We’re all concerned about protecting our business with strong cybersecurity. If you already have your cybersecurity handled, what kind do you have? Is yours more of the “Set It And Forget It” variety, or is it fluid and active? If you haven’t talked with your cybersecurity team in over a month, or if you installed some antivirus software on your computers last year, and in either case believe that you’re protected, then you have “Set It And Forget It” cybersecurity.
But that isn’t really cybersecurity at all. It’s only the illusion of cybersecurity.
That’s because the people and organizations that are looking to do you harm are constantly inventing new ways to do it. Every single day they come up with new ways to break into your business, lie in wait, steal your data, delete your backups, create social and legal pressure, and ultimately profit at your expense. So if your cybersecurity isn’t adapting to fight these new threats, you’re sure to become a victim sooner rather than later.
Designing Your Cybersecurity
You can’t create your company’s cybersecurity policy based on advertisements and marketing materials. “Buy this software” or “install that system” and then leave it to do its magic isn’t going to protect your business. You need a cybersecurity expert to design it for you.
That design begins with a cybersecurity risk assessment: an analysis of your organization, the people in it, the network infrastructure, your devices, your software, your cloud services, your data, and the risks that face every single part of your business. It needs to take into account not only what a remote hacker might do, but what a malicious employee (or ex-employee) might do. And that still hasn’t scratched the surface, because every business is different, and therefore every business needs its own custom cybersecurity plan.
And you can’t buy a piece of software that can do that for you.
Once the risk assessment is done, your infrastructure will likely need to be reconfigured and hardened, certain pieces of hardware may need to be updated or replaced to meet current business needs and security standards, and new systems will need to be installed. Your staff may need to learn new security procedures, such as multi-factor authentication for logging into their workstations and software, and more.
Responding To Business Changes and New Cybersecurity Threats
But none of that should be a surprise to any business owner. Cybersecurity is complex, and getting more complex by the day. Back in the 90s, computer viruses were the threat most businesses worried about; worms and Trojans soon joined them. More recently, the world became aware of ransomware, including ransomware that lies dormant inside a network for weeks before striking, data exfiltration, zero-day exploits, fileless malware, and more.
What can today’s ransomware do to you and your company? Imagine starting your day only to discover an email in your inbox telling you that all of your company data has been encrypted and a copy transferred to a computer halfway around the world, your backups deleted, your personal emails scanned for company (and personal) secrets, and that if you don’t pay the ransom, your customers, vendors, creditors and state government will all be notified of the breach.
Tomorrow’s Ransomware is sure to be worse.
And as cybersecurity itself became more complex, laws and industry standards evolved to compel companies to protect the data entrusted to them. PCI DSS, FINRA rules, HIPAA, CCPA and GDPR all have strict requirements for data security and steep fines if your data is breached, and even steeper penalties (under some of them, criminal penalties including imprisonment) if you didn’t do enough to prevent the breach, notify authorities, and notify those whose data was breached.
A Set It And Forget It cybersecurity plan is not a plan. A real cybersecurity plan can never be forgotten. Instead, it must stay aware of changes in the business, in cyber crime, and in regulations, and then evolve and adapt accordingly. It takes a team of people to do that.
At least, that’s the case if you want to remain in business and out of prison.
The Human and Psychological Parts of Cyber Threats
Hackers are smart people. They not only know how to build software and systems that can do great damage, they also know how to turn the people working in your company into unwitting helpers.
Phishing (and its subcategories, vishing by voice and smishing by text message) is just one way they do that. The bad guys create emails, voicemails, text messages, software and websites that mimic legitimate businesses, designed to trick someone -- someone who works for you -- into believing the fake is authentic. In truth, it’s designed to steal credentials, data, resources or money. We previously wrote about how 1.4 million phishing sites were launched every month.
An even more targeted variant, a form of social engineering (which we wrote about last year) commonly called Business Email Compromise, uses emails written to appear as though they were sent by a colleague, often a superior in the organization, asking for credentials to secure systems (such as network servers, email servers or security systems) or that payments be made or diverted to the criminal’s bank account. For example, the request to an accounting manager could appear to come from a Vice President and say that Vendor X now requires immediate payment by bank wire rather than the usual check. Once the funds are wired to the supplied account and routing number, they are usually unrecoverable unless the bank is alerted within hours. The defense is procedural as much as technical: any change to a vendor’s payment details should be confirmed by phoning the vendor on a number already on file, never on one supplied in the email.
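As an added example (not code from Digital Uppercut or from the original post), the following Python script applies four of the checks a mail filter or SOC analyst would run on the wire-diversion email just described: an executive’s display name on the wrong address, a Reply-To that points off-domain, a look-alike sender domain, and payment-change language in the body. The company domain, the executive directory and both sample messages are constructed for illustration.

```python
"""Triage heuristics for the wire-diversion email described above.

Added example, not Digital Uppercut's code.  COMPANY_DOMAIN, the EXECUTIVES
directory and both sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumed: your own mail domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed: display name -> real mailbox

# Language typical of a payment-redirection request.
PAYMENT_WORDS = re.compile(
    r"\b(wire|routing|account number|new bank|updated bank|urgent|immediately)\b",
    re.IGNORECASE,
)


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg):
    """Collect the text/plain parts of a parsed message (single or multipart)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def bec_findings(raw_message):
    """Return the list of BEC indicators present in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_name, from_addr = from_name.strip().lower(), from_addr.lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # 1. Display name of an executive, but not that executive's real mailbox.
    if from_name in EXECUTIVES and from_addr != EXECUTIVES[from_name]:
        findings.append("executive display name on a non-executive address")

    # 2. Replies silently routed somewhere other than the sender's domain.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append("Reply-To domain differs from From domain")

    # 3. Sender domain is one or two characters away from ours.
    sender_domain = domain_of(from_addr)
    if sender_domain != COMPANY_DOMAIN and 0 < edit_distance(sender_domain, COMPANY_DOMAIN) <= 2:
        findings.append("look-alike sender domain: " + sender_domain)

    # 4. The body asks for a payment or a change of banking details.
    hits = sorted({m.group(0).lower() for m in PAYMENT_WORDS.finditer(body_text(msg))})
    if hits:
        findings.append("payment-change language: " + ", ".join(hits))
    return findings


def is_suspicious(raw_message):
    """Flag for human review when two or more independent indicators coincide."""
    return len(bec_findings(raw_message)) >= 2


# Constructed sample: the Vice President / Vendor X scenario from the text.
BEC_SAMPLE = """From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: <jane.doe.office@mail-relay.example.net>
To: accounting@example.com
Subject: Vendor X payment today

Vendor X now requires immediate payment by bank wire instead of the usual check.
Please send today to account number 123456789, routing 021000021.
I'm in meetings all day, just confirm once it's done.
"""

# Constructed sample: an ordinary internal request from the real executive.
LEGIT_SAMPLE = """From: "Jane Doe" <jane.doe@example.com>
To: accounting@example.com
Subject: Q3 summary

Please send me the quarterly summary when you have a moment.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, is_suspicious(sample), bec_findings(sample))
```

Run stand-alone, it prints the verdict and the indicators for each sample: the forged message trips all four checks, the genuine one trips none. Two coinciding indicators is a triage threshold, not a verdict; a message that trips only the payment-language check (a real vendor updating its bank details, say) still deserves the phone-call confirmation, because that is the one control the attacker cannot forge from inside an email.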
Yet another way your staff might be turned against you and your company is old-fashioned bribery. We recently wrote about how a Tesla employee was approached by a Russian hacker and offered $1 million to plant a piece of malware on his own workstation. Thankfully, the employee was well trained and reported the approach to his company, which contacted the FBI. The perpetrator was later arrested. Had the employee not come forward, the attackers would have had a foothold inside Tesla’s network.
Set It And Forget It Cybersecurity: No Such Thing
There is no such thing as “Set It And Forget It” cybersecurity. Software and equipment alone cannot keep your business safe. At Digital Uppercut, the technology itself is only part of the cybersecurity plans we design for our clients. Three other human components are critical to a plan’s success.
The first is the awareness and cooperation of your employees. They must not only understand that the security protocols put in place are there for a reason; they must also be made part of the plan. That’s why cybersecurity awareness training for your staff is part of every cybersecurity plan we create.
Second, the cybersecurity experts who staff our Security Operations Center continually analyze the logs and metadata generated by your business systems, looking for attack patterns in your environment and correlating them with the techniques being used against other organizations around the world.
The third human component of your cybersecurity plan is us. You need someone who understands your business, its risks, and the cybersecurity threats that put your data and your business in danger every day. So we’re there not only to design your cybersecurity plan, but to respond when your business or the threats change.
Improve Your Cybersecurity Today
If you have been relying on Set It And Forget It Cybersecurity, and you haven’t yet been hit by a serious attack or breach (that you know of), consider yourself lucky. Truly, it’s only a matter of time. If you are ready to implement a real cybersecurity plan to protect your business, contact us online or call us at 818-913-1335.