For many CEOs, cybersecurity attacks are the stuff of nightmares. According to a 2019 C-Suite study, their biggest concern, even more than a recession, is a cyberattack. Another report by the ISC highlights it as the biggest risk of doing business in North America.
These studies show just how critical cybersecurity has become for businesses in the United States. CEOs feel they can cope with new competitors, a recession, and even terrorism, but data breaches are harder to work through.
It is no wonder that companies are spending tens of millions of dollars to protect systems and data. The average business spends about 10% of its IT budget protecting data and preventing breaches.
In June 2022, the government committed $15.6 billion to cybersecurity. Most of this money was allocated to the Department of Defense and the rest to the Cybersecurity and Infrastructure Security Agency (CISA).
In addition to paying for advanced technologies and software, the private sector and the US government are looking for the best talent in this field. People with the right qualifications will make excellent careers in this sector.
An online masters in cybersecurity, for example, is a highly marketable qualification. Such as the course available from St Bonaventure University, which covers enterprise security, cybersecurity forensics, and data mining for cybersecurity. Students also learn machine learning and how it applies to cyber threats as well as risk management and system protection.
All material is offered online, which makes the course ideal for working professionals. You don’t need a background in cybersecurity to qualify for this program. You can do a foundation course for the basics and then enroll in the masters program.
To buffer up the foundation course, it is important to know about cybersecurity threats and how they can be prevented.
Three biggest data breaches of the last six months
When looking at cybersecurity threats, it makes sense to consider the most recent ones. The technologies behind these threats evolve. Looking at the latest threats gives you an insight into the latest techniques hackers use.
As you will see below, even the most stable businesses can be crippled by an attack.
Chick-fil-A (March 2023)
On the 6th of March, the fast-food company reported that a data breach had potentially exposed customer details.
Although only about 2% of customers were affected, there was enough concern for the company to issue a statement assuring customers that they shouldn’t worry; its IT people were doing everything they needed to do to prevent further breaches.
The CEO acted fast, communicating with everyone affected to let them know they should be on the lookout.
How did it happen? The company noticed unusual login activity on one account, and upon investigation, discovered an ongoing breach since December 2022. Hackers had accessed the website and the app using email addresses and passwords obtained from a third party.
They were able to download customer names and addresses, mobile payment details, and membership numbers. They also had QR codes and money saved on Chick-fil-A accounts. They also accessed credit and debit card numbers but could only see the last four digits. They could have used this information to make fake orders and redeem customer points for gifts and rewards.
ChatGPT (March 2023)
On the 20th of March, there was trouble in chatbot paradise. An outage exposed user payment details and personal information. However, the company was quick to point out that only 1.2% of its subscriber base was affected.
During the nine-hour window, some users could see others’ first and last names, emails, and payment details. They could also see payment addresses, the last four credit card numbers as well as the expiration date.
ChatGPT has taken the world by storm, and hackers have taken notice. Americans have been skeptical about ChatGPT and are cautious about AI in general, so this breach did not do the company any favors.
Granted, we have not heard reports about the hack slowing down subscriber numbers, but what we can infer from it is that the company needs to improve cybersecurity with particular attention to user information.
How did the breach happen? The company explained that they had found a bug in an open-source library that exposed details for users who were logged in at the same time.
T-Mobile (January 2023)
In early January, the company discovered that hackers had been in their systems since November and had harvested user information. They got the first and last names, email addresses, and birthdays of more than 37 million T-Mobile customers.
The malicious hackers gained access through an API. Fortunately, they didn’t get access to credit card information, social security numbers, or financial information.
The company announced that it took action as soon as it noticed the breach, launching an investigation to trace the source and find how many records were compromised.
T-Mobile has a history of cybersecurity breaches. In July 2022, the company paid out $350m to customers affected by a 2021 intrusion. After the settlement, the company promised to spend at least $150m to improve systems and secure customer data. T-Mobile was also breached in 2018 and 2019.
How often does the US government experience cyberattacks?
They are just as frequent as in the private sector and can sometimes bring vital government functions to a standstill.
So far this year, Alabama, Kansas, Utah, and California are just a few states that have had to deal with cybersecurity threats. These range from ransomware to crypto thefts.
Not very long ago, the government of Alaska was hit by a malware attack that affected the basic functions of government. It was apparent that an employee had opened an email attachment or link, and it released malicious code into the system.
In a short time, it infected more than 600 computers, government servers, and other devices. It affected phone systems as well as computers used to access tax, property, and finance files.
Staffers had to do math using calculators and issue handwritten receipts to those who needed government services. Some historical information was lost, but IT staffers worked long and hard to rectify the systems within a few days.
This is just one example of how serious cybersecurity attacks can be. They can paralyze some of the basic systems we take for granted.
The other thing to note about these attacks is how long it took for anyone to notice that their systems had been hacked. When you think about how much data hackers can gather in two or three months, you see how extensive and damaging cyberattacks can be.
What makes companies vulnerable?
Before we look at what the three companies we have discussed could have done differently, it is worthwhile to consider what made them vulnerable in the first place.
Some businesses seem vulnerable to cyber threats; they get attacked repeatedly, almost like hackers are lurking in the shadows, looking for the smallest opportunity to gain entrance.
Experts agree that there are three things that these businesses share:
- They have existing vulnerabilities. Hackers are smart. Once they find a way to infiltrate a system, they leave it open for future attacks. When they want to come back a second or third time, all they have to do is find the “door” left open. They are particularly giddy when they discover companies that don’t actively seek out and repair vulnerabilities.
