It may be too soon to completely understand what happened in the recent cyberattack on Marriott’s parent company, Starwood Hotels and Resorts. What everyone knows at this point is that personal and financial information from 500 million guests was compromised.
Anytime the cybersecurity community is faced with a major breach like the one seen in the past couple of weeks, what strikes home is how important cybersecurity defenses are to organizations large and small.
I think the biggest takeaway from Marriott, Equifax, the city of Atlanta, and the other major data breaches and cyberattacks that have been growing in number over the past 3 years is that we may have to fundamentally change our approach to security.
Instead of sticking to the “we’ve got everything under control” mindset that many organizations hold (either because you believe you’re too small to be attacked, or because you just invested in state-of-the-art technology), we have to shift our view and assume that we could be compromised at any time.
To the head of your organization:
I don’t want to give you the impression that you are no longer able to keep your network safe. And you certainly shouldn’t abandon your cybersecurity strategy if you have one. You certainly shouldn’t abandon good habits like quickly patching vulnerabilities, either; many of those patches are what keep you from being the lowest-hanging fruit for eager cybercriminals.
[Note: if you’re not sure how well your cybersecurity initiatives line up with the current threat landscape, many security experts recommend getting a second opinion.]
If you have invested in technologies to block or detect malware hitting your network, certainly continue your efforts. What I want you to start thinking about is that these activities in and of themselves may no longer be enough.
All of your hard work making sure bad guys can’t get through your front door can be undone in seconds when a user clicks on a malicious link or falls for a phishing attack (these attacks represent about 70% of all cyberattacks today).
Even when you are investing in solid security technologies and have a strategy in place for security, you may still have a security flaw exploited before it is identified and patched.
What you should be thinking about today is how your organization is adapting to changing threats and cyber tactics. A strategy that was implemented 5 years or even one year ago will not meet the challenges your organization faces today.
Well-prepared organizations keep the mindset that they might very well be the next target. They constantly test their networks, processes and employees for weaknesses (just as you would run a fire drill). They know, to the best of their ability, that even when disaster strikes they can recover from it, and they are finding creative ways to cut down on the amount of sensitive data they need to store.
Here are 4 big areas your organization should focus its security efforts on:
Security Philosophy: instead of merely seeing security as a necessary evil, your organization should be moving toward integrating effective security into everyday processes. Consider making a philosophy of cybersecurity part of your culture. How can you make cybersecurity everyone’s problem, rather than simply that of the IT guy demanding people do things one way?
People: most organizations lack the bandwidth to staff dedicated cybersecurity roles. And often, the people who do have security responsibilities don’t have security top of mind day in and day out. They aren’t close enough to security trends to focus their efforts on finding ways to make security more palatable for your entire team.
Process: most organizations don’t dive deep enough into making their processes security-friendly. Rather, they define new processes, or reuse old ones, that work well enough for operations but hardly consider security as part of the solution. Think about how to work security into your processes and how security can help your business scale.
Technology: most organizations are using only elementary security technologies with simple configurations. Where most organizations fail is (1) not being able to tell when cybersecurity events are happening and (2) not making sure they have all the controls in place (including simple things like patching and updates on the network) to ensure that breaking into your network is not a piece of cake.
I know these 4 topics may seem inconvenient, possibly even unfair. But once you start addressing them, going beyond the basics in each, you’re taking an approach that even large organizations are failing to implement (mainly because they are stuck with old ways of doing things, ways that often lead to big mistakes).
Are you certain your cybersecurity strategy is actually protecting your staff, donors and sensitive data? Contact us today for a free network security assessment.