As relentlessly ubiquitous as it is, you really can’t quibble with ongoing saturation media coverage of the coronavirus pandemic. Who doesn’t want to know all there is to know?
But there is a flip side. This is sidestepping significant coverage of other important developments, including another slew of major cyber-breaches this year, not to mention the heightened online risks confronting millions of additional Americans now working away from offices in less secure homes outside the secured enterprise perimeter and firewall.
This raises an obvious question. Is your company’s cybersecurity policy as effective as it should be amid these tumultuous times? And if you’re not an employee but the owner of a small business—typically someone with much less sophisticated cybersecurity protection—how does your online security stack up?
Despite the pandemic, this is no small issue today. Largely as a result of mediocre security protection, 43% of cyberattacks target small businesses, according to the Verizon 2019 Data Breach Investigations Report.
It’s easy to get distracted today amid the tremendous blow striking the United States and most of the rest of the world. It doesn’t help, either, that the federal government has fallen down on the job of cybersecurity protection. Nonetheless, the ramifications of a cyber-breach today are arguably the worst ever because companies are already under enormous pressure. Already in 2020, high-profile victims have included Estée Lauder, Nintendo, MGM Resorts, Marriott International, Carnival Cruise Lines and J.Crew—a list you don’t want to join.
Don’t dismiss the importance of caution and a strong defensive posture. The New York City-area Long Island Railroad, Metro-North and New Jersey Transit use signs that read, “Watch the gap,” on trains and platforms. Businesses large and small should also weigh these words when they think about the gaps in their own security and what harm might easily slip through the cracks. In times like these, a strong cybersecurity policy may be the determining factor in business survival.
The volume of computer viruses is rising sharply this year. In January, February and March, FortiGuard Labs documented a 17 percent, 52 percent and 131 percent increase in viruses, respectively, in comparison to the same months last year.
It would be heartily welcomed if the federal government beefed up cybersecurity nationally, as it said it would do in recent years. But, sadly, there has been minimal follow-through, notwithstanding positive periodic moves, such as President Trump’s recent executive order (EO) halting the installation of bulk-power system equipment manufactured by foreign adversaries.
Three years ago this month, President Trump announced a cybersecurity EO that mandated a review of cybersecurity capabilities and, among other things, placed responsibility for cybersecurity risk on the heads of federal agencies. The EO also required regular status reports on the security of critical national infrastructure, to no avail. The upshot? A survey last year by The Cybersecurity 202 revealed that more than 78 percent of digital security experts believe that today’s critical infrastructure is no safer from cyberattacks than when Trump signed the EO.
Meanwhile, the picture is worsening. Two years ago, the White House eliminated the position of cybersecurity coordinator on the National Security Council, thereby eliminating a post central to developing policy to defend against increasingly sophisticated digital attacks and the use of offensive cyber-weapons. Since then, there has been a string of departures in the federal government of well-regarded, high-profile cybersecurity experts.
By and large, states have attempted to fill the vacuum, but their steps are mostly limited to data privacy. Missing are steps to help stop breaches in the first place. Laws that went into effect this year in California and New York are good examples.
The California Consumer Privacy Act of 2018 dramatically increases corporate protection of consumer data. Companies that store large amounts of personal information, including Google and Facebook, are now required to disclose the types of data they collect, as well as allow consumers to opt out of the sale of their data. Similarly, New York's SHIELD Act subjects many companies that do business in New York but are based elsewhere to more stringent data privacy compliance obligations.
At this juncture, what should forward-thinking, security-minded companies do? After carefully analyzing their current cybersecurity posture, they should work with their IT teams to improve the steps they take. Many companies today, for example, rely on third-party, off-the-shelf products, even though this may not be the best fit for their risks. An enhanced cybersecurity policy must also update the systems already in place to protect critical business information.
Here are four key security steps that big companies today should focus on:
+ Update software and systems. Make sure that the potpourri of devices in the hands of users is updated with the latest versions of the bevy of operating systems in use. This typically requires embracing a “push” methodology, which forces new security updates onto a user’s device. This is better than a “pull” methodology, which notifies the user that new security patches are available to be downloaded but leaves the download to the user, so the patches often are never installed.
+ Conduct top-to-bottom security audits. This audit will review the security practices and policies of your central IT systems, as well as your end-user departments and at the “edges” of the enterprise, such as IoT devices at manufacturing plants. The audit should also examine remote site compliance with security policies.
+ Demand audits from vendors and business partners, among the most significant threat vectors in cybersecurity. Most sizable companies now see the cloud as integral to their technology, making it even more important to demand regular IT audit reports from outsiders.
Annual vendor audit reports should be mandated. Companies should also require security audit reports from potential new vendors before signing a contract.
+ Perform regular data backups that work. A significant problem, unfortunately, is not that companies don’t perform regular backups but rather that they don’t always work. Data backups and disaster recovery measures need to be thoroughly tested at least once a year.
Meanwhile, what should small businesses do?
At this point, at least, more basic measures will probably suffice. If they don’t already, small businesses must install a firewall as a protective barrier between their data and cybercriminals. Companies must also document a BYOD policy focused on security precautions. In addition, all employees must be trained on the company’s cybersecurity policies and practices and required to adhere to them. Multi-factor authentication procedures should also be implemented.
The message behind all these steps is abundantly clear. Notwithstanding the pandemic, businesses big and small cannot drop their security guard and in fact should strengthen protection. No company wants a breach compounding all their other headaches in 2020.