Companies remain vulnerable to cyber attacks for a variety of reasons, which are, of course, not applicable to every organization. But there are some common and reoccurring weaknesses in strategies to combat and/or prevent cyber breaches. Blouin News spoke with cyber security experts to compile the top five reasons why businesses are so vulnerable to cyber hacks, listed below in no particular order of importance.
1. Denial. "It won’t happen to me" is a common mindset among businesses, particularly smaller ones. The notion that you or your company faces no risk of cyber breach (be it for reasons of company size, purpose or profit margin) is simply untrue. Every individual and company is at risk for hacking as evidenced by the proliferation of breaches over the past few years. Elaine A. Stanko, of McNees Wallace & Nurick LLC’s Privacy and Data Security, Corporate & Tax and Financial Services practice groups, says that denial that one hasn’t been hacked already is also prevalent. As John Chambers, former CEO of Cisco, once said: "There are two types of companies: those that have been hacked, and those that don’t know they’ve been hacked."
2. Lack of preparation. When organizations believe they are not targets, and likely never will be, denial often translates into lack of preparation. Stanko notes that "The biggest mistake is not being proactive – by having a carefully customized data security plan tailored to your company’s individual needs and the types of data stored. Being reactive – waiting till after a breach has occurred -- is the wrong time to be formulating a response plan."
In a PwC Global study issued earlier this year, nearly half of U.S. companies lacked active plans to respond to cyber incidents, while 17% did not have any plan at all.
3. Lack of awareness. This factor is different from lack of preparation in that threats change, as Shaun Murphy, founder of SNDR and communication security expert points out. A cyber attack from last week will look different from the one looming next week. Worse, companies ignore internal threats. Murphy warns against the people and devices within an organization that are "just as bad — or worse" as threats that exist outside the organization. Businesses need to stay aware of these internal threats.
"Companies need to make sure that systems are secure in depth from things like ransomware, malware but also make sure that customer data is deeply encrypted and protected such that only the customer and the people they choose to share it with can access and decrypt that information," says Murphy.
Many executives have not adequately educated themselves on how cyber attacks occur and how to prevent them. (All this traces back to denial.) This lack of comprehension leads to a lack of awareness about steps to take and means of prevention.
4. Technology. There’s something to be said for the actual nuts and bolts of the infrastructure needed to prevent a cyber attack. Prevention plans are needed, but, as Murphy points out, passwords can be a weakness attributable to human fault. He says it’s important to "adopt two factor authentication" including "strong user and device asymmetric key cryptography for all authentication/authorization, and true end to end encryption and security."
The human error factor here cannot be ignored. Stanko emphasized its importance as "an ever present issue" and echoed Murphy’s point on internal threats, noting "employees who make errors and disgruntled employees who act out of malice [are] the most common source of a breach."
Murphy adds that "a password is only useful to protect a corporate system when it's running as intended - hackers, thieves and internal threat employees can easily bypass this."
5. Vigilance. Here is where company culture comes into play. As both Stanko and Murphy mentioned, the internal threat to a company is huge. Executives need to stay vigilant about maintaining systems, infrastructure, and plans to prevent cyber attacks, in addition to fostering a culture of awareness around the potential for data breaches.
Stanko said: "Hackers know it is likely you have likely failed to identify and plug all of the holes, so they return. Failure to patch is a huge problem." The lack of vigilance to uphold the systems in place can provide holes through which hackers enter. And it is critical that there is a culture of sensitivity to data security, she says.
"It’s equally critical that buy-in to a culture of cyber threat sensitivity originates at the C-level, driven by executives and management," she noted. "The company’s key decision makers must play a role in setting a culture of sensitivity to cyber threats."
In the PwC Global study cited above, 88% of U.S. CEOs surveyed ranked cyber threats as the greatest threat to growth in the coming year. They are right in their estimations of threats. Preparation and reactivity to that threat will continue to be crucial.