Given the broad range of organizations that are targeted by cyber criminals, what advice can you give companies that are looking to create or mature their cybersecurity programs?

Developing a Culture of Cyber Preparedness We spoke with Mike Kelly, Commercial Banking’s Head of Cybersecurity and Technology Controls, about how to create an environment that prioritizes security and fraud preparedness. Learn why organizations today are so focused on security, and what steps you can take to defend yourself from fraud.
Oct 29, 2019 The cybersecurity field continues to evolve, and we hear all the time about new schemes from criminals trying to gain access to systems. What have our clients learned and what more do they need to know now? Over the past few years we’ve seen cyber criminals expand their targets to include a broad range of types and sizes of organizations, and clients—from smaller businesses, like laundromats and corner stores, to large corporations—want to stay ahead of cyberattacks. It’s important for every company or organization to take as many steps as they can to help prevent cyberattacks. Larger companies clearly have more resources, but there is a lot that smaller businesses can do, too. Keep anti-virus software up to date. Don’t open emails from addresses you don’t recognize. Validate all requests for payment by speaking to the person making the request, either in person or with a known phone number. Bring in a cybersecurity consultant for a review of their systems and vulnerabilities. Small steps matter. What’s motivating the shift in interest in cybersecurity preparedness? Unfortunately, cyberattacks are escalating, and that’s the motivation. The wide range of targets, the increased public attention and the experience of actually being targeted—whether it’s successful or not —are the biggest drivers of clients’ cybersecurity preparedness. In the last three years, we’ve doubled the number of clients that we meet with to discuss the tools and controls they can use. We visit offices, speak at conferences and have detailed discussions, and sometimes that’s still not enough. For example, recently one of our clients was developing a cybersecurity program based on best practices. Unfortunately, the client’s project was delayed by other priorities that impacted the program’s launch. During the delay, criminals launched a cyber attack against them and demanded a ransom to return the client’s employee data. Since the incident, building and maintaining a solid cybersecurity program quickly has become a top priority for that client.
The more organizations are hit with some type of cyber event or cyberfraud, the greater the interest they have in maturing their programs. If awareness is growing, what’s still in the way of clients creating a culture of cybersecurity preparedness? Culturally, there’s a difference between organizations that have experienced an incident and those that haven’t. The organizations that have moved the needle the most are those that have experienced an attack, even if it was not successful. Every organization has to weigh competing priorities. It’s natural that the people deciding an organization’s priorities give it more attention after an incident. You just “get it” once you’ve lived through it. So what can cybersecurity leaders do to help push organizational cultures toward cyber preparedness? Cybersecurity preparedness programs don’t have to be expensive, but the lessons that come from a cyberattack are costly in terms of lost business and reputation, lost revenue and lost assets. Organizations are more likely to be the target of a cyberattack than to experience a fire in their office, but often, they are more likely to practice fire drills than cyber preparedness drills. Testing systems helps to uncover gaps in cybersecurity preparedness and employee training. Given the broad range of organizations that are targeted by cyber criminals, what advice can you give companies that are looking to create or mature their cybersecurity programs?

Cybersecurity preparedness programs don’t have to mean an organization must invest in expensive solutions. Having people involved in a system creates an opportunity for human error. So a strong return on investment can come from lower tech strategies including training and testing—such as phishing drills and tabletop exercises. An old fence can still keep people out. Finding and mending any gaps in that fence is critical, and repeated training and practice is one of the simplest ways to do that.