Posted on Mar 3, 2020
A recent study sponsored by IBM Security places the average cost of a data breach in 2019 at $3.92 million. Another study shows the average cost of a run-of-the-mill cybersecurity attack now exceeds $1 million.
With companies, government agencies, hospitals and educational institutions under attack, cybersecurity is more important than ever and cybersecurity risk scores are an increasingly important part of a comprehensive security plan.
A cybersecurity risk score is similar to a credit score, giving a snapshot of the overall cybersecurity risk an organization faces. Not only is it often a required element for meeting various compliance requirements for government contracts, but it can also play a role in acquiring investments and financing, as well as operational insurance.
Whatever your company's current score is, there’s always room to improve it. Here are five of the top ways to do so.
One of the most important steps an organization can take is making VPN usage mandatory for all employees. This is especially critical in an economy where 41 percent of global companies offer remote work options.
Unfortunately, when companies offer remote work options, they don't always have control over where their employees work from. It could be from their home, behind a secure router, or it could be from the nearest coffee shop’s open network. Either way, ensuring all employees use a VPN will keep remote connections secure.
All too often, companies are compromised due to an obsolete service that is still running, with privileges and access that open vulnerabilities. Any time a service, platform, application or server is rendered obsolete, it should be retired and isolated from critical access to the company’s network.
One of the most common ways companies are compromised is by running outdated software that does not have the latest security features implemented.
A recent example is the WannaCry malware that swept the globe in 2017, infecting over 300,000 computers and causing up to $4 billion in losses. Ultimately, the entire incident was avoidable, as Microsoft had already released a fix that patched the vulnerability WannaCry exploited.
In spite of the dangers, however, research shows 41 percent of consumers still use operating systems (OSs) that are unsupported or nearing end of life. The situation is similar for very small businesses, with 40 percent relying on those systems. Small, mid-size and enterprise businesses are the worst transgressors, with 48 percent relying on unsupported or soon-to-be-unsupported OSs.
Running current, patched versions of software and OSs helps close one of the biggest attack vectors and goes a long way toward increasing a cybersecurity score.
Another significant factor hurting many companies is a failure to perform regular audits of their security processes and permissions. Unfortunately, this can result in significant data breaches.
Microsoft recently admitted to a database configuration error that left some 250 million service records exposed. In their blog post admitting the error, they made the following statement:
“Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.”
The last part of that is particularly important, namely that it is a good idea to periodically review configurations to make sure the proper protections are in place. This is where regular audits can improve a company’s cybersecurity and, by extension, its risk score.
The fifth way a company can improve its score is by adopting a zero trust policy. Prior to the rise of cloud computing, great emphasis was placed on perimeter security. Keep the bad guys out and everything would be OK.
Cloud computing requires an entirely different approach to security, however, as interconnected networks pose a far greater attraction, and a far greater reward, than traditional systems. If a hacker gains access to a company’s cloud, they can easily have their run of the entire network of applications, databases and services.
Google recently released a white paper detailing the unique challenges of implementing security in cloud-based systems. According to the white paper, Google’s new method, BeyondProd, “assumes no trust between services, provides isolation between workloads, verifies that only centrally built applications are deployed, automates vulnerability management, and enforces strong access controls to critical data. The BeyondProd architecture led Google to innovate several new systems in order to meet these requirements.”
Companies that rely on cloud-based systems would do well to implement a similar approach to their own security.
There’s never been a more important time to invest in your company's cybersecurity. Threats are on the rise, and fundamental changes in the technology companies rely on create additional vulnerabilities.
At the same time, having a strong cybersecurity risk score is paramount to a company's ability to win contracts, secure financing and get the best rates on insurance. Following these five steps will go a long way toward increasing your organization’s cybersecurity and raising its risk score.