Amid all of the hullabaloo over the presidential election this year, one topic has quietly grabbed nearly as many headlines: cybersecurity.
Cybersecurity, or “the cyber” as our president-elect has referred to it, is the effort to protect electronic devices and the infrastructure that supports them from a host of physical and computerized threats.
With the continued growth of global e-commerce and electronically available consumer data, many businesses have become targets for cybersecurity attacks. Consider, for example, just a few of the companies who’ve acknowledged data breaches this year:
So, what does all of this mean for businesses? Well, for one thing, more government regulation likely awaits. In September, for instance, the New York State Department of Financial Services proposed sweeping new cybersecurity rules.
And yet, regulations alone won’t protect businesses or their customers from cyberattacks. Therefore, as cyberattacks become more widespread, businesses should take action to protect themselves and their customers by considering three questions:
1. What are your assets?
Every business has assets. For many, it’s their brand. For some, it’s the “secret sauce” for the product or service they sell. For others, it’s their customer data. For certain businesses, it’s all three of these things.
Either way, as a starting point, all businesses should itemize their most prized possessions. What are the crown jewels of the company? What does the business value the most? Take some time to consider these questions. Then, as a next step, determine the level of protections that you want to manage. For instance, if your business has $50,000 in assets, you may not want to spend $500,000 to protect them. Figure out a right-size approach that works best for your company’s needs and budget.
2. What are your threats?
As with assets, all businesses face threats. And the threats, not surprisingly, vary depending on the business.
Most businesses face the threat of competitors. But some, like banks or retailers, also face threats from cybercriminals who want to steal their money. Others, such as tech companies, face threats from competitors that seek to steal their intellectual property.
The bullets below summarize the multiple threat categories that exist.
- Nation-states (e.g., China, Russia, and other countries that facilitate cyberattacks to procure data)
- Cybercriminals (e.g., organized crime syndicates that use cyber theft to make money)
- Hacktivists (e.g., people with a bone to pick that use hacking to make a statement)
- Casual Hackers/Lone wolves (e.g., people who hack out of curiosity, but sometimes help cybercriminals)
- Inside threats (e.g., disgruntled employees seeking to steal money and/or make a statement)
Given the different threat categories, it can be difficult to figure out which threats might apply to your business. So businesses of all sizes should consider contacting cybersecurity vendors for help with threat identification. Additionally, businesses may use the NIST cyber threat self-assessment guide.
3. What are your weaknesses?
After identifying threats, the next step is to identify vulnerabilities. In other words, think of how the threats could attack your business. For example, if you have customers’ credit card data stored electronically, could cybercriminals hack into your system to steal it? Or, could a competitor use your company website to access confidential information? Considering these types of questions will help identify vulnerabilities. However, most businesses should still probably consult cybersecurity vendors to assess weaknesses and identify solutions.
Lastly, not all cybersecurity weaknesses are “cyber” in nature. Certain physical controls, such as security gates in buildings and employee ID badges, can provide equally important defense against cyber threats. So businesses should ask cybersecurity consultants to recommend logical (i.e., computerized) as well as physical defense solutions.
Stephen L. Ball is Government Affairs Counsel for CSAA Insurance Group. A proud Wolverine, Stephen has a B.A. in Political Science and a Master of Public Policy degree from the University of Michigan. He also has a J.D. from Harvard Law School. For more information about Stephen, see his LinkedIn page.