How Security Awareness Can Protect the Tech Industry
Introduction
The tech industry often falls prey to new and emerging cyberattacks. This doesn’t come as a surprise, given the valuable information these organizations hold. Employees in the tech industry also tend to adopt the latest technology earlier and are more susceptible to such attacks until that technology has matured. For instance, employees adept at technology are more likely to install the latest applications and use newly introduced smart devices that may not be secure yet.
Moreover, some parts of the technology sector are bridges for attacks on other sectors, as tech products are part of the basic infrastructure of every other organization. In a way, technology has not only made our lives easier but also made us more vulnerable to these security threats. For instance, point-of-sale systems with vulnerabilities have caused further security breaches for retailers, and backdoors in communication hardware have often resulted in a wide range of cyberattacks.
Because human error has played a significant part in successful security breaches in the past, the best way to protect the company from costly mistakes is to offer security awareness training sessions to all the employees. These sessions can include classroom-style training, periodic emails, posters and charts, and dedicating a website solely to security awareness.
Risks/Threats Faced by the Tech Industry
The tech industry is in a relatively sensitive position in relation to cyberattacks today. Because of their valuable commodities, software and tech companies are a big source of business for hackers. Stolen intellectual property and software are not only sold in public markets but also exchanged between cybercriminals. Microsoft recently made the news after facing a severe ransomware crisis affecting thousands of people in more than 150 countries. Even though it has a team of 3500 security professionals, the attack still occurred. Apparently, the attacks took place with the help of a hacking tool that was built by the U.S. National Security Agency and leaked online in April 2017.
Brad Smith, the president of Microsoft, wrote in a blog post, “We have seen vulnerabilities stored by the CIA show up on Wikileaks, and now this vulnerability stolen from the NSA has affected customers around the world.” With this statement Smith hints that the government intelligence agencies need to be more cooperative in improving Internet security and share software vulnerabilities with technology firms.
Loss of Intellectual Property
One of the biggest threats for companies in the tech industry is the loss of intellectual property (IP). Losing intellectual property can be a major blow to an organization’s competitive advantage, which is why it is mostly competitors or states that are involved in the theft of intellectual property. However, a skilled insider with the right level of access can also pose a big threat to the organization by making off with a large amount of valuable information in little time.
Loss of Customer Information
Because many tech companies provide online services, another major threat they face is the loss of customer information. Many countries legally require disclosure when personally identifiable information is lost. Cybercriminals aim to steal customers’ personally identifiable information for their own monetary gain.
Hacktivism
This is another threat particular to the tech sector. High-tech organizations often create products that tech-savvy people target for hacking. When organizations sue these hackers, the organizations are in turn targeted by “hacktivist” groups, which can eventually lead to reputational damage and heavy financial losses for the tech company.
In 2015, a hacker named Phineas Fisher hacked into an Italian technology company, Hacking Team, that actually sells hacking and spying software tools. He explained that his motive behind the breach of more than 400 gigabytes of data was to stop human rights abuses.
Setting up a Security Awareness Program in the Tech Sector
The year 2016 saw a number of high-profile cyberattacks such as those on Yahoo, Tesco Bank, and the World Anti-Doping Agency, to name a few. With these attacks, cybersecurity became a hot topic of discussion in the tech sector. Now, tech professionals perceive cybersecurity as the biggest potential trouble-maker in the tech industry over the next five years.
According to the “Technology: Voice of the Workforce” survey conducted by Networkers, a majority of more than 1600 surveyed technology professionals believe cybersecurity to be a major potential disruptor, beating other tech innovations such as IoT, big data, automated technology, 5G and policy/political changes. By 2019, cyberhacks are estimated to cost around $2.1 trillion globally, which demonstrates the need to establish effective security awareness programs.
Such a program ensures that training is conducted periodically in order to develop the competencies, methods and techniques necessary to face possible security threats. An awareness program is not a destination but a journey that requires regular improvement as it moves forward. For the tech sector, it is even more important because these awareness programs educate technical as well as non-technical staff and keep the information security policy of the company fresh in their minds. Moreover, the entire staff needs to be on the same page and stay equally involved to make the security program successful. Any technical defense measure taken will turn out to be useless if any individual from the staff is left out.
Because of the threats mentioned above, the tech sector is at a greater risk of cyberattacks. Employees may or may not be from technical backgrounds, but they do need to be well-informed. The technology sector workforce needs to be even more conscious of its surroundings and must be equipped to respond effectively.
Employees generally tend to care less about the business at a technical level, and embedding a security awareness culture in the organization cannot be an overnight task. A program will be successful if every employee feels the responsibility, takes ownership, and accepts accountability for exposing the organization to any risk.
For any security program, the first line of defense is the controls: how best practices are enforced and security compromises are prevented. Second comes detection, i.e., how an attempted breach or attack is caught. The third line of defense is your people: how aware they are of security practices and to what extent they successfully avoid potential attacks. An effective security awareness program works on your third line of defense, educates people about the first and second lines, and equips them with the right tools and knowledge.
Develop the Required Skill Set
Considering the increased demand to fill key security positions in the near future, the tech sector needs to recruit and upskill penetration testers, security consultants and security analysts. These can emerge from existing job roles such as network administrators, web developers and system administrators, or from entry-level information security roles. For starters, knowledge of security standards, frameworks and certifications such as ISO 27001, CISSP, and PCI DSS is important.
Educate the Staff
According to recent research by Intel Security, about 43% of data and security breaches occur due to the negligence or irresponsible behavior of staff. Senior IT security positions such as governance and compliance managers and chief information security officers (CISOs) can help ensure that all staff members are given the right kind of education to avoid potential security threats in the future.
Avoid Hacktivist Groups
What is the best way to deal with these hacktivists? Using security best practices and keeping a low profile. Establish routine cybersecurity measures, such as multifactor authentication protocols, virtual private networks, firewalls, and tools that protect against DDoS attacks. Also, practice threat modeling exercises to determine the response in the event of a real attack.
Keep Your Intellectual Property Safe
Limit access by allowing only authorized people to view critical files, and have them sign confidentiality agreements. Now that you have hired security professionals and educated the staff, employ security technology at its best. Start with the basics: use security information and event management (SIEM), cloud access security broker (CASB) or data loss prevention (DLP) tools to identify any outliers. Act fast on potential attempts to infiltrate intellectual property.
Conclusion
With the rise in cyberattacks every year, tech companies in particular need to secure their private infrastructures and employ effective threat intelligence. Today, it is not just about damage control but rather about preventive measures. This is why security awareness, the development of actions to mitigate threats, and the implementation of a protective strategy are critical for the successful running of these tech organizations.