It’s that time of year when those of us who are concerned about skin damage slather ourselves with products that advertise protection from the sun’s harmful UV rays. Way back when SPF was first introduced, SPF 15 was about the strongest level you could find on the store shelves. Walking through a drugstore these days, it’s not uncommon to see products labeled SPF 100. Now, I love being out of doors in the summer, but an SPF 100 begs the question:
Do I really need all that protection?
It’s the same question a lot of business leaders ask when we walk them through their network security options. In this post, I will take you through the thought processes behind determining the right level of protection for your organization. In a follow-on post, we’ll get into how to layer on the protection if your organization is one of those that needs it.
What’s your business' security risk?
If you’re fair skinned, and you spend long hours in the sun, you’re clearly going to need more SPF in your sunblock because you’re at higher risk. The same is true for businesses that are at a greater risk from today’s sophisticated cyber threats. Here are a few of the business characteristics that raise your security risks:
1. Regulatory requirements
This one should be no surprise. Businesses with the most confidential data, e.g., credit card numbers, birthdays, social security numbers, etc., often have the greatest regulatory requirements and for good reason. Data that is regulated is usually highly confidential. One of the most common mistakes we see businesses making is thinking that because they’re small, they can fly under the radar of the regulatory agency. Not a good risk to take, and not just because you might get a visit from an agency auditor.
2. Nature of your data
Don’t limit your thinking just to the confidentiality of your data. Businesses in highly competitive fields also need to worry about corporate espionage both from internal and external sources. Incidents of sabotage are also making the news; the NotPetya attacks seem to be the most recent example. I know espionage and sabotage sound like the premise of a thriller novel, but the threat is real.
Some industries present more attractive targets than others. You might think financial services or retail would be at the greatest risk due to the financial information they store. However, in 2015, healthcare topped the list of the most cyber-attacked industries, with manufacturing coming in second. Healthcare also “earned” the top three spots on the list of the seven largest breaches that year.
4. Size of Company
If you think your company is too small to draw the attention of cyber attackers, you’d probably be wrong. In their 2016 Internet Security Threat Report, Symantec reported that 43% of all cyber-attacks were on small businesses with 250 or fewer employees. In fact, since 2011, the percentage of attacks on small businesses has been rising steadily, whereas the percentage of attacks on the largest businesses has been dropping.
However, if your business is growing, your security challenges multiply every time you add a new person to your staff. Emails were the attack vector of choice in 2016, with one out of every 131 emails containing either attached malware or links to malware. I’m not sure how many emails the average person gets a day, but with those statistics, most people in your organization probably have at least one would-be cyber attack waiting in their inbox.
5. Technology adoption
Technology is a competitive weapon for many of today’s businesses. Gartner predicts that there will be 20 billion devices connected to the internet by 2020. This includes everything from smart phones, to security systems, to intelligent controllers in industrial equipment. A single employee could use four, five, or more devices during an average day.
But, this competitive weapon has turned out to be a double-edged sword as each of these devices also represents a potential portal for attackers. In 2016, Symantec connected unprotected devices to the internet and then measured how long it took for them to be attacked. It took all of two minutes.
6. Technology focus and skills
Clearly, today’s threat landscape is complex and getting even more so. If security never seems to make it to the top of your list of priorities, or you just can’t hire and retain the right people to manage security, you’re going to be at a higher risk.
Know Thy Enemy
In Sun Tzu’s The Art of War, he said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” The first part of this post was all about knowing yourself. We’ve written many times about the enemy, so we won’t go into detail here, but here are a few posts you may want to refer to:
Immediate Actions to Take in Response to NotPetya Malware
Immediate Actions to Take in Response to WannaCry
4 DDoS Trends You Need to Know About
Multi-Layered Attacks Require More Sophisticated IT Security
What is Ransomware and How to Protect Against It
In our next post, we’ll look at how layering your security efforts provides greater protection. In the meantime, you can reach out to us here if you have questions or would like to chat with one of our security experts about your specific security challenges.
Heather Sweigert, Compliance Analyst at TierPoint, is responsible for maintaining regulatory standards throughout the company. As a key contributor to the TierPoint Security team, Heather assists in setting standard security protocols and communicating updates and audit findings.