For some, the word ‘cyber’ might conjure a sense of extreme geekiness and memories of cheesy movies involving unrealistic representations of computer crime, computer intelligence gathering, or secret societies using computers to conduct shady business. It is a term that has been used in Hollywood for roughly three decades, but is still often misunderstood. It is also a term that has seen a resurgence in news with articles about Russia’s alleged meddling in the 2016 U.S. elections and in modern culture with an online-only version of Black Friday dubbed ‘Cyber Monday’.
With the prevalence of computers and other electronic gadgets in our daily lives, it is a term that can now be easily explained. Merrium-Webster defines cyber as “of, relating to, or involving computers, or computer networks”. It is that simple. Cyber is a loose term used to describe technology, networks, information, and capabilities involving computers. Today, that includes smart phones, tablets, smart wearable devices (such as the Apple Watch), desktop and laptop computers, television set-top boxes, and smart home appliances known as IoT devices (Internet of Things).
Cybersecurity
Understanding cyber is the first step in understanding cybersecurity. It should be relatively self-explanatory now that it is simply security relating to cyber. Going back to Merriam-Webster, we can define cybersecurity as “measures taken to protect a computer or computer system against unauthorized access or attack”. But even Merriam-Webster’s definition might seem to exclude all the devices that are not necessarily considered computers. The Information Systems Audit and Control Association (ISACA), an independent, global organization that exists to establish standards in technology, more loosely defines cybersecurity as the “sum of efforts invested in addressing” threats and risk related to cyber.
Definitions, are wonderful, but what does cybersecurity mean in practical terms? What measures am I referring to? For detailed information on one specific standard, you could read the National Institute of Standards and Technology’s (NIST) Special Publication 800-53 and the rest of the related SP 800 series of documents which specify measures one could take to protect information. Alternatively, I will describe some basic things that every organization can, and according to most all industry standards, should implement to embrace cybersecurity.
- Establish a computer security policy that specifies what is and is not allowed on your network.
- Establish an acceptable use policy that outlines how your employees are expected to use your computer assets and what they are and are not allowed to do with them
- Establish and conduct reoccurring training for your employees about how to safely use computers, telephones, email, applications, and the Internet.
- Establish a data classification standard that defines what information your organization keeps that is most sensitive to your business. This might be information that you are legally required to protect, such as healthcare-related information and payment card industry information, or simply information that might damage your reputation if it were to be compromised, such as your customers’ names and telephone numbers.
- Plan for disasters. Having a disaster recovery plan can ensure your organization is prepared for both cyber threats as well as natural and environmental threats such as hurricanes and will help get you back on your feet as quickly and painlessly as possible.
- Implement technologies that are designed to protect computers and networks such as firewalls and anti-virus software. Organizations with that can afford the expense or already have the ability to manage them should implement intrusion detection systems, web proxies, vulnerability scanners, and encrypt all potentially sensitive information.
- Keep your systems up-to-date. Software updates generally exist because a flaw was found in that software that presents a vulnerability, something that a malicious person might exploit to compromise the software and gain access to resources that they should not have. Software and operating systems should not be left unpatched. Additionally, anti-virus definitions should be updated whenever there is an update available. These updates allow the software to identify the latest malware.
- Audit yourself or have an external entity audit you regularly. For most organizations, an annual review of your policies and standards, your employees’ practices, and a how your systems are being maintained can go a long way to ensure your organization is keeping itself reasonably safe from cyber threats.
Why Should I care?
It is true, the cybersecurity industry is largely target towards large corporations and government entities. That is where the greatest amounts of sensitive data resides as well as where the money is at. As of November 2016, Indeed reported that the average cybersecurity professional holds an annual salary of $61,000 per year, 6% higher than any other industry while Forbes reported that highest paid individuals are making a median salary upwards of $204,000 per year. That is a hard pill for a small or even medium-sized company to swallow. Media attention on cyber crime heavily focus on governments and big businesses, such as Sony, Target, and Home Depot. Because of this, it can be easy to feel like cybersecurity is for big business and government. In reality, everybody should be concerned with cybersecurity.
Fox business reported on a Symantec survey that showed in 2015, 43% of all cyber attacks that year targeted small businesses, businesses with fewer than 250 employees. Additionally, the Department of Justice reported an increase in cyber incidents of more that 1,500% between the years 2000 and 2014. Even the House Small Business Committee has warned that malicious groups and individuals are increasingly targeting small businesses though malware, social engineering, and direct attacks and that small businesses in the united states must take this threat seriously. The truth is, bad actors are not just targeting big business. They very often target small businesses because they are easy targets who are not often prepared to deal with cyber attacks.
