FOCUS on TECH – YOU are the Risk
Anytime you hear about a CyberAttack, it is a chance to reevaluate your situation. Even though you may not have been directly affected by whichever attack in the news catches your attention – it is an opportunity for you to think through whether or not…
• Your family/loved ones
• Your Organization
…would have fallen prey to this very attack had it been directed towards you or your Organization.
How do you perform this kind of evaluation?
The first step towards protecting yourself is understanding your risk.
How do you do that?
There are two components that you need to be able to identify if you are going to correctly evaluate your risk. Or, in this case, specifically your Cyber risk. These are:
• Threats
• Vulnerabilities
Threats and vulnerabilities have a directly correlative relationship. If you don’t have a vulnerability in a particular area then you have low risk. If you DO have a vulnerability in a particular area, then you have high risk.
First, what are the threats?
• We call what is out there the “Threat Landscape” – this includes every way to attack your systems and resources that exists today.
• You can’t control these threats – they are always there and they aren’t going away. They are environmental and systemic.
Examples based on 100,000s of cyber attacks in 2019:
• 70% of attacks are from external actors.
• 30% of attacks are from insiders. This means it is coming from someone close, someone with access. Perhaps, even someone on your payroll.
• 55% of the external attacks were from organized crime units – sophisticated attacks. Think of these as being from ‘Dark Silicon Valley’.
• 45% of the external attacks were hacking attacks – meaning from sophisticated individuals. Think of these as being from ‘Dark Start-Ups’.
• 86% of all attacks were financially motivated. This is organized crime after your money.
• 22% involve PHISHING – we read about phishing attacks all the time (this number seems low to us – we think it may be closer to 90%). Phishing is a social engineering attack to steal credentials which allow access to anything vulnerable.
Understanding these threats is important. These threats are a substantive part of the environment you are doing business in today. Pretending they aren’t there, or not taking them seriously, won’t make them go away.
Let’s move on to the vulnerabilities.
What are the vulnerabilities?
• Any asset you have which can be accessed over the internet is a potential vulnerability. This can be anything from money in your bank to access to valuable or exploitable information. Sometimes information you have is just a pit stop on the way to exploiting someone else.
• Your setup can be a vulnerability. Building the right security precautions into the way that you access anything valuable is the most important first step.
• Your greatest vulnerability is the culture in which you operate. If your company culture normalizes convenient short-cuts to save seconds while accessing potentially vulnerable information and systems – your risk skyrockets. In this type of situation, it isn’t a matter of ‘if’ – it’s a matter of ‘when’.
For a more concrete example:
• If you have money in your bank that you can access in some way over the internet – you have a vulnerability.
• Are you protecting that bank account with not only a password but also with 2FA? If you say no to 2FA, then you have a higher risk.
You may not be able to analyze your cyber risk yourself because this gets pretty sophisticated pretty quickly. You may want to engage a third-party outside IT consultant that has experience in understanding this reality to help you arrive at the right decisions around your specific situation. Correctly identifying your vulnerabilities will help you make the right decisions to lower your risk. There is no one-size-fits-all solution to Cyber Risk.
To close: Cyber crime is relentless. Cyber crime is not stopping. To responsibly access our own resources we need to do the right thing. Take the risk seriously. You are already doing business in a high-risk environment even if you’ve gotten lucky so far and haven’t been forced to realize this yourself by falling prey to the Cyber Pandemic.
Do the right things and you’ll stay safe.
• Evaluate your risk.
• Evaluate the way you access your systems.
• Evaluate your culture.
Do these things and you will be well on your way to changing your risk into your advantage.
If you would like a complimentary risk evaluation – schedule a 30 minute session with Jeff.
One of the ways that we are doing our part is by raising awareness through the Defeat The Breach Coalition.