Given our technological landscape and ever-increasing dependence on interconnected devices, it is an unfortunate reality that where we gain convenience, we lose security. From spear-phishing campaigns that seek to compromise the human element of security to ransomware attacks, organizations are now tasked with implementing reactive and proactive strategies to counteract cyber threats and risks.
Cybervigilance is a cornerstone of strong security cultures. Developing a culture of security within an organization requires a combination of proactive and reactive cybersecurity measures, including top-down management support, asset prioritization, well-documented communication channels, incident response planning, regular security assessments, and employee education.
Key Facts
- Threat actors have four primary motivations for committing cybercrimes: financial gain, political and/or ideological beliefs, curiosity and fun, or some emotional benefit. Financial gain is the most common factor, but organizations may be targeted for any one or combination of these reasons.
- The typical profile of a cybercriminal goes far beyond the standard vision of a lone hacker sitting at a computer in a basement. While lone hackers exist, cybercriminals may be hacktivists, organized criminals, or even professional criminals who work for a larger group. Nation states may also be responsible for acts of cybercrime, as demonstrated by the Sony hack of 2014.[3]
- Cyberattacks can damage an organization financially, reputationally, legally, and operationally. The effects of a cyberattack can have both short-term and long-term repercussions that affect overarching goals.
- As technology and cybersecurity strategies strengthen, so too does a cybercriminal's ability to counter them with stronger threats. Malware, social engineering attacks, distributed denial-of-service attacks, advanced persistent threats, and brute-force attacks are all ways that an organization may be attacked.
- Top-down management support is critical in establishing cultures of security that take a proactive approach to cybersecurity, vigilance, and resilience. "Set it and forget it" security protocols are incapable of effectively addressing the types of threat actors and risks that organizations face on a daily basis.
- Incident response teams and clear communication channels for reporting cyber incidents help relieve the chaos that comes in the wake of a cyberattack, quicken mitigation efforts, and improve the public response.
- Cyber awareness within an organization relies on ongoing investment in security assessments, employee training, and education. While top-down support is critical, it must be understood across departments that cybersecurity is everyone's responsibility.

Recommendations:
- Enterprises must incorporate a cybersecurity approach that takes both reactive and proactive strategies into account.
- IT security can no longer be the sole hub of cyber defense communication. Establish a corporate communication initiative that begins with the tone at the top and is administered by risk and/or compliance in partnership with IT.
- Establish incident response teams that are charged with handling cyber events, including but not limited to public response, internal investigations, external communications, and preliminary mitigation efforts.
- Act now. Organizations should establish a security baseline via a maturity assessment and proceed from there. Assume vulnerabilities exist and promote an attitude of "when, not if" in regard to potential attacks and breaches.
Introduction
Cybercrime can be incredibly lucrative and relatively low risk, making it an attractive option for criminals on a national and global level. Historically, cybercrime required knowledge of networks, technology, and standard security measures. That is no longer the case. Today there are malware-as-a-service companies that will create worms, phishing attacks, Trojans, viruses, and other malware on demand. Additionally, many individuals work within a group to perform small cybercrime tasks in order to execute a greater attack.
The cyberworld is constantly evolving. Organizations face threats from a variety of angles. Disgruntled employees can seek to disrupt or embarrass the organization or sell company trade secrets. Organized espionage groups can actively look to penetrate databases and steal transactional information. Companies that have, or appear to have, a social agenda face the threat of activist dissidents seeking fame and notoriety for their cause through malicious insertions and denial of service.
The FBI’s 2019 Internet Crime Report, released in February 2020, illustrates an ongoing trend: “Internet-enabled crimes and scams show no signs of letting up . . . IC3 received 467,361 complaints in 2019—an average of nearly 1,300 every day—and recorded more than $3.5 billion in losses to individual and business victims”.[4] The year 2020 came with its own challenges to organizations, as the coronavirus pandemic drastically altered business operations. From remote work challenges to new COVID-19–related phishing scams, cybercrime abounds. A little over two years later, organizations continue to face these issues as hybrid working arrangements become the norm for many.
According to a 2020 report published by McAfee, the monetary loss from global cybercrime was an estimated $945 billion. The report states:
The COVID-19 crisis has provided a fertile environment for cybercrime. Not only were criminal actors able to quickly modify their schemes in response to the pandemic, they also take advantage of the quick adoption of remote access infrastructure for work and education. Traditional schemes became ‘COVID-themed.’[5]
The COVID-19 pandemic brought to the forefront the adaptability of cybercriminals. Given society’s pronounced reliance on interconnected technologies and devices to maintain business continuity in the face of the pandemic, the threat landscape only widened and the stakes became even higher.
In the Executive Order on Improving the Nation's Cybersecurity,[6] President Biden detailed a roadmap for improving the nation's security posture. The order addresses the need for modernization within the federal government and establishes the Cyber Safety Review Board. The purpose of this board is to review major cyberattacks, provide lessons learned from them, and promote cooperation between the private and public sectors. Other requirements include, but are not limited to, the joint standard of the International Organization for Standardization and the International Electrotechnical Commission, known as ISO/IEC 27002:2013;[7] the Committee of Sponsoring Organizations of the Treadway Commission standard for cyber risks;[8] the National Institute of Standards and Technology Cybersecurity Framework;[9] the Internet Engineering Task Force Site Security Handbook, RFC 2196;[10] the International Society of Automation ISA99 series;[11] the Federal Energy Regulatory Commission Critical Infrastructure Protection standards, which are developed by the North American Electric Reliability Corporation;[12] the Health Information Technology for Economic and Clinical Health Act of 2009;[13] and the Payment Card Industry Data Security Standard.[14]