I’ve got a proposal: let’s not talk about how turbulent 2020 has been. Instead, let’s talk about the ways that we can make the rest of the year better, safer, more manageable for everyone. Since it’s Cybersecurity Awareness Month, of course, we’re thinking about improvements in that context.
Turbulent times, after all, have a way of getting us to reassess our priorities. But in cybersecurity, COVID-19 has hammered a few realities in more than others:
- Are there cracks in your cybersecurity foundation? Now isn’t the time to paper over them — we need real fixes.
- In a time of damaged public trust, businesses need to prioritize establishing trust with their consumers.
- Resilience is foundational to weathering any kind of difficult period.
Cybersecurity, of course, is a big umbrella. Some of the big sticking points right now, though, are ones that have been with us for a while. Consider these ongoing issues, then take a look at our top ten ways to step up cybersecurity at the end of 2020.
What we’ve seen in 2020
Data breaches: That friend who you definitely didn’t invite to the party
Data breaches aren’t new news. But they’ve been on the uptick for years now. It’s not pretty, but closing your eyes and wishing reality away never helped anyone.
- In general, a cyberattack occurs every 39 seconds
- A big breach is big money: on average, it costs businesses $392 million for the breach of more than 50 million records
- 39% of surveyed SMBs report that their organizations lack any incident response plans
And it looks like businesses simply aren’t prepared to face these risks.
- The average time to identify and contain a breach is 280 days
- 53% of companies found over 1,000 sensitive files accessible to every employee
- Only 5% of a company’s folders are protected
- 34% of data breaches in 2018 came from internal actors
These are just SOME of the statistics — there’s a lot of information to process. And if it’s a lot for cybersecurity professionals to process, imagine how it feels for non-IT employees at your business.
Consider the number of people internally who are responsible — either in a malicious way or not — for data breaches. This number shows why it’s critical to:
- Have rigorous training programs in place for all staff
- Implement consistent internal measures to monitor for security risks among staff
CCPA right of action
The California Consumer Privacy Act (CCPA) — yes, it’s about privacy, but it’s got security provisions written into the legislation that make it imperative for cybersecurity professionals to pay attention. Among the most pressing issues: the right of action.
Under CCPA, consumers have the right to legal action if their records are exposed in a data breach IF the company hasn’t taken “reasonable measures” to secure their data. While “reasonable measures” currently has a vague definition, there are some takeaways that can help protect your data.
- Keep on top of your data assets
- Know where personal information is located, what the access permissions are, and any other risk factors.
- Is your data stale? Toss it to avoid unnecessary security threats.
- Implement appropriate permission levels to limit access to sensitive data
- Regularly review data and permissions
A common issue with CCPA compliance — really, any kind of compliance — is that we think once we’ve met the guidelines, we’re in the clear to infinity and beyond.
That’s unfortunately not the case. It’s an ongoing process and one that requires close monitoring.
Remote work: More risk, more reward
It’s a mark of just how wild 2020 has been that one of the biggest shifts in the US workforce took place and yet it feels like a mere footnote. But it shouldn’t be, at least for anyone dealing with cybersecurity.
There are upsides to working from home these days — public health, childcare, work-life balance (maybe?) — but it presents undeniable security risks. Consider this:
- 88% of the organizations, worldwide, made it mandatory or encouraged their employees to work from home after COVID-19 was declared a pandemic.
- The number of unsecured remote desktop machines rose by more than 40%
- 46% of global businesses have encountered at least one cybersecurity scare since shifting to remote
8 Steps to Cybersecurity for 2020 and 2021
In an increasingly tech-centered and remote-working world, there are ample opportunities to make cybersecurity a core business practice rather than applying it as a bandaid when things go sideways.
What’s important for your customers is important for your business. Here’s how to communicate.
1. Best practices start with communication
Best practices can feel pretty opaque to those who aren’t fluent in cybersecurity-ese. To combat this, place strategic messaging about your security measures throughout your points of contact.
For example, when your customers sign in, you should use multifactor authentication (MFA), but why are you using it? What should they expect and how does it benefit the customer? Weave this information into signup forms, pop-ups, or emails so your customers are clued in along the way.
2. Make beefy passwords standard
Speaking of MFA, it’s a great tool, but it only works in tandem with strong passwords. Require customers to set up passwords that are hard to crack. Characteristics of a strong password include:
- Combination of capital and lowercase letters, numbers, and special characters
- No obvious substitutions (like $ for s, ! for i)
- 12 characters or longer
- Doesn't contain recognizable or attributable words, names, dates, or numbers (like birthdays, phone numbers, etc.)
- Unique to your customer’s account with you (i.e., not reused)
Password practices can be made even more secure by encouraging or requiring customers to change passwords regularly and not allowing reuse of passwords.
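A policy check that enforces the characteristics listed above, including undoing the obvious substitutions before looking for recognizable words and rejecting reuse. This is an added example written for this post, not code from the original; the denylist, the account profile and the earlier-password digests are all constructed sample data.

```python
import hashlib
import re

# Obvious substitutions the post calls out ($ for s, ! for i), plus a few
# other common leet-speak swaps; these are undone before dictionary checks.
SUBSTITUTIONS = str.maketrans({"$": "s", "!": "i", "@": "a", "0": "o",
                               "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed sample denylist standing in for a real common-password feed.
COMMON_WORDS = {"password", "welcome", "summer", "qwerty", "letmein", "admin"}


def normalize(pw: str) -> str:
    """Undo obvious substitutions and lowercase, so 'P@$$w0rd' -> 'password'."""
    return pw.translate(SUBSTITUTIONS).lower()


def digest(pw: str) -> str:
    """Fingerprint used for the reuse check (constructed; a production store
    would compare against slow-KDF verifiers, not a bare SHA-256)."""
    return hashlib.sha256(pw.encode()).hexdigest()


def check_password(pw: str, profile: dict, previous: set) -> list:
    """Return the policy rules the candidate violates (empty list = accepted).

    profile:  attributable data known about the account (name, birth date,
              phone number, ...) that must not appear in the password.
    previous: digests of this account's earlier passwords.
    """
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    classes = [re.search(p, pw) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")]
    if not all(classes):
        problems.append("needs lowercase, uppercase, digit and special character")
    plain = normalize(pw)
    if any(word in plain for word in COMMON_WORDS):
        problems.append("contains a common word (after undoing substitutions)")
    for field, value in profile.items():
        # Tokens of 4+ characters from the profile value, e.g. 'dana', '1988', '0142'.
        tokens = [t for t in re.split(r"\W+", value.lower()) if len(t) >= 4]
        if any(t in plain or t in pw.lower() for t in tokens):
            problems.append(f"contains attributable data: {field}")
    if digest(pw) in previous:
        problems.append("reused from a previous password")
    return problems


if __name__ == "__main__":
    account = {"name": "Dana", "birthday": "1988-04-12", "phone": "555-0142"}
    history = {digest("Correct-Horse-Battery-9")}
    for candidate in ("P@$$w0rd!2020", "Dana-Winter-1988-xyz", "Tundra!Violet#Kite88"):
        print(candidate, "->", check_password(candidate, account, history) or "accepted")
```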
3. Prioritize maintenance
Cue up the cybersecurity mom voice in your head: Is your site secure? Are you updating to the latest versions and keeping everything patched? Are you backing up your data regularly?
If you are avoiding these basic cyber-housekeeping tasks, remember that when you skip them, you leave a window open for hackers to compromise your customers’ data. Yes, it’s tedious to schedule maintenance, updates, and reboots, but it takes a whole lot more time to deal with the aftermath of a cybermess.
4. Stay ahead of the compliance curve
Compliance isn’t one of those static areas of business. (Is there such a thing anymore?) Bridge the gap between privacy, security, and your customers’ needs by investing in staying current on what’s new with regulations like the California Consumer Privacy Act and the EU’s General Data Protection Regulation, but also on up-and-coming regulations.
5. Create workforce awareness and accountability
Training. Training, training, training. We can’t stress this enough. One of the best things that you can do for your entire workplace is to develop company-wide training that brings everyone up to speed on cybersecurity and privacy issues.
Get them smart on everything from phishing to password security to data management and privacy and the WHY of it all and you'll have a team that's more prepared to keep your business and its data safe.
Pro move: Don’t just make this a standalone training. Incorporate cybersecurity continuously, from onboarding to holiday party protocol and make it relevant and engaging. (Whatever that looks like in the future.)
6. Working remotely, the secure way
Yes, it’s been seven months since everyone went home en masse but lots of us are still there. Your team might well be among them. Have you gotten your remote work cybersecurity details in place? This is a whole big topic, but some low-hanging fruit that you can achieve includes:
- Implementing good VPN practices
- Setting up two-factor authentication (it's not just for customers!)
- Developing safe standard practices for file access and management
- AND training (see above)
Even if you had worked out cybersecurity strategies for remote work this summer, with the upcoming cold/flu/COVID season, it’s advisable to revisit them to make sure your plans are working for your business and its employees. (And not hackers.)
7. Protect personal devices
Personal devices are an extension of ourselves these days, always within arm’s reach. They’re indispensable for managing our lives both inside and outside of work.
This expansive utility makes them a unique cybersecurity risk. Your employees are probably (definitely?) using them for work purposes, but how secure are they? (Spoiler: probably not very.)
The best practice is to have employees only use company-owned laptops and smartphones so you can control security measures. However, this isn’t always possible so make sure you have policies and practices in place for security measures like enabling strong passwords, app downloads, file access policies, and location services.
8. Test for vulnerabilities
Bringing in an outsider like an ethical hacker or security expert to test your system is a great way to get a better understanding of where your weaknesses are. Let’s be honest, it’s really difficult to see where your problem spots are when you’re looking at them every day. On the other hand, someone whose job it is to find problems will be a pro at rooting out coding bugs, finding backdoors, and other potential security threats.
Cybersecurity Awareness Month is a prime opportunity to expand awareness and improve upon your practices. However, it’s also not really a once-a-year event — cybersecurity should be taking place every day for your customers and your employees.
Want to learn more about how you can support cybersecurity and privacy? We’d love to chat with you. Drop us a line!