Cybersecurity is the discipline of protecting data, software programs, systems, and networks from attacks and unauthorized access.
In 2021, the average data breach cost $4.24 million. With a 105% surge in ransomware attacks alone, businesses are increasingly likely to experience a cybersecurity incident. At some point, your business will probably experience an attack. Without the right steps, it could be financially devastating. The right cybersecurity measures can act like a protective forcefield around your company. We’ll explain what you need to know about cybersecurity, including its purpose, its types, and how you can thwart threat actors.
Hardware, software, and information assets are critical to business operations. In the event of a cyberattack, some or all of your assets may be compromised. Just as building security protects your facilities, cybersecurity provides data protection and shields your technology resources.
If your assets are compromised, you may not be able to continue normal operations. Affected systems may need to be taken offline, ransomware could block access to important files, and you may experience a business interruption. A strong cybersecurity posture can help you prevent many cybersecurity attacks, recover more quickly from unavoidable incidents, and maintain cyber resilience in a changing cyber threat landscape.
In many industries, businesses are subject to regulations that govern their cybersecurity requirements. Implementing strong cybersecurity policies and procedures helps with compliance.
Customers, investors, and partners may lose trust in a business with weak cybersecurity, and a cybersecurity incident can significantly damage a business’s reputation. With reputation accounting for 63% of a company’s market value, damage to the company’s reputation can have far-reaching implications.
In cybersecurity, operational security (OPSEC) looks at systems and operations from the perspective of a malicious actor to identify sensitive data, address potential cybersecurity threats, assess vulnerabilities, and implement countermeasures. This approach is valuable for cybersecurity risk management.
Cloud security addresses vulnerabilities in cloud environments, which may involve data, applications, and infrastructure.
Sometimes classified as a separate field outside of the cybersecurity realm, information security (InfoSec) focuses squarely on safeguarding the integrity, confidentiality, and availability of all forms of data, both physical and digital. Since most businesses now rely primarily on digital data, some now treat information security as a subset of cybersecurity.
Each business uses an average of 110 SaaS applications. If they’re not properly designed and maintained, these applications can open your business up to increased cybersecurity risks. Application security is an element of application design in which the developer introduces security standards, procedures, and systems. Penetration testing then searches for weaknesses hackers could exploit.
Network security encompasses configurations, hardware, software, policies, and procedures related to network access and use.
IoT security aims to protect devices like printers, security cameras, industrial robots, building automation, and other physical objects that connect via the internet. These smart devices increase the exploitable attack surface. They also frequently lack updates and have inadequate default settings.
Critical infrastructure security refers to the protection of the systems society relies upon. While this is outside of a business’s control, every company should assess the ramifications of an attack on the electrical grid, water supply, and other physical systems. Preparing contingency plans can enable your business to pivot quickly if the need arises.
In some cases, the phrase “critical infrastructure security” may also be used to refer to your company’s hardware, including your workstations, network, servers, and telephone systems.
Protecting your company from cybersecurity threats requires a three-pronged approach that incorporates prevention, detection, and response. The NIST Cybersecurity Framework adds two steps, identification and recovery, which can be grouped into prevention and response, respectively.
Some businesses focus on prevention, assuming they’ll be able to stop any attack, but this method is doomed to fail. Cybercriminals routinely develop new approaches to bypass existing security measures. Without all three of prevention, detection, and response, your company opens itself up to unnecessary cybersecurity risks. We’ll highlight key steps to take towards protecting your business:
Use a firewall
Use a VPN
Establish a strong password policy
Implement other key IT policies
Use the principle of least privilege, limiting users to the privileges essential to performing their jobs
Back up your data
Conduct security awareness training
Perform risk assessments
Conduct security reviews and audits (penetration testing, red team testing, architecture design reviews, code reviews, etc.)
Use a security information and event management (SIEM) solution
Use antivirus software
Implement an intrusion detection system (IDS)
Conduct threat hunts
Do disaster recovery and business continuity planning preemptively
Consider cyber insurance
Secure your systems and fix vulnerabilities
Take affected equipment offline
Mobilize a response team
Notify key parties (authorities, customers, etc.)
