In every industry and every part of business today, the internet and technology are staples of daily life, with countless megabytes of sensitive data moving around the world each second. Cyber criminals, knowing the potential value of this information, will go to great lengths to acquire it. Once in possession, they can leverage data for a ransom payment on the threat of releasing it publicly or selling it to competitor businesses.1
Read on to explore the importance of cyber security in business: the impact that cyber attacks can have, various forms of cyber attack and multiple means used to prevent and protect against them.
The importance of cyber security in business
At some point, almost every company in the world must process sensitive personal details belonging to customers, clients or business partners. A dedicated cyber security department, therefore, is critical in ensuring that all data being stored or transferred between a business and its partners is safe from theft.
Businesses suffer high monetary and reputational costs in the wake of ransomware attacks, in addition to the time and labor spent recovering data and employing damage control. Each company spends an average of 50 days recovering from each attack, at a cost of around $300 per employee per day.2 The FBI's most recent Internet Crime Report lists 2,474 formal ransomware incidents in 2020, with losses estimated at $29.1 million.3 A further report from Cybersecurity Ventures estimates that the global cost of ransomware will exceed $265 billion by 2031.4
Forms of cyber attack
Cyber criminals infiltrate an organization's IT systems in several ways, from brute-force hacking to email phishing. With a wealth of hacking tools freely available online, it's increasingly important to have a strong cyber security team protecting your business from intruders.5
Phishing emails often include links that take the recipient to a fake company website or secretly install malware to gather data in the background. Possibly the most famous of these attacks was orchestrated by a criminal hacking group who, in 2014, caused $100 million in damage to the film studio Sony Pictures. By sending phishing emails appearing to originate from the tech firm Apple, the hackers were able to trick Sony employees into entering their login credentials to a fake website.6 This allowed the hackers to steal highly sensitive data from Sony servers and install malware that caused millions of dollars in damage. The hack was sponsored by North Korea in retaliation for the film “The Interview,” which pokes fun at North Korean leader Kim Jong-un. Businesses now spend a fortune training staff to be aware of phishing emails and notice the subtle clues that give them away.7
In 2020, hackers broke into the systems of Texas-based information technology firm SolarWind and added malicious code into the company's software system. Like most software providers, SolarWinds regularly sends out updates to their systems, whether by fixing a bug or adding new features. Beginning as early as March of 2020, the company unwittingly sent software updates that included the hacked code to its roughly 33,000 customers. The code created a back door to customers’ information technology systems, which hackers then used to install even more malware that helped them spy on companies and organizations. This made famous a type of cyber attack called a zero-day exploit, which takes advantage of a vulnerability found within popular software and targets companies that use that software. To date, the SolarWinds breach is the largest and most critical attack of this kind.8
In addition to theft of laptops, phone and accompanying hardware, other forms of cyber crime include:9
Denial-of-Service (DoS) attacks
In these attacks, legitimate users are unable to gain access to information systems, devices or other network resources to which they should have access. Services affected may include email, websites, online accounts such as bank or credit card accounts, or other services that rely on the affected computer or network. Cyber criminals create DoS attacks by flooding the targeted host or network with traffic until the target cannot respond or simply crashes, preventing access for legitimate users.10
Web browser exploits
A browser is a computer user’s gateway to the internet. Everyone going online uses a browser such as Chrome, Firefox, Safari and so on to access the web. Through the browser, we can see web pages, video, images and other content. By design, a browser constantly interacts with websites and applications that might be infected. Browser exploits are pieces of code that allow attackers to abuse flaws and vulnerabilities in browsers and their extensions or websites, applications and third-party plugins. When a browser containing a flaw connects with a website that is infected in one of these ways, it allows the attacker to take control of the browser.11
Man-in-the-Middle (MITM) attacks
This is a form of active wiretapping in which an attacker positions him- or herself in between the user and the system in order to intercept and change data traveling between them.12
Identity theft
According to the US Department of Justice, “Identity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain.”13 With enough stolen information, a criminal can make fraudulent withdrawals from bank accounts, complete false applications for loans and credit cards, and gain illegal access to other supposedly protected goods or privileges.
