FUD

Business leaders are bombarded with cybercrime marketing. The marketing hammers on fear, uncertainty and doubt, or FUD, which has been the IT industry’s stock in trade since IBM perfected it in the 1960s: "You will go out of business unless you buy our complex and expensive product!"

The problem is that fear may get your attention and get you to listen to a sales presentation, but it won’t help you decide what will actually work for a price you can afford.

You Can’t Boil the Ocean

That’s because there is no way, let me repeat that, there is no way you can protect your company from all cybercrime. Cybercrime is so lucrative, and in many cases state-sponsored, that the bad guys have the advantage.

Even the largest of enterprises have to analyze their risks and make judgments as to what risks they can manage, and what risks they can ignore.

Cybercrime is Crime

Cybercrime is like other types of crime, just using different tools and methods. Like other crimes, what you value as a business leader is what you should be protecting. Here are two stories illustrating this.

  • A metals manufacturer used very expensive specialty metals with long lead times. When these were stolen, the company not only lost the cash, but also had production delayed for extended periods – a big risk! Their security company kept trying to sell them more protection for the perimeter (locks, alarms, cameras, etc.), but most of the losses were the result of ‘inside jobs’: employees colluding with thieves. What worked was internal systems, better HR, and better internal monitoring.
  • A retail business handled large amounts of cash. Their systems were based on protecting cash from robbery, only to have the highest losses come from employee theft. When their insurer audited them after a loss, it determined that their internal systems were so deficient that it denied the claim.

Keep it Simple

Figure out where you have risk of significant losses and instruct your technology advisors to mitigate these first. Then, once that’s done, pause until you can spend the time to figure out where the next risks may come from.

How to Prevent 98% of Cybercrime Attacks

According to The Gartner Group, 98% of all cybercrime attacks can be prevented with basic security hygiene (Anatomy of a Modern Attack Surface Challenges & Best Practices, 2023). Go over the list below with your IT team. If they want more than a few thousand dollars to do this, call me.

  • Ransomware awareness training
  • Email safety training
  • Enable multifactor authentication
  • Apply least privilege access and secure the most sensitive and privileged credentials
  • Review all authentication activity for remote access infrastructure
  • Secure and manage systems with up-to-date patching
  • Use anti-malware and workload protection tools
  • Isolate legacy systems
  • Enable logging of key functions
  • Validate your backups
  • Verify your cyber incident response plans are up to date