Five tips for reducing the risk of cyber threats

Phil Fodchuk, National Leader, Cyber Security
Organizations are increasing their investments in digital transformation as the business landscape continues to evolve. While new technology brings many benefits, cyber attacks and breaches are also increasing with the rate of digital adoption — and becoming more damaging. It is now more essential than ever to reset your cyber security mindset as the digital landscape continues to transform.
According to IBM’s The Cost of a Data Breach 2023 report, the average cost of a data breach is US$4.45 million. However, a data breach causes more than just a financial impact — it also includes reputational damages and impacts to your consumers and employees that are more difficult to calculate.
Eighty-five percent of organizations suffered at least one successful cyber attack last year according to CyberEdge Group’s 2023 Cyberthreat Defense Report. Large corporations and small businesses are equally at risk of falling victim to a cyber attack and companies are continuing to spend more money on cyber security. Still, cyber breaches and data leaks continue to occur. A shift in perspective is necessary to help your organization reduce cyber risks and respond to threats effectively.
How to reduce cyber risks to your organization
It is essential to consider the security implications of your technology decisions and introduce business processes to embed cyber security across your organization. However, transforming your organizational culture takes time, resources, and careful strategic planning to achieve successfully.
The following cyber security measures are often recommended, and introducing them within your organization can help reduce risks while you work to enact organizational change:
Maintain an inventory
Developing an inventory that includes both authorized and unauthorized hardware and software is a useful starting point for organizations that want to enhance cyber security. An inventory will provide a broad overview of your entire system — including devices such as cell phones or software such as enterprise resource planning (ERP) platforms.
Maintaining an inventory will not stop a data breach from occurring. However, it will help alert you if any hardware or software inexplicably appears in your system.
Invest in employee training
Your employees play a key role in the success of your organization — and may often work with sensitive data and information. Investing in an employee training program to educate them on how to keep data safe can help make your employees the best defense against cyber attacks.
While implementing an educational program can take significant time, resources, and budget allocation, the results are well worth the effort. This will also require your organization to shift its mindset to encourage employees to report potential breaches or cyber risks without the fear of reprisal.
Perform vulnerability assessments and remediation
Software code is complex — and bugs in the code can introduce security issues. Vulnerability scans look for these bugs in your systems so they can be fixed. Once discovered, these bugs can often be repaired by simple software patches. Regularly scanning your entire inventory of hardware and software can help your organization find problems, develop an action plan, and repair any vulnerabilities as quickly as possible.
Monthly scans are ideal for most organizations — and coincide with when vendors typically release patches. However, continuous scans are the most comprehensive way to monitor your systems. This involves tools running continuous scans on both your hardware and software. This approach will provide a running inventory of vulnerabilities, with bugs added and removed as they appear or are repaired. You can run these scans on your own or outsource this responsibility to firms with expertise.
Control admin privileges
System administrators have the highest level of access to any system within your organization, and it is essential to implement controls on these privileges to reduce organizational risks. For example, your organization may give access to systems when required by providing an on-request account that is used solely when admin-level privileges are needed.
Only 20 percent of breaches are committed by employees — but controlling access will make it more challenging for employees to act maliciously. Additionally, this approach will help protect your system administrators from threats such as phishing attacks by making it more difficult to accidentally share credentials with the attackers.
Limit security configurations
New technology often prioritizes functionality, efficiency, or ease-of-use — and is rarely built for security. To increase the security of your systems, focus on configuring devices or software to perform only their intended function. For example, a server that is solely intended to act as a web server should only have web server functionality enabled.
Additionally, watch for features that leave your systems open to an attack when active and turn off any feature that is not required. Consider exploring other methods to secure a system if a feature is needed that increases cyber risks.
It is important to consider additional avenues to increase the security of your hardware and software. Default passwords are often provided for an easy out-of-the-box experience — however, they are also easy to look up online. Ensure that you implement processes in your organization to change default passwords immediately.
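The inventory check described under "Maintain an inventory" and the single-purpose and default-password checks described above can be automated as one reconciliation pass. The following Python sketch is an added example, not part of the original article: the host names, role profiles, and the shape of the discovery records are constructed assumptions standing in for whatever your asset database and scanner export.

```python
"""Added example: reconcile observed hosts against an authorized inventory."""

# Constructed authorized inventory: hostname -> role and approved software.
AUTHORIZED = {
    "web01": {"role": "web", "software": {"nginx", "openssh-server"}},
    "erp01": {"role": "erp",
              "software": {"erp-suite", "postgresql", "openssh-server"}},
}

# Hypothetical role profiles: the only network services each role needs.
ROLE_SERVICES = {
    "web": {"http", "https", "ssh"},
    "erp": {"https", "postgresql", "ssh"},
}

# Constructed discovery snapshot, as a scanner or agent might report it.
OBSERVED = [
    {"host": "web01", "software": {"nginx", "openssh-server", "vsftpd"},
     "services": {"http", "https", "ssh", "ftp"}, "default_password": False},
    {"host": "erp01", "software": {"erp-suite", "postgresql", "openssh-server"},
     "services": {"https", "postgresql", "ssh"}, "default_password": True},
    {"host": "cam-7f", "software": {"ipcam-fw"},
     "services": {"http", "telnet"}, "default_password": True},
]


def audit(authorized, role_services, observed):
    """Return sorted (host, finding, detail) tuples for every deviation."""
    findings, seen = [], set()
    for rec in observed:
        host = rec["host"]
        seen.add(host)
        # Default-password check applies to every device, known or not.
        if rec["default_password"]:
            findings.append((host, "default-password", "vendor default still set"))
        entry = authorized.get(host)
        if entry is None:
            findings.append((host, "unauthorized-device", "not in inventory"))
            continue
        for pkg in sorted(rec["software"] - entry["software"]):
            findings.append((host, "unauthorized-software", pkg))
        for svc in sorted(rec["services"] - role_services[entry["role"]]):
            findings.append((host, "extra-service", svc))
    for host in sorted(set(authorized) - seen):
        findings.append((host, "missing-device", "in inventory, not observed"))
    return sorted(findings)


if __name__ == "__main__":
    for host, finding, detail in audit(AUTHORIZED, ROLE_SERVICES, OBSERVED):
        print(f"{host:8} {finding:22} {detail}")
```

Run on a schedule, the same pass also reports authorized devices that have stopped appearing in discovery, which is worth investigating in its own right.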
Take the next steps
Cyber threats are constantly evolving, and your organization must reset its perspective to prioritize security across all levels of your organization — including its digital adoption initiatives and business processes.
Stepping up your cyber security efforts can be simple. Instead of hiring a full-time team member, MNP can help you protect your organization by offering a fractional cyber security resource. Connect with our Cyber Security and Privacy team for more information.