Every company—from the largest tech giants to small businesses you’ve never heard of—faces the possibility of a cyber threat. Every minute of every day, cybercriminals turn to the internet to attack companies around the globe. How bad is it? Estimates from Cybersecurity Ventures predict that the damages related to cybercrime will hit $6 trillion—and will thus cost more than all natural disasters in a year. Ransomware attacks strike every 14 seconds and financial services institutions remain a top target for malefactors, according to Cybersecurity Ventures.
The toll that such a breach takes on your organization hinges upon how well you have prepared during peacetime. That means now. Alarmingly, leaders at many companies—from management to the cybersecurity team—cannot answer crucial questions about who targets them, what vulnerabilities employees leave open in their networks and what data, if any, has already been compromised.
Worryingly, cyber threats continue to grow exponentially with no end in sight. The World Economic Forum’s 2019 Global Risks Report ranks “massive data fraud and theft” and “cyberattacks” as, respectively, the fourth and fifth most likely global risks to occur over a 10-year horizon, solidifying their position alongside environmental risks in the high-impact, high-likelihood quadrant.
In response, companies have invested millions into enhanced security measures—yet these same institutions still feel powerless on the virtual battlefield. The current standard approach has not kept up with ever-evolving threats from bad actors. Cybersecurity challenges continue to plague boardrooms worldwide.
So where do we go from here?
Cyber vigor explained
Currently, companies sit connected to the internet as unknowing defenders. Let’s banish this reactive outlook to the past. In this dangerous environment we now inhabit, we must stay ahead of digital wrongdoing by embracing a novel approach to risk management—an approach I call “cyber vigor.” Gone are the days of responding only after a crisis. Now it’s time to become a proactive defender, unmasking the identity of bad actors and knowing what’s happening to your data through identity threat intelligence.
Audit committees of boards will need to push past the usual security questions of yesterday. To produce a stronger defense and think strategically, CIOs, CFOs and CISOs must prepare to answer more penetrating questions, such as:
- Who is attacking us? This requires identifying your organization’s digital crown jewels, as well as who would take an interest in them. Identity attributes raise the effectiveness of tools to protect yourself.
- What has been hacked? Cybercriminals can not only breach and transmit data from your systems, but also access this information from suppliers and vendors. Understanding the data that was taken, the speed at which it will spread and the potential damage it could cause in the wrong hands will raise the effectiveness of protective strategies.
- How vulnerable is your employee attack surface? While most companies wouldn’t dream of hiring an employee without a standard criminal background check or even a credit check, too few organizations consider the risks created by their own employees’ poor digital hygiene or exposure in past data breaches.
Using identity intelligence, companies can ensure that credentials stolen from past consumer breaches aren’t used to access corporate systems. After a consumer data breach occurs, cybercriminals can seize the personal passwords of victimized employees and reuse them in professional settings—and thereby unlock valuable corporate data and company trade secrets. Understanding what employee data has been compromised enables a proactive defense and can minimize future exploitation.
Parting thoughts: Making vigor bigger
Cybercriminals will always evolve and employ more sophisticated attack methods. In response, we must understand who the bad actors are and what data or resources they’ve seized. With a cyber vigor approach, organizations can assume a proactive stance and strengthen their defensive efforts. Without it they will remain in reactive mode, continuously under threat by the unknown. Nor will they take any comfort in the known threat that usually follows—for as Target, Marriott, Equifax and other victimized companies can attest, massive data exposure often leads to poor media exposure.
George de Urioste is the chief financial officer of 4iQ, a cyber intelligence and identity theft organization based in Los Altos, California.