- Human error is the second most common factor that these businesses share. In many cases, attacks happen because employees use weak passwords that can be cracked easily.Sometimes people forget to log out of systems, leaving them wide open for anyone with basic hacking skills to walk through. Public Wi-Fi systems also expose employees to malicious entities. Phishing attacks are mostly attributed to clicking on attachments or links from unknown senders.
- Malware is another running theme in companies that suffer frequent cyber attacks. It can be a virus, ransomware, spyware, adware, trojan, and other malicious code that is cleverly inserted into company devices.
- Inside actors are also a factor, although they are rare. A disgruntled can plant malicious code to get back at their employer.
What can businesses do to prevent future attacks?
Below are the things CEOs should be doing to secure their systems and minimize exposure.
Limit access to sensitive information
One of the things you will learn in the online cyber masters program is that data should not be compartmentalized, but it also should not be open to all either. It doesn’t make sense for the mailroom employee or the receptionist to have access to customer details.
Limiting access allows you to trace breaches as soon as they happen. You know who has permission for different areas, so if there is a breach, you have a narrow pool of suspects.
It helps track down and correct problems before they become a crisis.
Know your third-party vendors
The guy who delivers printer paper to your office just got out of prison on a fraud or robbery charge. Or the guy who services your printers has a record. Do you want to let these people anywhere near your data?
Not only do you leave yourself open to data breaches, but you also open yourself up to lawsuits. If an attack occurs and customers realize that their details ended up in the wrong hands because you didn’t carry out due diligence on third-party vendors, you may be forced to pay millions.
Do not work with third-party vendors you cannot vouch for, especially if they are allowed access to important data. Hold your vendors accountable. Make sure they provide proof that they are complying with privacy requirements.
Train your employees on system security
It is not uncommon for a CEO to hire an IT manager or director and then sit back and assume that all will be well. The IT department cannot nail down security if others within the organization don’t cooperate.
Every employee needs to understand data breaches, how they happen, and what they can cost the company. Smart CEOs organize company-wide training sessions and refreshers to make sure that every employee is up to date.
Training can be conducted by an outside entity in conjunction with the IT department. They are likely to be objective, and will point out problems wherever they find them.
Do regular software updates
Software updates include security patches. If you regularly update business software, you have the latest patches, and although this may not stop hackers, it will slow them down.
Whenever possible, use SaaS software. It is cloud-based, and the creator is responsible for security and maintenance. These systems are harder to hack because they have fewer vulnerabilities.
Remind your employees to keep their devices updated. Whenever they receive a notification about a software update for their laptop, phone, or tablet they should install it right away.
Encourage everyone to have passwords that are difficult to crack
Almost 10 or 20 years ago, CEOs did not care about employee passwords. They were considered a private affair. The attitude has changed, and today’s managers ensure that employees use passwords that are difficult to decipher.
Some companies insist on employees using automatically generated passwords. Others use double authentication.
Whatever you choose, the important thing is to make sure that a breach is not easy.
Have a response plan in place
Looking at hacking statistics, you can’t help but feel that it is only a matter of time before you become a victim. You may not be breached yet, but in a few months or maybe years, you will have to deal with a malicious entity in your system. How will you go about it?
It is one area that companies don’t pay attention to. The general assumption is that if there is an attack, the IT team will deal with it.
That is not an adequate response. You should have a comprehensive plan that outlines exactly what happens and who is responsible for what.
Do you, for example, shut down all systems? If yes, who should do it? How will the attack be communicated to the rest of the employees? How will normal operations continue when systems are down?
Most importantly, how will you inform your customers there has been a breach, and what will you offer as mitigation? If there are financial settlements, how will they be handled?
A cyberattack response plan is a comprehensive document that should be developed with the cooperation of all stakeholders. It must be communicated to the rest of the company so that each person knows what to do when the time comes.
Reassure all customers
It is the hardest part for CEOs. Letting customers know that they have been breached may feel like a betrayal to them. They trusted you with their data, but you were not careful enough, and now it is in the wrong hands.
Unfortunately, it has to be done, and the sooner the better. Reach out to each affected customer and let them know what details are out there. Advise them to look for suspicious activity in their bank accounts and online transactions.
You should also talk to those who are not directly affected and reassure them that you have stopped the breach and they need not worry about their data.
Reassuring customers could make a difference to your bottom line. Consumer surveys across America have shown that more than 50% of respondents cut back on online purchases if they feel their data could end up in the wrong hands.
Businesses may need a good PR campaign to help them recover. However, they should not let the spin masters be the face of the company. Smart CEOs engage with the public. It becomes easier to buy back trust.
What can we learn from past cyber attacks?
The most important lesson you can learn from past attacks is that every business, big or small, is vulnerable. They can have the best systems and all security measures in place, but hackers may still get through.
It is the job of the malicious actor to stay ahead of the curve, and they continually develop new technologies that can get around firewalls and passwords.
It is not to say that businesses should give up. On the contrary, companies must invest in cybersecurity if they hope to survive.
They must be alert at all times, conducting frequent audits of their systems to sniff out vulnerabilities.
As mentioned before, complacency is common in companies that are frequent victims of attacks. Smart CEOs do routine internal checks every month but also invite consultants to give systems a thorough audit once or twice a year.
Cyberattacks are the biggest threat that American businesses face today. They come in many forms, and have the potential to shut down otherwise healthy companies.
Senior management should invest in the latest technologies and have a response plan. That way, if they should become victims, they don’t waste valuable time.