By JOSEPH SARACINO
What better time than October, National Cyber Security Awareness Month, for organizations to take steps to ensure their networks are secure, to prevent cyber breaches and, for organizations in regulated industries, to avoid the hefty penalties that come with noncompliant systems?
All organizations, regardless of their size or industry, should be developing and implementing sound cybersecurity strategies that encompass education, vigilance and best practices. It starts with building awareness through all ranks of the organization and educating people about common cyberthreats.
Phishing and social engineering attacks are steadily rising, along with ransomware infections. All staff should be educated about these and other common cyberattacks, including keystroke-logging attacks, and be trained on what to do – and what not to do.
For instance, they should know the top malicious email attachment types (.doc, .dot and .exe) and be instructed not to open them unless they know the sender.
As for vigilance, management should stay abreast of what is happening within their industry. Very often, cyber criminals target certain industries in similar ways and, in particular, target organizations that manage a lot of sensitive personal data – financial institutions, credit card companies, healthcare providers, real estate companies and other data-intensive institutions.
Many cyberattacks are financially motivated. Bank account and credit card information, Social Security Numbers, etc., are common targets. In the first half of 2019 alone, cyber breaches exposed 4.1 billion records.
Part of being vigilant is being aware of those regulations requiring organizations to take specific measures to protect the data in their systems. Some are non-industry specific, such as the General Data Protection Regulation of the European Union governing data protection and privacy in the EU and the European Economic Area, as well as the transfer of personal data outside the EU and EEA areas.
Others were enacted by individual states, such as the New York SHIELD Act, which expanded the types of “private information” that can trigger data-breach notifications and requires businesses and individuals to take certain preventive measures to protect the data they own or license.
Other regulations are industry-focused. One example is the New York State Department of Financial Services’ NYCRR 500 cybersecurity regulation, which gained attention recently when the department filed its first enforcement action under it against First American Title Insurance, charging the company with exposing millions of documents containing consumers’ personal (“nonpublic”) information – including bank account numbers, mortgage and tax records, Social Security Numbers, wire transaction receipts and driver’s license images.
First American, which was charged with violating six provisions of the regulation, will face a hearing in October. Depending on the hearing’s outcome, the company could incur noncompliance penalties of up to $1,000 per violation and a separate penalty of up to $1,000 per violation for the exposure of nonpublic information.
Through the adoption of certain best practices in cyber security, those data breaches could have been prevented. Best practices should include regular vulnerability assessments and penetration testing. In addition, every organization – regardless of the size, industry or nature of the business – should have a cybersecurity manual that every member of the organization, and any vendor with access to the business’ IT system and network, should follow.
It should contain a list and explanation of all best practices, including not opening pop-ups, unknown emails and links; using strong passwords and multi-factor authentication methods; changing passwords on a frequent basis; connecting only through secure WiFi; keeping security software up-to-date; and relying on experienced third-party cybersecurity professionals to assess IT systems and their vulnerabilities.
According to industry watchdog Security Intelligence, the average cost of a data breach in 2019 was $3.92 million. Implementing the recommended measures will strengthen the security of systems and reduce exposure to cyber threats.
Joseph Saracino is president and CEO of Coram-based risk management, cybersecurity and training resource Cino Ltd.