Cyber risk, cyber crime, cyber uncertainty.
By now, the tough realities of our digital age have become all too familiar to anyone paying attention to the news on any given day. The year 2016 ended with us reaching fully $1 billion in global ransomware payouts – a 4-fold increase over the level seen just 3 years earlier. Mid-2017 saw back-to-back global scale systems availability interruptions due to the "WannaCry" and "Petya" attacks, with some 300,000 computers being infected by the former in less than 24 hours in 150 countries. Meanwhile, October 2017 opened with the revelation that Yahoo! had experienced not merely the compromising of the 1 billion of its customers' accounts it admitted to in 2013, but in actuality fully 3 billion accounts – its entire customer base!
The world is indeed awash in foul waters, populated by a seemingly unending flow of bad actors. Gone are the days of "prankster hackers"; long gone are the days of amateur-hour attackers whose work brought mere annoyance and inconvenience. Likewise, the days of relatively modest levels of identity theft have been replaced by what is effectively an onrush of large-scale breaches, data compromises, extensive business interruption, and financial loss – the latter reaching a staggering $400 billion in 2015 alone.
Time and again, we discover that risk can be mitigated and damage avoided by following a very straightforward, long-established, well-understood best-practices approach to systems management and maintenance. Yet companies and organizations continue to fall victim to lax patching, updating, and upgrading practices. Access control and account termination policies are put into place only to be unevenly followed. IT departments, especially in the SME marketplace, are leanly-staffed and struggle to keep up with the amount of work necessary to maintain the desired degree of cyber-safety.
What to do?
First, know what the state of your current cyber reality is. Understand where you are exposed; know what needs to be remediated in order for you to establish effective counter-measures. Get the right tools in place to help your organization get and stay protected. Ensure that both your defensive IT systems and your human processes are operating in full support of your cyber well-being. Importantly: understand that every part of your business and systems environments need to have security "built in" – fully integrated from top to bottom within and well beyond application code and firewall configurations. Understand that everyone in your systems group is now, by definition, a security engineer.
And if you need help making these things happen, get it. Your business depends on it.