Ahhh, October. Changing leaves, dropping temperatures, pumpkin spice everything. What’s not to love?
One of the best things about the only month to start with an O? Our favorite holiday, one that unites people around the country, is in October.
That’s right, folks. October is home to Cybersecurity Awareness Month.
Wait, did you think we were talking about Halloween?
Halloween is great, but candy and costumes don’t hold a candle to cybersecurity.
How cybersecurity took over October
In 2004, as part of an expansive effort to protect people online, the US Department of Homeland Security and the National Security Alliance launched the first-ever Cybersecurity Awareness Month. Initially, goals for the month focused mostly on getting people to update their antivirus software and stop sharing identifying information online.
Over the last 18 years, however, there has been an explosion in eCommerce, cloud-based solutions, and app usage for everything from banking to project management. This dramatic digital growth has transformed cybersecurity awareness from a cute consumer campaign to a key component of economic (and national) security.
Coffins and cauldrons and criminals, OH MY!
It’s our theory that the head honchos made October Cybersecurity Awareness Month because a data breach is one of the spookiest, scariest things that can happen to a company. But to be successful, the spirit of cybersecurity awareness needs to stay in your heart all year long.
Because cybercriminals will attack you all year long, not just in October. And just one hack can cost your business a lot, both financially and reputationally.
Statistics on cyber skullduggery
If you don’t think you need to pay attention to cybersecurity because your business is small or you’re in a niche industry, consider the following facts:
- There is a hacker attack every 39 seconds
- Security breaches have increased 67% since 2014
- The average cost of a data breach in 2020 was $3.86M
- While hacks are common, it takes most companies 207 days to identify a breach, meaning bad actors have access to sensitive data for over half a year before being stopped
- 95% of breaches are caused by human error
- Small businesses account for nearly a third of all 2020 data breaches, and nearly 60% of small businesses go out of business within six months of getting hacked
We could go on and on, but the proof is in the pumpkin pie. Cybersecurity really is just part of the cost of modern business operations, even if you aren’t an international corporation with a major online presence.
The global COVID pandemic made that abundantly clear.
Cybercrime increased 600% over the course of 2020 and 2021 as companies around the globe were forced to quickly set up work from home and remote work operations. Advanced phishing scams, malware emails, and ransomware attacks have grown exponentially in sophistication, frequency, and destructiveness, which means governments are starting to pass legislation aimed at protecting sensitive consumer data and mandating stricter cybersecurity programming.
Basically, you really can’t afford to not be proactive.
A manual for magical security measures
Technology changes so frequently and so rapidly that it’s normal to feel like you need a spell to build an effective cybersecurity program—but you don’t.
Following a few simple steps can dramatically increase your ability to protect your business.
- Hire a cybersecurity professional
- Tighten up your data collection and storage practices
- Improve your security measures
- Increase the frequency and quality of your employees’ cybersecurity training
Hire a cybersecurity/privacy officer (or contractor)
Your success as a company is likely based on your specific expertise. If you want your cybersecurity program to succeed, you need an expert.
Whether you hire a full-time Chief Information Security Officer (CISO) or Chief Privacy Officer (CPO), engage a fractional executive, or seek out an independent contractor, having a cybersecurity pro on your side will save you time and money.
Tighten up your data collection and storage practices
Every digital data record you have is a cyber risk. Some types of data, like consumer information, are more valuable than others, but all data is valuable to hackers.
This means that if you’re collecting more data from employees or customers than you actually need (do you really need to know their favorite ice cream flavor?), you’re more likely to be the victim of a breach.
The same thing applies to how and how long you store all that data. Storing unnecessary data in databases that a bunch of people have access to over several years is kind of like leaving a key to your front door under an obviously fake plant on the porch. That key doesn’t guarantee that someone will break in, but it also makes it easier to open the door.
Improve your security measures
Improving security measures usually requires the help of an IT specialist, but knowing what to ask for can go a long way towards getting your company to the cutting edge of what’s possible.
If your company is regularly handling sensitive data, you should look into:
- Two factor or multifactor authentication (requiring more than just a password for system, network, or data access)
- A policy mandating regularly scheduled password changes and setting complex password requirements (10-character minimum, use of special characters, etc.)
- Strict and enforceable mobile device management policy that explicitly prohibits the use of company devices for personal business (and vice versa)
- Clear, cross-functional plan for ensuring software patches and updates are regularly and correctly installed
- Least permissions principle, limiting data access to the minimum amount of data needed to complete a task
Improve the frequency and quality of your cybersecurity training
Hackers change their tactics to match technological advancements all the time. To keep up, your training needs to be engaging and consistent.
This doesn’t mean, however, that you need to be sending your team to day-long symposiums every quarter. Cybersecurity awareness training can be:
- A five-minute refresher on how to avoid phishing scams during a monthly staff meeting
- A weekly email reminding employees of requirements for password complexity or the use of public WiFi networks
- Using a direct-from-the-shelf product to cover essential data protection practices (we have our favorites)—or opt for a tailored version like we offer for companies who want to make sure all aspects of their business are addressed
The most important thing about your training is that it needs to be frequent.
Employees are far more likely to comply if they understand why your cybersecurity policies are important and what role their actions play in helping protect your business.
The best way to help them understand all that is to make those best practices part of your company culture.
Avoid the tricks and keep the treats
Having a month dedicated to raising awareness of online threats is a great way to get everyone on the same page and to educate people about emerging threats.
But just like the smart kids try to ration their Halloween candy so it lasts until the next big candy holiday (Valentine’s Day), smart businesses will use Cybersecurity Awareness Month to jumpstart a commitment to building a robust cybersecurity program that includes frequent, cross-functional reviews of internal policy, increased dedication of resources to program maintenance, and expanded access to quality training.
If you need help figuring out what your company needs, give us a call.