How Bad is It?
Almost daily, another cybersecurity breach is published, each one resulting in millions of members', account-holders' and customers' records being stolen or compromised. Below is a list of just the past two weeks according to Lookout:
- April 2nd, 2018: Five million payment card numbers were compromised at Hudson's Bay
- March 31st, 2018: 150 million users of Under Armour's MyFitnessPal had their account information and email addresses breached
- March 25th, 2018: 360 teachers in Pennsylvania may have their personal information, including social security numbers, breached
- March 24th, 2018: 10,000 Primary Healthcare patients may have their personal health and financial information breached
- March 23rd, 2018: 35,000 patients of ATI Physical Therapy have had their medical and financial information compromised
- March 21st, 2018: Walmart’s jewelry partner, Limoges Jewelry, had the personal information of 1.3 million people exposed on an open Amazon S3 bucket
- March 20th, 2018: Ten million National Lottery players are being warned their accounts may have been accessed in a breach
- March 20th, 2018: 880,000 Orbitz customers may have their payment card information breached
What does this list tell you?
For one, while more business is done online than ever in history, an overwhelming number of organizations are not prepared for it. In February 2017 there were 1.2 billion registered web domains.
And second, in a way, members, account-holders and customers are allowing it to happen. Hardly anyone reads and/or understands the terms and conditions or the privacy and legal information before making an online purchase or signing up with an organization. And even if we do, what guarantees does one have that the promises made are actually being upheld, verified and ensured?
Why Do We Put Up With It?
Well, that's a good question. Is it because we have become so used to it? Maybe none of us can make a difference as individuals and make these organizations do a better job of protecting our personal information? Maybe because there is so little oversight and organizations are getting away with it all? Maybe because we don't even know what to ask for or demand before we hand over our information? There are many answers to this question, and they all have some validity.
And the trends for 2018 do not look any better. In his article “10 Must-Know Cybersecurity Statistics for 2018”, Jonathan Crowe paints a bleak picture for the rest of this year.
It’s worrisome; that’s for sure. And to make matters worse, a level of complacency has kicked in as if this is the new norm and we just have to live with it.
Are These Cybersecurity Attacks the New Norm?
We know one thing, and that is that these cyberattacks will not go away, unless we do something about it. “We” in this case means everyone who is leaving personal information in someone else’s custody.
In Europe, the GDPR laws will go into effect soon; a step in the right direction, and a step to put more control in the hands of the individual. It’s a small step however. While the penalties are stiff, it doesn’t really make it mandatory to have a minimum level of information security, or cybersecurity for that matter, in place for those organizations being the custodians of your data. Isn’t prevention better than the cure?
Prevention should be the new norm, not "let's live with this annoyance."
Preventing Cyber Attacks Personally
As an end-user, there are a few relatively easy things you can do to prevent common cyber attacks:
- Keep your system updated. Hackers love out-of-date computers and ones that haven't had their security patches applied in a long time
- Make sure you have a good firewall and antivirus installed
- Never share your personal information online unless you're 100% certain the website is safe. One thing to check is the "s" in the URL (web address): instead of starting with http:// it should start with https://, which means the connection to the site is encrypted. While this is no longer a guarantee on its own, it is still something to look for
- Never click on email links, even if you think you know who the email is from. If you receive an email from a bank or credit card company, close the email and type the organization's web address directly into your web browser. You can also pick up your phone and call them; remember the good old days?
- Don’t download any files such as music, attachments and pictures unless you’re expecting to receive one from someone
- And, finally, always back up all of your files so you can quickly return to normal if something does happen. A good rule of thumb is to make a backup when you add a new program or change any settings. Otherwise, make a backup at least once a week, or daily when you work on your computer that often. Keep your backup separate from your computer by using the cloud or a removable hard drive.
What Should Organizations Do Preventively?
This blog is too short to address every possible scenario. There are a number of articles on the web with great information and, even better, there are standards and certification training courses to prepare you properly.
Keeping it simple: if you are running a mom-and-pop store, you should at the very least take into account the list above.
However, if your organization has more than 30 or 40 employees, you will need to raise the bar. Consider subscribing to the services of a consulting firm that regularly assesses your potential risks and implements the proper countermeasures. A service like this will not break the bank and is worth the avoidance of unnecessary headaches.
When your organization surpasses 60-70 employees, you will need additional precautionary measures in place; even more so when your customer base is global and when you are dealing with confidential information such as birthdates, credit card numbers, social security numbers, etc. The time has come to consider becoming an ISO/IEC 27001 certified organization that is audited annually by an independent third-party auditing firm to sustain compliance. This is not a far-fetched recommendation. Organizations needing to comply with Payment Card Industry (PCI) requirements are already used to being audited.
What Does ISO/IEC 27001 Offer?
This international standard for information security helps your organization be best prepared for information security breaches, including cybersecurity threats. Implementation guidance for the best practices to be followed can be found in the ISO/IEC 27002 document, and the ISO/IEC 27032 document adds recommended cybersecurity-specific practices. A fourth document of value is the ISO/IEC 27005 standard, which addresses how best to conduct a risk assessment to identify your weaknesses, vulnerabilities and potential threats. Each of those can be countered with recommendations you will find in the ISO/IEC 27002 and ISO/IEC 27032 documents.
So what's in it for those organizations that are ISO/IEC 27001 certified? Well, the answer is easy. Publish it on your website and in all your sales and marketing collateral. You may find that you are outperforming your competition, as too few organizations bother to make the investment while they still believe they can get away with less care.
Being an ISO/IEC 27001-certified organization signals trust, just like the “s” in https. The certificate is like a seal of approval; remember the days that we were looking for the Better Business Bureau (BBB) logo? The time has come for a logo that shows the organization is cyber secure. It will only be a matter of time before the government steps in (even more). Do you want to wait for that moment and have lost your reputation and ultimately your business, or do you want to send a message to your customers that you truly appreciate their business? What’s your answer?
Information Resources for All Budgets
To learn more about preparing for cybersecurity and ISO/IEC 27001:
- Download this free white paper: “What is ISO/IEC 27001?”
- Take the online self-paced “ISO/IEC 27001 Foundation Course” for $495
- Purchase the referenced ISO standards from the ISO organization for about $150 each
- Participate in the next online “ISO/IEC 27032 Foundation – Cybersecurity Certification Course” for $995