Forget the image of teenage computer hackers late at night in a basement with cold pizza and parents asleep upstairs. Cybercrime is big business that's inflicting real damage to U.S. organizations and institutions, especially small and midsize employers.
In November 2018, a federal grand jury in Newark, N.J., returned an indictment charging Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, both of Iran, in a 34-monthlong international computer hacking and extortion scheme involving sophisticated ransomware. Savandi and Mansouri allegedly collected more than $6 million in ransom payments and caused more than $30 million in losses to victims by encrypting the data on victims' computers and demanding ransom in return for decryption keys to recover the data. The more than 200 victims included sophisticated entities such as hospitals, municipalities and public institutions.
of employees receive cyber training and education on an annual basis.
And in July 2018, Sinovel Wind Group LLC, a manufacturer and exporter of wind turbines based in China, was sentenced for stealing trade secrets from AMSC, a U.S.-based company formerly known as American Superconductor Inc. The theft resulted in the loss of more than $1 billion in shareholder equity and almost 700 jobs (more than half the company's global workforce), according to evidence produced at trial.
Yet when trying to protect against such actors, many businesses still treat cybersecurity efforts as a collection of noncore, check-the-box technical tasks that can interfere with getting work done. To effectively combat cybercrime, organizations will have to up their game by deploying significant and wide-ranging organizational defenses.
"While there is some recognition of the risk of data loss, the full range of risks from a cybersecurity breach―including operational risk, reputational damage and potential cultural impact on the company―are often underestimated," says Dominic Keller, senior cyber risk consultant at Willis Towers Watson. "Clients, employees and business goals may all be affected by a cyber incident. Having a proactive approach to risk assessment, and identifying the key business impacts of cyber incidents, is critical."
The Growing Threat
The financial costs of cybersecurity breaches are substantial, according to The Cybersecurity Imperative Pulse Report, a recent publication from ESI Thoughtlab that was sponsored by Willis Towers Watson and others. The underlying survey of 467 large companies (more than $200 million in revenue) worldwide found that, on average, those companies lost $4.7 million each in cyber incidents last year; more than 1 in 10 businesses reported losses of more than $10 million.
The types of cyberthreats vary and have grown in sophistication. Among them are:
- Use of confidential data to perpetrate fraud or blackmail.
- Theft of trade secrets.
- Inadvertent disclosure of confidential data by careless employees or contractors.
- Disclosure of confidential information by disgruntled or former employees seeking revenge or financial gain.
- Unauthorized entry to private computer systems by someone to create mischief or gain notoriety.
Threat levels differ by industry. Financial and medical institutions are particularly targeted, given the sensitive financial and health data they retain.
Mega-breaches of the largest companies have drawn the most media attention. But many medium and smaller organizations are increasingly being targeted, in part because they tend to have weaker cyber defenses and far fewer cybersecurity resources than the giants, says Joseph Steinberg, a cybersecurity consultant and author. Criminals reason that smaller firms are often more likely than their larger counterparts to pay ransomware demands, he notes.
Cybersecurity Is a Team Sport
So what's to be done? Many companies are still placing most or all of the burden for cybersecurity on their IT staff. Instead, cyber risk management must be understood as an effort that requires coordinated action by many business units across the company, Keller says. Employees, who are on the front lines of an organization's defense, need to be on alert, too. This year, National Cybersecurity Awareness Month (held every October) emphasizes the role that individuals play and the importance of taking proactive steps to enhance cybersecurity.
Ideally, an organization should have a detailed plan that governs its efforts to prevent and respond to a breach, including clear decision and communication processes across the organization, Keller says.
It starts at the top. C-suite officers must convey the importance of cybersecurity, lest it become just one of a number of to-dos on the list for employees. "Engaging leadership and key stakeholders to ensure that they have a clear understanding of the organization's cyber risk management strategy also ensures consistency of approach and improves cyber risk resilience," Keller says.
‘The full range of risks from a cybersecurity breach―including operational risk, reputational damage and potential cultural impact on the company―are often underestimated.’
Improving cybersecurity also calls for a change in attitude at many organizations. "The most important thing is for employees to understand and internalize that they are targets," Steinberg says. "People fall for social engineering and phishing attacks much less frequently if their guard is up."
Cyber risk management strategies should vary based on the potential business impact of cyber incidents. For example, an organization with one or two clients can face greater business damage than those with diversified client bases, Keller notes.
In addition to being pervasive, a good cybersecurity strategy should be multi-layered. "There's no single thing that stops all attacks, so you need to layer defenses," says Erich Kron, a security awareness advocate at Clearwater, Fla.-based KnowBe4 Inc., a cybersecurity awareness training organization.
"On the phishing side, you can use e-mail gateways to control how much potentially problematic e-mail gets to employees, though you won't stop them all," he says. "Then you train people to spot the bad e-mails. But they occasionally will still click on the links they contain. Then you use good antivirus software. And then, should the worst happen, you make sure data is backed up and test how you would respond and recover."
