3 Ways to Strengthen Your Cybersecurity Program

In a world where work is increasingly done remotely, retail shopping is driven by e-commerce, and entertainment, marketing, and even real estate are expanding into the “metaverse,” cybersecurity is of utmost concern for companies looking to capitalize on the new digital landscape. More reliance on digital channels comes with heightened cybersecurity risk as both revenues and reputations are on the line.

Last year the world saw a 29% increase in data breaches and ransomware attacks, according to Yahoo Finance. Not only has the frequency increased, but the average cost of data breaches also rose by about a third, up to $4.24 million according to IBM. This figure grows to over $5 million on average at firms where employees work remotely.

Major technology and financial firms such as Twitch, owned by Amazon, and CNA, firms that should have the best safeguards for their data, saw high-profile attacks in 2021 that compromised their customers’ data and their own credibility. The Sustainability Accounting Standards Board (SASB) lists customer privacy and data security as priorities for e-commerce companies, retailers, insurance providers, and internet media companies, among other industries. And like Amazon, many companies see cybersecurity as a priority from their materiality assessment results. Both Twitch and CNA saw user data stolen, and Twitch’s website source code was hijacked by hackers.

In response to the uptick in cyber attacks, governments have called for action and companies are investing heavily in cybersecurity solutions. In August, Google made a pledge to U.S. President Joe Biden to invest $10 billion in cybersecurity by 2026, which started with a $500 million acquisition of Siemplify, an Israeli cybersecurity firm. More formal requirements are materializing as well, with new legislation proposed to deter attacks and protect consumers, including provisions to protect data, detect breaches, and notify customers when a crisis does occur.

The banking sector in particular has seen a high level of activity from regulators, including new bank rules regarding the timely notification of customers in the event of a breach. Banks will be required to notify consumers of an attack within 36 hours of its discovery, highlighting the need for swift action among vulnerable firms. Non-bank financial institutions have new requirements from the FTC regarding the disclosure of cybersecurity risk, consumer access to data, employee training, response plans, and reporting of cybersecurity breaches. These regulations can serve as a guide to other industries that host confidential data in preparation for potential upcoming industry-specific regulations.

Short of spending $500 million on a cybersecurity startup, what can a company do to protect itself?

  1. The first step should be the implementation of proper policies regarding employee training on phishing, multi-factor authentication, and protection of credentials and data. Compromised credentials were the largest source of breaches in 2021, accounting for 1 in 5 attacks, according to IBM.
    • Cisco Systems takes a layered approach to cybersecurity, including employee training and behavioral security precautions.
    • Alleghany Corporation notes that it limits the number of personnel with access to data to limit opportunities for error and misuse.
  2. Secondly, systems should be put in place to protect and monitor the integrity of company and consumer data. The faster a breach can be detected, the faster it can be contained. IBM reports significant decreases in the cost of a breach at companies that employ AI data breach detection software.
    • A firewall is a passive measure for limiting attackers’ access to data, and it can be employed by almost all companies, such as boat manufacturer MasterCraft.
    • Prudential Financial takes a more active approach, employing a team of cybersecurity analysts that use tools to monitor, report on, and respond to cybersecurity threats.
  3. Third, a response plan should be created outlining who has responsibility for taking action, guidelines on damage control, and timelines for executive, board, and customer notification. Best-in-class cybersecurity programs will implement protections to deter attacks, as well as well-detailed response plans that allow for swift action in the event of an attack.
    • Destination XL Group, an apparel retailer, has a Board committee dedicated to cybersecurity and data protection, ensuring awareness and responsibility for these issues at the highest levels of the company.
    • Meta provides an outline for the procedures taken in the event of an attack, including the timeline for disclosure and strategies for remediation.

By implementing the three steps mentioned above, you can put a robust cybersecurity program into place. For more information on cybersecurity precautions and policies, reach out.