Having the right technology should be part of your cybersecurity strategy – but it’s not the only part (and maybe not even the most important part). As an organization’s most valuable asset, investing in people to improve cybersecurity can provide a line of defense that’s tough to find from software or technology.
To help you understand where we are in the ever-changing security landscape, read on to find discover the types of data that are being targeted today – and what you can do to protect your organization. (Make sure to read to the end. The tips we share include suggestions that aren’t typically top of mind.)
What’s Worth Stealing – and Why?
When it comes to the types of information that cyber thieves are looking for, there are some obvious targets – and some not-so-obvious ones. There are many types of hackers, and their strategies, methods, and motivations vary based on their goals and what they hope to accomplish.
Nearly any organization’s customer information could be at risk. This is true no matter who your “customers” are (students, patients, hotel guests, shoppers, etc.). Bad actors are looking for things like payment and financial information, driver’s license numbers, usernames/passwords, email addresses, and/or PINs.
These types of attacks aim to provide unauthorized access to data so it can be used in some way, whether it’s to steal more information, use assets (like credit cards or bank accounts) that are in the impacted parties’ names, open fraudulent accounts, or charge a ransom so someone can get their information back.
Having this data can also help a bad actor “track” actions via data so that online ordering patterns and/or intellectual property can be used to the hacker’s advantage in the future.
Similar to customer information, medical information can also be at risk. Right now, this seems to be one of the hottest data types out there. A medical record can be sold on the black market for between $300 and $400 each instead of $5 or $10 per credit card number.
Here, identification data such as social security numbers, insurance information, and prescription information are targets. This information can later be used to commit prescription or insurance fraud, gain access to medical records, establish fake IDs, buy drugs on the black market, and gain access to other hospital or insurance company data.
Bill of Materials
This data is often overlooked when it comes to cybersecurity. While it may not contain the financial or personal information that many bad actors are looking for, bill of materials can give away trade secrets, intellectual property, design specs, unique manufacturing methods or materials, patents, business plans, pricing and cost data, and product-formulation information.
Hackers can use this information against you – or attempt to sell it to your competitors.
What Can Be Done for Protection?
Cybersecurity is a journey, not a destination. As threats evolve, and bad actors find new ways to access data, your cybersecurity initiatives must change as well. But there are key things you can do to establish a solid cybersecurity posture – no matter what happens down the road.
Establish a Complete Cybersecurity Risk Profile
A full cybersecurity risk profile outlines:
- Your organization’s data (what do you have and where is it?)
- Known risks and how they rank in terms of priority
- Existing cybersecurity policies and practices
- Potential impacts of cybersecurity threats on your organization
A vulnerability assessment is a great way to start. It can help you find weak spots in your network where unauthorized access may occur. An assessment can also pinpoint potential threats. As a result of what you find, you can take action, create a plan to follow, and correct any potential problems that may expose valuable data and resources.
Communicate the Priority to Executives
There is often a separation between the importance of protecting valuable data and what the board (or leadership) understands about information security. Communication breakdowns may negatively impact your cybersecurity efforts if leadership doesn’t see how or why an investment in cybersecurity is necessary.
To get the point across, it helps to speak to leaders in their own language. Instead of focusing on technical jargon or specific products/solutions, have a business-specific conversation that explains the company’s current security posture, how cybersecurity may impact key business priorities, and potential risks.
Once you’ve won them over, make sure you communicate progress and good news to remind them that the decision to invest in cybersecurity was a good one!
Don’t Forget About Employees
The majority of today’s cyberattacks are designed to take advantage of human error – not necessarily software flaws. All the technical controls in the world can’t stop someone from giving out a password or emailing sensitive information to the wrong person.
The companies that do cybersecurity right are the ones that not only invest in some cybersecurity technology, but also put their people on the front lines and give them the training they need to identify potentially risky situations. Through proper awareness training, you can prepare employees for these threats, help them recognize iffy behavior, and empower them to say “no” when necessary.
Create a Senior Cybersecurity Council
Bringing together a group of cross-department representatives from IT, HR, finance, and legal helps everyone feel like they have some skin in the game. Getting buy-in from all these corners of your organization can also help move cybersecurity projects along faster.
These representatives are also to bring employee concerns to the table or pinpoint potential areas of concern based on what they’re seeing in their own departments.
Have questions about your data and how to protect it? Send us a note or give us a call. We’re always happy to answer your questions!