Cyber security protection methods
The Federal Trade Commission provides the following tips for keeping data secure:14
- Keep stock and know what data you hold
- Only hold necessary data
- Protect all data you have on file
- Properly dispose of data that are no longer needed
- Have a plan in place to respond to security incidents
The methods used by cyber security professionals to protect business assets have become increasingly complex. Nowadays, every bit of data entering or leaving an organization is protected by strong encryption. Even if information is stolen, it can't be read without the matching encryption key.15
For remote workers and external clients, businesses set up a virtual private network (VPN). This provides a direct, secure line to the business with all data encrypted during transfer. Furthermore, all network traffic moving in and out of the business is closely monitored, including internal communications between staff. Some businesses can’t even allow personal mobile devices onsite as they pose a potential risk of data leak.16
Cyber security teams employ a wide range of tools and procedures to prevent cyber attacks. In addition to strong password policies, they include:
Staff training
It's vital to train staff regularly in new developments in cyber crime, ensuring that all employees are aware of the threat and know how to protect themselves. Most cyber attacks target low-level staff members who unwittingly provide hackers with access to sensitive information.17
Blue team/red team training
In these exercises, the Red Team will attempt to break into an organization's network using hacking tools, while the Blue Team will work to defend it. The exercises mimic a realistic attack scenario, ensuring that any weaknesses—in staff preparedness and the physical security configuration—are revealed.18
Patch management
Software companies work around the clock to repair bits of code in which hackers have managed to find loopholes. As soon as such an item, called an exploit, is discovered, the companies race to get their software updated (patched) before hackers breach security. Cyber security teams must ensure that all software and systems are patched as soon as an update is released. While this work is largely automated, it must be monitored to ensure the success of each installation.19
The importance of cyber security in your career advancement
As cyber crime becomes an ever-larger threat, the need for cyber security experts continues to grow. Hone your skill and knowledge at Marquette University, in the nation’s #6 online master’s program in information technology.20 Study with expert faculty, earn the Information Assurance and Cyber Defense (IACD) specialization and become a seasoned authority equipped to help countless people. To start your advancement in a rewarding, increasingly important field, reach out to one of our Admissions Advisors today.
- Retrieved on November 30, 2021, from cbsnews.com/news/ransomware-cyberattacks-60-minutes-2021-06-06/
- Retrieved on November 30, 2021, from kiuwan.com/the-true-cost-of-cybercrime-for-companies/
- Retrieved on November 30, 2021, from ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf
- Retrieved on November 30, 2021, from einnews.com/pr_news/542950077/global-ransomware-damage-costs-to-exceed-265-billion-by-2031
- Retrieved on November 30, 2021, from kaspersky.com/resource-center/definitions/brute-force-attack
- Retrieved on November 30, 2021, from tripwire.com/state-of-security/latest-security-news/sony-hackers-used-phishing-emails-to-breach-company-networks/
- Retrieved on November 30, 2021, from imperva.com/learn/application-security/phishing-attack-scam/
- Retrieved on November 30, 2021, from arstechnica.com/gadgets/2021/07/microsoft-discovers-critical-solarwinds-zero-day-under-active-attack/
- Retrieved on November 30, 2021, from lepide.com/blog/the-15-most-common-types-of-cyber-attacks/
- Retrieved on November 30, 2021, from cisa.gov/ncas/tips/ST04-015
- Retrieved on November 30, 2021, from cynet.com/blog/browser-exploits-legitimate-web-surfing-turned-death-trap/
- Retrieved on November 30, 2021, from csrc.nist.gov/glossary/term/man_in_the_middle_attack
- Retrieved on November 30, 2021, from justice.gov/criminal-fraud/identity-theft/identity-theft-and-identity-fraud
- Retrieved on November 30, 2021, from ftc.gov/tips-advice/business-center/guidance/protecting-personal-information-guide-business
- Retrieved on November 30, 2021, from techopedia.com/definition/25403/encryption-key
- Retrieved on November 30, 2021, from cisco.com/c/en/us/products/security/vpn-endpoint-security-clients/what-is-vpn.html
- Retrieved on November 30, 2021, from pcmag.com/news/6-ways-to-train-your-employees-to-prevent-cyberattacks
- Retrieved on November 30, 2021, from purplesec.us/red-team-vs-blue-team-cyber-security/
- Retrieved on November 30, 2021, from rapid7.com/fundamentals/patch-management/
- Retrieved on November 30, 2021, from usnews.com/education/online-education/marquette-university-OCIT0079/computer-information-technology