The philosopher George Santayana is credited with observing that those who cannot remember the past are doomed to repeat it. Certain statistics show how that doom weighs on corporate America’s attempts to defend against cyberattacks. For example, notwithstanding years of warnings and recommendations about using strong passwords, a Verizon report revealed that almost two-thirds of successful data breaches in 2016 stemmed from weak, default, or stolen passwords. The report also noted that employees opened at least 30% of the embedded links in emails from unknown sources, leading to ruinous phishing attacks on their employers’ networks. Hackers may have the technical expertise to create and launch sophisticated cyberattacks, but in most cases it is easier and more lucrative for a hacker to take advantage of human error.
A company’s initial reaction to a cyberattack will likely include a full-force defensive initiative that locks down security flaws and forces employees to comply with new and enhanced security procedures. Once everything returns to normal, the victimized company may pay little heed to continuing enhancements of those procedures and educating employees on cybersecurity risks. That complacency leads to a heightened risk of another cyberattack. The remedy for this situation includes regular recognition of a few realities:
- Employee mistakes are the catalyst for 95% of all cybersecurity incidents.
Companies need to impress upon their employees that cybersecurity maintenance is an ongoing employee obligation. A bit of employee paranoia regarding cybersecurity can go a long way toward keeping a company safe. Regular training and education can maintain the right level of caution.
- Two-factor authentication is better than one.
Individuals often express frustration at having to enter multiple levels of authentication credentials to log in to a company’s networks, but two-factor authentication is an easy and strong defense against cybersecurity threats. The inconvenience of entering a password followed by a second token or biometric identifier is small compared with the downtime and frustration that follow a successful cyberattack. Much like going through metal detectors and other security checkpoints at airports and large public events, two-factor authentication may be bothersome, but it helps keep a corporate network safe.
- Employee response teams can get a business back up and running.
A company that is not prepared to respond to a cyberattack will often respond with employees who duplicate some efforts while overlooking other necessary steps. The best practice is for companies to prepare for a cyberattack in the same manner as they do for fires and other disasters. Designated employees will have leadership authority to assign and monitor tasks, including locking down servers and initiating contact with key customers and vendors. A company that has been targeted by hackers at multiple locations will quickly lose credibility if it fails to demonstrate its preparedness for the attack.
- Cyber breach insurance will ease the transition back to normalcy.
A company that has not secured good cyber breach insurance protection will face the prospect of eating into its own assets, resources, and profits to reimburse customers for their personal data losses and to rebuild after a successful cyberattack. Rather than face this prospect a second time, that company can extend its existing insurance or purchase new insurance policies to cover subsequent data breach incidents. No amount of internal technology or employee education can protect a company from every new form of cyberattack that a hacker might launch against the company.
When a successful attack does occur, cyber breach insurance can provide a source of reimbursement for direct and third-party losses. Cyber insurers can also work with a company to apply the lessons of a cyberattack and to prevent cyberattack history from repeating itself.