On average, a cyberattack occurs every 39 seconds. While we don’t hear about the vast majority of incidents, some are so remarkable that they make headlines. You’re probably at least mildly familiar with the following historic cyberattacks due to their massive scale.
Between May and July of 2017, threat actors gained access to sensitive information on over 140 million U.S. consumers via a vulnerability in the U.S. website application of Equifax, the consumer credit reporting agency. Names, birthdates, addresses, Social Security numbers, driver's license numbers, credit card numbers, and dispute documents were compromised.
Equifax announced the unprecedented security breach in September of 2017, and the fallout was catastrophic. For one year, Equifax offered free credit monitoring and waived the dispute arbitration requirement. The CEO also resigned, Equifax’s reputation took a hard hit, and the company agreed to a global settlement that includes $425 million in relief for those affected.
Hackers backed by China’s military were later charged in connection with the attack.
In late February and early March of 2014, hackers accessed 145 million eBay user records, including passwords, email addresses, mailing addresses, and birthdates. The company then delayed alerting customers. Even after customers were notified to change their passwords, some reported problems doing so. A federal judge dismissed a proposed class-action lawsuit, but the breach and subsequent mishandling undoubtedly did reputational damage. The Syrian Electronic Army claimed credit for the attack.
In 2016, Yahoo announced that in 2014, an adversary gained access to data from over 500 million user accounts, including names, email addresses, telephone numbers, birthdates, hashed passwords, and security questions and answers. This report would make the breach one of the largest in history. But that’s not where the story ends.
A few months later, Yahoo announced that a second breach occurred in 2013 that affected 1 billion accounts. For those of you keeping score, that’s 1.5 billion affected accounts in just a couple of years. Epic, right? But the story still isn’t over.
After Verizon acquired Yahoo’s internet business in 2017, it disclosed that the 2013 breach was far greater than previously reported, affecting all user accounts: 3 billion in total. That included accounts for email, Tumblr, Fantasy, and Flickr. The attack was attributed to hackers backed by Russia.
Needless to say, these attacks weren’t great for Yahoo. Verizon paid $350 million less in the final acquisition price than previously offered, and the Yahoo CEO resigned. Not surprisingly, costly lawsuits and regulatory fines piled up.
As one of the most famous ransomware attacks in history, WannaCry instilled a fear of malware in business leaders worldwide. In a few short hours in May of 2017, it infected thousands of computers in over 150 countries, encrypting files and demanding payment in cryptocurrency to restore access. Most notably, hospitals in the United Kingdom lost access to medical records, forcing them to divert patients. However, companies, government systems, and railway networks were also hit.
While a security researcher eventually found a kill switch that halted the attacks, billions of dollars of damage had already been done. Some victims paid the ransom to try to recover their files, but there have been no reports of the cybercriminals actually restoring access.
It is believed that the attacks were perpetrated by a hacking team backed by the North Korean government.
In 2018, Marriott announced that a reservation database breach may have exposed the personal information of as many as 500 million guests who’d stayed at Starwood hotels since 2014. Hackers copied and encrypted information that may have included names, dates of birth, mailing addresses, email addresses, phone numbers, passport numbers, credit card numbers, and more.
With so much sensitive data at their fingertips, the hackers could have wreaked havoc on the lives of the victims. Instead, remarkably little came of the incident, and none of the records have been found for sale on the dark web. Some sources claim that hackers associated with Chinese intelligence may have perpetrated the attack to acquire information on American government employees, who frequently use the hotel chain.
Marriott had cyber insurance that covered some of the $28 million in expenses the company initially incurred. However, lost business, legal fees, and technology expenses could ultimately cost billions. Marriott also faced a penalty from the United Kingdom’s Information Commissioner’s Office (ICO), which was reduced from $123 million to $23.8 million. The company agreed to pay for passport replacements for affected customers. However, a class-action lawsuit was dismissed.