The cyber threat landscape is highly complex and always evolving, and cybercriminals are becoming only more creative and sophisticated with their tactics. As explained in our 2018 Security Threat Report, companies today face a monumental challenge in trying to keep pace with these dynamics, safeguard their critical systems and data, and protect their employees, customers and partners.
Among the many businesses struggling to navigate this landscape are consumer products and services companies. They are key targets for adversaries because of the sensitive customer information they handle and the intellectual property (IP) they generate. Recent headline-grabbing cybersecurity incidents involving businesses in this sector include:
- A security breach that compromised data on millions of payment cards used at stores owned by a major retail business group in North America
- A malicious hack of a leading travel company’s legacy website that may have left the personal data of nearly 900,000 customers unsecured
- A phishing scam involving nation-state actors that targeted faculty members at 144 higher education institutions and resulted in the theft of IP valued at US$3.4 billion
Incidents like those described above have everyone – from chief information officers and other executive-level management to boards of directors – more focused than ever on identifying and addressing cybersecurity risks. Yet consumer products and services companies are still making slow progress in their efforts to improve their security posture, primarily because of the following reasons:
- They are exposing themselves to known threats for which there are known solutions.
Protiviti’s 2018 Security Threat Report notes that most vulnerabilities can be remediated and/or are the result of systems and applications not being patched. However, companies often put off patching because they don’t want downtime to undermine productivity and profitability.
Adversaries are wise to this bad practice, however. For example, the WannaCry ransomware, which affected tens of thousands of systems in more than a dozen countries when it first emerged in 2017, took advantage of the fact that companies often take weeks or longer to implement known security updates.
- They believe that major cyber incidents “won’t happen to us.”
Even when companies in their own industry suffer a major cyber attack, the leaders of many organizations continue to believe that their own business somehow does not face exposure to the same risk or won’t be targeted. That attitude — call it naïveté, overconfidence or blind hope — is inexplicable but common.
- They operate in a “reactive mode” — ramping up efforts to improve cybersecurity and address basic vulnerabilities and other security gaps only after an attack occurs.
Not every attack can be prevented, of course. But if organizations are stuck in a “firefighting” mode, only acting when faced with a crisis, they’ll never have the resources to manage known threats effectively — let alone be prepared to respond and recover swiftly when hit with something entirely new.
- They treat cybersecurity like a project.
While it’s essential for organizations to shore up their defenses in response to specific threats, they must also recognize that winning one battle does not necessarily win the war. Cybersecurity is not a project. It is a never-ending campaign to stay in step with adversaries and, wherever possible, anticipate their next move — all while protecting the business’s so-called “crown jewels.”
If companies want to make progress toward improving cybersecurity, they must be proactive (and realistic) about the need to fortify their defenses, let go of the project mindset, and renew their focus on the basics — in American football terms, the “blocking and tackling” issues related to cybersecurity. That includes:
- Prioritizing high-risk patches: The lag between the time a critical patch is issued and the time the organization’s IT team tests changes and schedules and executes the update must be reduced to the greatest extent possible.
- Using multifactor authentication: Maintaining strong permission and user-access controls, like multifactor authentication, helps to significantly reduce the attack surface for malicious actors.
- Implementing security segmentation: Segmentation is vital to protecting critical data if access controls are compromised. (Note: Regulators now expect firms to practice data segmentation.)
- Refreshing incident response and recovery plans continuously: A key reason most post-breach business continuity plans fall short of expectations is because they’re outdated. So, don’t just set it and forget it.
- They fail to train the workforce.
Organizations should redouble their efforts to build employee awareness about threats, such as phishing, and the danger of poor practices, like using weak passwords, through cybersecurity education and training. Protiviti offers an IT Security Awareness Training Library for businesses to equip their employees with information to help them keep data and devices secure.
Critical Steps Toward Building a Successful Digital Future
Consumer products and services companies, whether they are traditional or “born digital” businesses, need to create and maintain a solid cybersecurity foundation to support their digital future. Mastering the basics of cybersecurity by taking the steps outlined above, as well as others relevant to their business, is vital to shoring up defenses and building cyber resiliency.
But businesses also need to keep one eye to the future and look for opportunities to build in security processes and best practices that can help them prepare for trends and regulations that may not affect them directly today, but likely will in the future. The European Union’s General Data Protection Regulation (GDPR) is one example. And it is particularly important for consumer products and services companies to focus on strengthening data privacy and security as they seek to use more and more data to enhance the customer experience and deepen customer loyalty.
With these challenges in mind, we intend to follow up this discussion with future blog posts relevant to the industry, including taking a look at how GDPR is impacting U.S. colleges and universities — many of which were caught off-guard by the new requirements. Subscribe to stay abreast of these future discussions.