Nearly every industry has been deemed “most breached,” “most hacked,” or “biggest security target.”
Of course, they can't all hold the unfortunate title, but financial services, retail, healthcare, and even media and entertainment are all experiencing the intense pain that sophisticated cyberthreats can inflict upon operations. These pain points cannot be traced back to a single source, but to a convergence of factors: accelerating digital transformation across industries, evolving threat types, and a general lack of investment in comprehensive security practices and tools.
With the rise of “smart” digital integration, or what some people are calling “Industry 4.0,” this pain will become more acute. Attackers could conceivably disable manufacturing facilities or hold a crucial piece of intellectual property hostage, leading directly to millions in lost revenue and inestimable damage to brands and their competitive edge, or much worse, impact to critical care. The WannaCry ransomware attack earlier this year, for example, took down healthcare systems in the UK, forcing hospitals that rely extensively on electronic health records to literally reroute patients requiring emergency services.
Past strategies have too often focused on cleaning up consequences rather than getting out in front of threats, and the damages are proving even more extensive. To mitigate these risks, organizations need to adopt a proactive approach to cybersecurity.
Understanding the problem
A clear indicator that current approaches to cybersecurity aren’t working is how little attack strategies have changed over the past decade. While hackers have identified a plethora of new vulnerabilities, they exploit them using methods that have been on our radar for years.
Spear and net phishing, which have been around for at least 15 years, are becoming a source of fear for even average computer users. Despite that, up to 30% of phishing messages are opened and downloaded now that social media and sophisticated fake websites can be used to build trust and establish authenticity.
Not only has the quality of attacks increased, but so has the quantity. Encryption and bitcoin make it easy to extort money directly from victims, prompting scores of criminal elements to migrate to cybercrime. The number of attacks on businesses tripled over just nine months in 2016, and 20% of those who paid ransom never regained access to their data, according to one study. The rate is likely much higher.
A solid backup strategy would reduce threats and control costs at the same time, rather than forcing companies to decide between losing critical information or paying attackers.
Hollywood Presbyterian Medical Center learned this lesson the hard way, ultimately paying a hacker $17,000 to unlock its systems. The center could have wiped and refreshed with limited loss of information if it had been prepared with regular system backups.
Adopting a proactive approach
An effective approach to cybersecurity requires more than a statement of intent. Stakeholders must put explicit plans and programs in place and invest the necessary resources in three primary areas:
1. Develop a culture of security
Making cybersecurity a fundamental part of your operations means engaging in comprehensive employee training and testing, giving security personnel a strategic seat at the table, and making security a priority on the management team's agenda. Too many companies make minor efforts at improvement and then presume their security is ironclad. Measure progress by launching dummy phishing attacks to set a baseline and to test, over time, how secure your infrastructure and users are becoming.
2. Survey and inventory vulnerabilities
Do you know what sensitive or protected data you have and where it's stored? Look for every possible weakness, from systems to connected devices. Prioritize the most troubling vulnerabilities and develop a plan of action to address each. Netflix excels at self-assessment with its Chaos Monkey protocol: Production servers are randomly shut down during business hours, essentially manufacturing disruptions from within. As a result, engineers are forced to become hyperaware of building redundancy into the infrastructure.
3. Articulate response strategies
Disorganization only amplifies the consequences of an attack. Before you get hit, identify the chain of command, locate your support resources, and outline a crisis response plan based on the type of attack. Planning for contingencies is difficult, which is why only 25 percent of businesses do it. The goal, however, is to guide your staff in how to support a rapid crisis response. This is essential for all companies.
The promise of digital transformation is vast; however, so are the potential security exposures. It's critical for organizations to prioritize security as an integral part of their business strategy and to ensure it is adequately resourced. Companies that do so are the leaders that will not only survive, but also thrive.
Karin Ratchinsky, director of healthcare strategy at Level 3, is an author, speaker and contributor to the health IT community. Karin provides expert industry insight on trends in health IT, and emerging care delivery strategies.