Vice President of Research & Emerging Issues
National Chamber Foundation
Many U.S. companies have a false sense of security online. A new survey from the National Cyber Security Alliance and Symantec finds that nearly 70% of U.S. small businesses do not have any kind of Internet security policy for employees, though 77% of small business owners believe their company is safe from hackers, malicious programs and other digital threats. No matter the survey findings, 100% of U.S. businesses face persistent online threats, and cyber readiness does not happen by accident.
October is National Cyber Security Awareness Month, and it comes amidst legislative debates in Washington over how best to protect American networks. The debates have focused largely on how to secure critical infrastructure – either through information sharing and guidance or through regulation. About 85% of U.S. infrastructure is privately owned, which raises the delicate challenge of balancing private sector liberty and government oversight of a public utility. This is an important debate for America’s businesses, but no matter the legislation ultimately passed, the strength of U.S. business cyber security depends heavily on the daily choices employees and business leaders make online. They are on the “front lines” of the country’s battle against cyber threats.
Many businesses employ network security programs and digital experts. This builds a cyber wall around proprietary and sensitive company data, but cyber attackers, rather than assaulting a hardened front door, often try to sneak in through the back door or through a window that is cracked open ever so slightly. To penetrate secure networks, cyber criminals target weak points – people. Criminals exploit cyber ignorance and use a variety of digital tactics to compromise network access.
The decisions employees make about opening suspicious e-mails, visiting threatening websites, or sharing personal and company information on social networks can either stop cyber criminals in their tracks or render expensive network security programs worthless. The more vigilant employees become, the fewer opportunities cyber attackers will have to circumvent network security. This doesn’t take legislation or bureaucrats; it takes education and mindfulness. There are simple steps everyone can (and should) follow to raise their digital security posture and resist cyber threats.
Return to Sender – There are numerous e-mail tactics cyber criminals use, casting a wide net and relying on human folly to expose security vulnerabilities. Opening suspicious e-mails, clicking on unfamiliar links, and downloading attachments can expose a computer or e-mail account to spyware, viruses, and other malicious programs. This in turn threatens network security and potentially all business data, passwords and other critical information. Use filters on e-mail platforms, delete suspicious e-mails without opening them, and click on links and attachments with caution.
Updates are Important – Every computer program is potentially vulnerable to attack, which is why software companies continually fine-tune and update their programs to stay a step ahead of the dynamic cyber threat. For these security efforts to work, however, users must apply the updates. Employees should implement program updates as soon as they are available and respond to prompts from security programs to scan for threats and address vulnerabilities.
The (Digital) Walls Have Ears – There is sometimes an illusion on social networks that because users are communicating with only “friends,” only the “friends” are reading what is posted. Yet, cyber criminals mine social media posts for personal details that can reveal online accounts, user names and passwords. Gaining enough personal information will allow them to launch a range of other attacks, be it on a bank account or the company-wide network. When using a social site, people need to be mindful and restrict how much personal information is shared with the public.
Walk the Walk – Knowing these and other best practices for cyber security does not independently resolve the online threat. After education, employees and business leaders must put the tactics into practice – consistently. Being cyber savvy takes more than an annual training program and lackadaisical adherence to Internet security practices. True Internet security means continually and actively guarding against dedicated cyber attackers.
The Department of Homeland Security has compiled a list of resources for businesses to improve their cyber security readiness, offering critical information from a range of federal offices. Businesses can also consult guides from private sector groups, such as the U.S. Chamber’s “Internet Security Essentials for Business 2.0.” The imperative for America’s businesses is to draw on these and other resources to better protect their networks. All U.S. companies face the cyber threat, and it will take all of us to secure the nation.