Cybersecurity is arguably the biggest challenge facing IT departments today. Threats are constantly evolving, tasking businesses with keeping up with the latest strategies to protect not only their organizational data but also that of their customers. One in four enterprises is increasing its IT spending because of a recent security incident, according to Spiceworks’ “The 2020 State of IT” report.
The burden of data protection has shifted from the consumer to the company. Legislation such as Europe’s General Data Protection Regulation and the California Consumer Privacy Act has placed responsibility squarely on businesses, making cybersecurity not only a financial liability but a legal one.
As organizations move through 2020, security must expand beyond firewalls to meet the changing needs of the modern enterprise. Scrutinizing vendors, securing devices and properly training staff are all key components to cybersecurity that organizations can’t afford to overlook.
Vetting Third-Party Vendors Is Key for Security
Enterprises invest heavily into protecting their data and networks from the outside world. Unfortunately, their third-party vendors might not be as secure. Targeting these kinds of businesses is particularly attractive to hackers for a couple of reasons. One reason is that bad actors can access a big company through a smaller, less secure one. Another reason is that hackers can potentially access multiple enterprises through one common vendor, seizing control of more data with less work.
These kinds of breaches are also more expensive for enterprises. The “2019 Cost of a Data Breach Report,” conducted by the Ponemon Institute and sponsored by IBM Security, found that on average, third-party vendor hacks cost companies $370,000 more than typical network breaches. This means third-party risk management is not a cybersecurity add-on; it’s a necessity.
The first step toward effective third-party risk management is to take inventory of your vendors, according to a white paper from RSA. Once IT departments have taken a close look at vendor contracts and processes, they can then pinpoint where in the network there’s engagement. This information can be used to track performance and ultimately put standards in place to mitigate risks.
IoT Means More Devices Need to Be Protected
Enterprises have more to protect than ever before. While the Internet of Things has helped organizations gather more data and stay connected, it has also increased the number of vulnerable points in company networks. Each connected device presents another opportunity for a hacker to get in, whether it’s a sensor in a warehouse or a company tablet.
This threat only increases as organizations grow their mobility and allow employees to use their own devices. The rise of BYOD has created increased endpoint security issues, especially as personal applications and email addresses become increasingly interconnected.
For these devices, limiting access to the network with identity and access management can be a strong defense. If access is limited to only certain parts of the organization’s infrastructure, then those parts will still be protected even if a hacker has gained control of the device.
Phishing and Social Engineering Can Penetrate the Workforce
While virtual defenses are important, businesses can’t overlook a critical aspect of their security strategy: employees. Nearly all cyberattacks (98 percent) rely on some form of social engineering, according to PurpleSec. Exploiting workers’ emotional responses can undo the digital barriers an organization puts in place, as hackers can move freely through networks once armed with an employee’s password.
This vulnerability can be addressed with a two-pronged approach. First, enterprises can use multifactor authentication tools to ensure that the person using an employee’s login information is indeed that worker. If a password is stolen, access is still protected until a second form of authentication is completed, ensuring the user’s identity.
Second, employees must know how to spot this type of phishing before falling victim to it. Workers need to be trained to recognize when an email or inquiry is fraudulent, be vigilant about giving away personal information and have a system in place to inform IT so attempts can be investigated. Employee diligence can go a long way toward keeping an organization secure.
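The first prong above, multifactor authentication, is easiest to understand by watching a login decision fail when only the password is known. The following is an added illustration written for this page; it is not code from BizTech, Spiceworks, PurpleSec or any vendor named here. It assumes a hypothetical employee account whose password hash and one-time-password seed are constructed inline (the seed is the published RFC 6238 test-vector secret), and it implements the time-based one-time password algorithm from RFC 6238 on top of the standard library. The names `login`, `verify_password`, `verify_totp` and `totp` are the example's own.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo credentials for one hypothetical employee account.
# A real deployment would read the password hash and TOTP seed from the
# identity store, never keep them in source.
_SALT = b"constructed-demo-salt"
_PASSWORD_HASH = hashlib.pbkdf2_hmac(
    "sha256", b"correct horse battery staple", _SALT, 100_000
)
_TOTP_SECRET = b"12345678901234567890"  # RFC 6238 test-vector seed (20 bytes)
_STEP_SECONDS = 30


def verify_password(candidate: str) -> bool:
    """Constant-time comparison of a PBKDF2 hash of the supplied password."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), _SALT, 100_000)
    return hmac.compare_digest(digest, _PASSWORD_HASH)


def totp(secret: bytes, unix_time: int, step: int = _STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the current time step."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(candidate: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(_TOTP_SECRET, unix_time + drift * _STEP_SECONDS)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def login(password: str, otp_code: Optional[str], unix_time: Optional[int] = None) -> str:
    """Return 'granted', 'needs_second_factor' or 'denied'.

    A stolen password alone never reaches 'granted': without a valid code for
    the current time step the session stays at the second-factor prompt, which
    is the property the article describes.
    """
    if unix_time is None:
        unix_time = int(time.time())
    if not verify_password(password):
        return "denied"
    if otp_code is None or not verify_totp(otp_code, unix_time):
        return "needs_second_factor"
    return "granted"


if __name__ == "__main__":
    # Fixed timestamp so the run is reproducible; 59 is an RFC 6238 test time.
    now = 59
    print("password only      ->", login("correct horse battery staple", None, now))
    print("wrong password     ->", login("wrong", totp(_TOTP_SECRET, now), now))
    print("password + code    ->", login("correct horse battery staple", totp(_TOTP_SECRET, now), now))
```

Run it as a script to see the three outcomes. The second factor is a code derived from a secret the attacker does not hold and the current 30-second step, so a captured password is worthless on its own, and the one-step drift window is the usual trade-off between usability and the interval during which a phished code remains replayable.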