Cybersecurity for business is a complicated topic. It always has been. But all too often, people believe cybersecurity is simply a few antivirus and security programs being in place and little more. In reality, a lack of proper knowledge surrounding cybersecurity is often one of the biggest factors in any breach. The 2020 State of Privacy and Awareness Report from Media Pro states that three in five employees cannot identify a social engineering attack, and one-quarter of employees reported that they could not identify a phishing email. Yikes.
Due to its complexity, many don’t grasp the importance of cybersecurity, which is why education is crucial. To help you better understand its importance, we’ll give you a brief introduction to cybersecurity, information security and how to keep your data safe online.
Introduction to Cybersecurity
The simplest thing about cybersecurity is its definition. Simply put, cybersecurity is the defense against any unauthorized or criminal use of digital data. Though cybersecurity itself and the threats against it are constantly evolving, there are a few consistent key components that make up cybersecurity:
- Tools: Proper tools and software act as the wall between your data and those who wish to take it. Tools go well beyond antivirus programs and can include virtual data rooms (VDRs), encryption software, proxy testing programs and more, each of which we will discuss in more detail below.
- Knowledge: Perhaps the most overlooked component of cybersecurity comes down to computer operators themselves — in other words, the users behind the screens, keyboards and devices. The most well-armed fighters can still fail if they lack the knowledge required to use their tools to avoid pitfalls. To stem the tide of possible cyberthreats, many large companies have protocols in place to train — and periodically test — employees against the latest cyber scams and phishing attacks. Staying current on the latest threats, methods being used and software is essential to any cybersecurity program.
- Planning: Just as you have a plan for any kind of office-related disaster, it’s important for you to have a cybersecurity plan. In the event of a data breach or leak, you need to know what steps you’ll take to mitigate damage and secure your assets.
The above points are only glossing over the surface of cybersecurity, but following them will ensure that you’re off to a solid start with your security initiative.
Why Is Cybersecurity Important?
Now, more than ever, cybersecurity is a top priority for organizations of all sizes. Cyberattacks are routinely front-page news, and these security breaches aren’t things that “only happen to other companies” — not only is the targeted company damaged by the hack (both financially and reputation-wise), but millions of individuals are routinely affected by them. The scope of cyberattacks can range from the smallest sites to large, multinational corporations and government sites, and it seems that no company of any size is exempt from being a target.
But why is cybersecurity important and such a vital topic these days? It’s because companies of all sizes are being hit with cyberattacks. And often it’s companies that are household names – in 2020 alone Marriott, Twitter, Garmin, SolarWinds and others were hit with data breaches – a fact that should be extremely concerning to everybody. According to DynaSys, $1.1 million is the cost of the average cyberattack. But consider this – McAfee estimated that in 2017, global cybercrime carried a price tag of around $600 billion annually. Yes, that’s billion with a “B.”
Six Ways to Strengthen Your Cybersecurity
Having a proper cybersecurity system in place involves a lot of patience, time and finances. That being said, there are still several things you can do quickly and cheaply to be better prepared in the meantime.
1. Educate on Password Best Practices
Did you know that 59% of people use the same password across multiple websites? Or that 18% of employees share their passwords with others? There are countless stats that all point to the same thing: People don’t know or follow password best practices when it comes to online security.
Make sure your team does the following:
- Use a password that’s difficult to guess and unlike any of your other passwords.
- Don’t incorporate any kind of family name or pet name into the password.
- Avoid using obvious numbers like birth dates.
- Add a capital letter, a number, and a special character like !, ?, # or %.
- Change your password regularly; don’t wait for it to expire.
A quick seminar or training session on the above, and your team can be off to a great start as far as security is concerned. If possible, you can also consider implementing a password tool, such as 1Password or LastPass. Having two-factor authentication is also a great idea, as it requires a secondary form of verification, such as a text to the user’s phone.
Also, it should go without saying, but make sure all of your networks and servers are password protected. In 2018, PumpUp, a fitness app, left a server unprotected and lost six million passwords and records.
2. Regularly Train on Email and Social Media Threats
Phishing isn’t anything new, but that doesn’t mean everyone is aware of the tactics used by those looking to steal information. Phishing is the practice of sending emails that look to be from a legitimate source (Amazon, AT&T, etc.), but in reality are scams used to access the accounts of users who don’t realize they aren’t legitimate communications.
Phishers regularly change their methods, using spoofed emails that look real, or popup ads to install malicious software onto your computer. Such software can log keystrokes, allowing for the theft of passwords and other information.
To avoid any of your team falling prey to phishing, make sure you hold regular training sessions on the latest threats going around. Discuss that many phishers will send emails that look like they’re from a friend or relative, when the actual email address is totally different. Advise them to not click popups, or even consider using a popup blocker in your office.
3. Use a VPN For All Remote Employees
A virtual private network (VPN) is a great way to ensure your out-of-office employees are using a secure connection. In-office employees will be on your LAN or using the secured Wi-Fi, but those out of the office could wind up using the Wi-Fi from a cafe or their home.
A VPN is an inexpensive and effective way to minimize the chances of their connection being compromised. Many VPNs can be as affordable as several dollars per user, making them an incredibly cheap way to bolster your security.
4. Conduct Regular Scans of Your Computers and Network
While your office should ideally be using something more advanced, free services like Windows Defender and Malwarebytes do a solid job of protecting your computer from infections. No matter what software package you’re using, make sure you’re doing regular scans of your computers.
On top of this, make sure your antivirus and defense software are always up to date. New antivirus definitions are released regularly, sometimes multiple times in a week, and your software needs this to function properly.
You also want to be regularly scanning your network for any vulnerabilities. Use a proxy scanner or network vulnerability scanner to check for any flaws in your network’s security. Any kind of flaw can lead to unwanted visitors gaining access to your network.
There are numerous free options as far as vulnerability scanners. While their functionality can be limited compared to paid options, they will at least let you know if there’s a problem that needs to be fixed, in which case it might be time to pay for a full-featured scanner.
For a reminder on the importance of scanning for infections, look at the 2019 data breach of financial firm Capital One. Over 100 million users were affected, and this hack may eventually cost the company over $100 million overall, not to mention tainting its reputation for years.
5. Emphasize the Importance of Information Security
Just as you stress the importance of cybersecurity, you need to stress information security as well. A component of cybersecurity, information security is the practice of specifically ensuring the safety of your company’s information, whether it takes the form of data or documents.
Information security encompasses both attacks on information like a data breach, and also the loss of information through a natural disaster. For this reason, a proper information security program involves having a backup plan as previously mentioned, keeping your employees trained on best practices, and using the right tools.
A loss of sensitive information can cost a company a fortune. According to the 2018 study done by the Ponemon Institute, the average data breach costs $3.86 million, and the average cost per record stolen is $148. This isn’t to mention the impact a breach can have on a pending M&A deal.
Hold regular training sessions on information security and how to handle sensitive info. Stress the importance of non-disclosure agreements (NDAs) and consider using digital rights management (DRM) software to protect any information being shared.
Proper DRM can give you the ability to revoke access to files even after they’ve been downloaded, which can prevent anyone from sharing information after leaving your company. This alone could save you millions in the event they try to compromise an M&A or other deal.
6. Consider Using a Virtual Data Room
The virtual data room (VDR) is a relatively new concept — an online space where the due diligence portion of M&A deals is conducted — and cybersecurity plays heavily into that area. That’s because the documents that are required for Mergers and Acquisitions (M&As) always contain highly confidential data — financials, tax issues and intellectual property (IP) information, along with other sensitive data.
For any company conducting an M&A, cybersecurity is one of the top-tier priorities, as a data breach of any kind could have devastating effects on the business deal itself, along with its finances and its reputation and standing in the business world. Therefore, the cybersecurity that surrounds a VDR and companies using it has to be of utmost importance, and a robust system must be implemented to protect all parties involved in the transaction.
If your company regularly handles sensitive information or will soon be in the process of an M&A, you should consider using a virtual data room.
A VDR is a more secure, business-minded approach to file storage and sharing. With a VDR, you can ensure your clients or employees are looking at the most recent files, guarantee authenticity using watermarks, and even use DRM functionality to prevent any file from being stolen.
In the past, many VDRs could cost you upwards of six figures. Today, there are options available for as little as $299 per month. (If you’re curious about how a VDR might benefit your company, you can even sign up for Caplinked’s free trial and enjoy the first-month promo rate of only $149.)
Features to look for in a VDR
When you’re shopping around for a VDR, there are certain features you should be looking for. There are numerous VDR options available, so this list of features should help you narrow down your search.
- Proper compliance: HIPAA and SOC 2 compliance can ensure your VDR is set to handle most deals.
- Audit trail: An activity tracker that automates an audit trail and lets you know who changed what can reduce the chance of anyone abusing privileges.
- IP address restrictions: The ability to block certain IP addresses from accessing files is a key element to keeping your documents safe.
- Automated permission expiration: There are numerous moving pieces during M&A due diligence, during which time many eyes could be seeing sensitive information and documents. Automated permission expiration can take away the stress of managing permissions, and prevent anyone from seeing a document after they’re no longer involved.
- Built-in antivirus scanning: The primary function of a VDR is keeping you and your documents safe. Built-in antivirus scanning adds an additional layer to that security, reducing the chances of your network being infected by a malicious file.
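To make three of the features above concrete, here is an added example (not Caplinked’s code or any real VDR’s) that models an audit trail, IP address restrictions and automated permission expiration as one access check. The grant store, the names Grant and VaultAccess, and the scenario in demo() are all constructed for this illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network


@dataclass
class Grant:
    user: str
    document: str
    expires_at: datetime            # automated permission expiration
    allowed_networks: tuple = ()    # IP address restrictions as CIDRs; empty means any


@dataclass
class VaultAccess:
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def _record(self, user, document, action, source_ip, outcome, reason, when):
        # Audit trail: who did what to which document, from where, when, and the result.
        self.audit_log.append({"at": when.isoformat(), "user": user, "document": document,
                               "action": action, "source_ip": source_ip,
                               "outcome": outcome, "reason": reason})

    def check(self, user, document, source_ip, now=None):
        """Return (allowed, reason); every decision, allowed or not, is logged."""
        now = now or datetime.now(timezone.utc)
        reason = "no grant"
        for g in self.grants:
            if g.user != user or g.document != document:
                continue
            if now >= g.expires_at:
                reason = "grant expired"        # user is no longer involved in the deal
                continue
            if g.allowed_networks and not any(
                    ip_address(source_ip) in ip_network(n) for n in g.allowed_networks):
                reason = "source IP not permitted"
                continue
            self._record(user, document, "view", source_ip, "allow", "grant valid", now)
            return True, "grant valid"
        self._record(user, document, "view", source_ip, "deny", reason, now)
        return False, reason


def demo():
    """Constructed scenario: a bidder's analyst gets 7 days of access from the bidder's office network only."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    vault = VaultAccess(grants=[Grant("analyst@bidder.example", "financials.pdf",
                                      start + timedelta(days=7), ("203.0.113.0/24",))])
    attempts = [("203.0.113.10", start),                         # in window, office IP
                ("198.51.100.7", start),                         # in window, other IP
                ("203.0.113.10", start + timedelta(days=8))]     # after expiry
    reasons = [vault.check("analyst@bidder.example", "financials.pdf", ip, t)[1]
               for ip, t in attempts]
    return reasons, [e["outcome"] for e in vault.audit_log]
```

Note that denied attempts are logged too: a run of denials from an unexpected network after a deal closes is exactly the signal an audit trail should surface.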
Many companies make the mistake of using a free service like Dropbox or Google Drive to share their files, and pay dearly down the road when information is leaked or stolen. A VDR with the above features can prevent that. (Did we mention Caplinked features all of the above?)
Even when using a strong cybersecurity platform, having risk mitigation measures in place is always a great idea. Even the strongest cybersecurity systems can still be breached. A risk mitigation plan will help reduce the likelihood of any damage being done in the event of a program failure or internal breach.
Here are a few best practices you can put into place to help reduce the likelihood that your company suffers a loss:
Limit Access Control
When you’re in a leadership role, it can be tempting to give numerous people administrative abilities within your system. More people who are able to complete high-level tasks will surely translate to more work getting completed, right? Unfortunately, this can lead to an abuse of privileges and result in data being lost, stolen and so on.
To reduce the likelihood of any internal leaks or incidents, limit access and administrative privileges to only those who absolutely need them. Take a page from the Microsoft playbook and use its definition of least-privilege administration:
“The principle states that all users should log on with a user account that has the absolute minimum permissions necessary to complete the current task and nothing more.”
Encrypt Your Data
Encryption is the practice of transforming information into scrambled form that can’t be read without the decryption key. When data is encrypted it is often useless to thieves in the event that it’s stolen. This doesn’t necessarily mitigate the entire financial cost of a breach, but it can give your customers peace of mind and help reduce the likelihood of them leaving your company. Whether you’re sending data or simply letting it sit on a drive or server, encryption is always a great idea.
Implement Automated Patching Software
Patching, the act of applying vendor updates to software, can be tedious. This is especially true when you’re dealing with an office filled with computers, each running antivirus software, an operating system, encryption software, and any corporate tools that all need to be updated.
Patches can take time to download, so users often put them off when they’re in the middle of working. This often results in patches not being downloaded at all. With many patches including fixes that close security gaps, patches are incredibly important.
Automated patching software can take away the hassle of updating an operating system, antivirus programs and more by updating things automatically. This allows you to schedule updates across your entire office, ensuring every computer is updated during a time it doesn’t inconvenience employees.
Leave Audit Trails
Audit trails, also known as audit logs, are records of any changes made to procedures, events, operations and any other security-relevant task. This log can also include major events such as a financial transaction, movement on an M&A deal and more.
There are numerous ways to handle an audit trail. The end goal is to have a solid record of who did what and when. As long as you can always trace any changes to the major parts of your company, your audit trail is working properly.
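A record of who did what and when is only trustworthy if nobody can quietly rewrite it afterwards. The following added example (not from this article or any product) goes one step beyond the text: each record is chained to the previous one by a SHA-256 hash, so verify() can tell you whether the trail is intact and, if not, where the first altered record is. The class name AuditTrail and the events in demo() are constructed for this illustration.

```python
import hashlib
import json


def _link_hash(prev_hash, entry):
    # Each record is hashed together with the previous record's hash, so changing
    # or deleting any earlier record breaks every link after it.
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


GENESIS = "0" * 64   # hash used before the first record


class AuditTrail:
    """Hypothetical append-only trail of who did what, to what, and when."""

    def __init__(self):
        self.records = []

    def append(self, who, what, target, when):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        record = {"who": who, "what": what, "target": target, "when": when}
        record["hash"] = _link_hash(prev, record)
        self.records.append(record)

    def verify(self):
        """Return (True, None) if intact, else (False, index of first broken record)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if _link_hash(prev, body) != rec["hash"]:
                return False, i
            prev = rec["hash"]
        return True, None


def demo():
    """Constructed example: three events on a deal document, then one is altered."""
    trail = AuditTrail()
    trail.append("cfo@seller.example", "upload", "financials.pdf", "2024-01-02T09:00:00Z")
    trail.append("admin@seller.example", "grant", "analyst@bidder.example", "2024-01-02T09:05:00Z")
    trail.append("admin@seller.example", "revoke", "analyst@bidder.example", "2024-01-09T09:00:00Z")
    before = trail.verify()
    trail.records[1]["who"] = "someone-else@seller.example"   # simulated after-the-fact edit
    return before, trail.verify()
```

In practice the latest hash would be copied somewhere the log’s own administrators cannot touch (a separate system, a daily email to the auditor), since a chain alone does not stop someone from rewriting and re-hashing the entire log.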
Create an Incident Response Plan
No matter how secure a company is, the chances of a security-related issue occurring eventually are always there. It’s important to have an incident response plan in case a breach or incident does happen.
Meet with your IT team and anyone that handles data or sensitive information, and discuss any possible loopholes, risks and so on, and determine what the best course of action would be for any potential incidents. Once you have a plan drafted, train any relevant team members on it and ensure it’s updated as processes change over time.
Following everything previously mentioned will put your team in a great place as far as cybersecurity. Still, complacency is the friend of threats and the enemy of safety. Never stop training and educating yourself on the dangers out there, and always make sure you’re auditing your toolset to see if there’s a newer, better option available. The importance of cybersecurity can’t be overstated. Yes, cybersecurity can be costly, but it doesn’t have to cost a fortune. Start by educating yourself and your team and take things one step at a time. And one last thing: Don’t click that link stating you won a free iPad. You didn’t. Nor did anybody else.
Caplinked’s Virtual Data Rooms provide the platform to securely manage documents for the due diligence phase of any type of merger and acquisition. With its easy-to-use dashboard and secure workspaces, a Caplinked VDR provides the protection you need for document control, document management and collaboration throughout the entire Q&A process. If you would like to find out if Caplinked is right for you, start today with a free trial.
Chris Capelle is a technology expert, writer and instructor. For over 25 years, he has worked in the publishing, advertising and consumer products industries.