, processes and security technology investments. Further, following the adage, “what gets measured is what gets done,” tangible measures enable leaders to take actions based on risk insights which drive improvements in effectiveness and efficiencies of security processes.
Mitigate Your Risk - The Three 'M's (and an I)
According to a research report commissioned by FICO2, “cyberrisk insurance has a vitally important role to play” in addressing the cybercrime problem. The same research report also found “organizations need a holistic cybersecurity strategy that involves all areas of the business,” and, “to improve their cybersecurity status, organizations must take care to objectively measure it.” The three ‘M’s—measuring, managing and monitoring risk—are a key part of the strategy to ensure all areas of the business are accountable for cyberrisk and to provide the means to effectively reduce it.
This bulletin was written by David Shipley, CEO of Beauceron Security. Beauceron offers an affordable, secure cloud-based platform to automate many of the routine tasks needed to help educate people, move individuals from cyber-unaware to cyber-aware and to help entrench ideas of accountability for individuals, managers and senior leaders. For more information, visit www.beauceronsecurity.com.