It's also important to tailor these controls to the threats coming in. "For example, if the organization is falling for phishing or malware a couple times a week," Kron says, "[curbing] that should be a priority."
The Challenge for IT
Many experts stress the importance of establishing well-designed IT data systems that segregate data, restrict data access and organize multiple operating systems by business function so that only those who need it have access to the systems and data. That ensures that infiltration of one business function will not infect others and sink the whole business.
IT also can be active in designing solutions that help prevent breaches. These include:
- Preventing the use of simple passwords that are easily hacked.
- Blocking employee transmittal of sensitive information that hasn't been encrypted or authorized.
- Monitoring intra-office flows of information for unusual patterns of communication.
The Internet of Things, teleworking and the smartphone revolution are compounding the cybersecurity challenge by dramatically increasing both the number and types of devices that store sensitive information, Steinberg says, as well as the potential points of entry for hackers.
The general rule is that only secured devices should be allowed to interface with a company's network; others should be connected to a guest network. "Furthermore, any device accessing corporate data needs security software on it," Steinberg says.
For many smaller organizations, identifying exactly who in IT should be dealing with cybersecurity can be a challenge. Most IT people are busy with myriad responsibilities and tasks, while cybersecurity experts are expensive to hire and hard to retain, Steinberg notes. Contracting with a competent third party to design and direct cybersecurity efforts may be the smartest approach.
The HR Challenge
HR has a critical role in cybersecurity, and it should be broader than organizing employee training. "HR is the critical link in the whole cybersecurity process," says Frederick Scholl, cybersecurity program director and associate teaching professor of cybersecurity with the School of Engineering at Quinnipiac University in Hamden, Conn. "They keep company culture, and if there's no culture of security, there's no effective program. It's important that they understand cybersecurity issues and vulnerabilities well."
IT and HR must work together to rapidly disseminate information about threats, as similar attacks will often follow one another or target additional employees. HR and IT also need to work together to ensure that employees access only the data they need.
Another HR task: recruiting employees who will proactively help ensure the security of the organization.
‘For us, privacy is a core tenet of our culture and one of the first things people are trained on.’
The importance of safety is baked into recruiting at Businessolver, a West Des Moines, Iowa-based benefits administration technology and services provider. "For us, privacy is a core tenet of our culture and one of the first things people are trained on," says Marcy Klipfel, senior vice president of employee engagement at the 1,200-employee organization. "When recruiting, we also look for people who understand the importance of security and why we take it very seriously."
And then there's the critical role of training. Only 31 percent of employees receive cyber training and education on an annual basis, according to the results of the 2019 Chubb Cyber Risk Survey.
Training employees to slow down and think about the e-mails they receive is important. "Most cybersecurity attacks target human behavior," Kron says.
Testing employees can help. "In HR, we partner with our IT department and phish our own employees," Klipfel says. "If we're successful, we meet with the employee and discuss what would have occurred if the situation had been real. Doing that creates a real chemical memory that persists; there are no repeat offenders."
Breach and attack simulation tools also can highlight vulnerabilities in an organization, Scholl notes.
A New World
Increasingly, cybersecurity is changing how business is conducted. Organizations are establishing policies and procedures to navigate key potential vulnerabilities, such as how money changes hands. For example, in response to fraud patterns in which real estate brokers' e-mail accounts are hacked and clients' closing payments are diverted, many state realtor bodies are establishing protocols for how closing transfers will be handled and how agents and brokers communicate with clients regarding such transfers.
Businesses, particularly those in industries with sensitive data, are closely scrutinizing current and potential partners to examine whether their cybersecurity efforts are adequate. "Any vendor software we integrate with our own must pass our cybersecurity review," Klipfel says. "And you would be surprised how many software vendors don't follow the protocols and procedures for good cybersecurity practices. For example, many lack cyber insurance. To me, that's an indication that they're not adequately thinking about cybersecurity."
Cyber insurance is now an organizational necessity, many experts say. If a breach occurs, businesses must also have detailed action plans that include which organizational units should be engaged; a communications plan to provide information to affected clients, business partners or media; and a clear strategy for business continuity while networks may be unavailable. These plans should be tested regularly, Keller says. As cybersecurity threats multiply, robust cyber defenses are absolutely critical.
David Tobenkin is a freelance writer based in the greater Washington, D.C., area.
SHRM provides advice and resources to help employers identify cyberthreats and improve security.
Policy: Computer Passwords
Establish standards for creating, managing and protecting strong passwords.
Policy: Computer, E-Mail and Internet Usage
Encourage employees to use your organization's Internet and e-mail systems responsibly.
Policy: Social Media
Set guidelines for the appropriate use of social media in the workplace.
HR Q&A: Data Security
Employee data is widely accessible via the Internet and mobile devices. What are the best ways to safeguard this information?
U.S. Department of Homeland Security Toolkit: National Cybersecurity Awareness Month 2019
Information to help you understand, secure and protect your digital profile.