Similar to crimes in the physical world, cybercrimes typically involve personal property theft, fraud, or bribery. The difference is that with cybercrimes, the target can be located anywhere: A cybercriminal uses the internet to commit crimes, such as stealing identities or recruiting for terrorist activities. Cybercrime at a global scale is expensive, costing businesses and organizations $600 billion in 2018, according to a World Economic Forum (WEF) report. The media often focuses on cyber breaches at high-profile companies, but small companies are also affected by cybercrime. In fact, according to a May 2019 WEF report, 58 percent of all cybercrime is directed at small businesses. What do statistics like these tell us? They reveal the scope and reach of cybercrime and lay the foundation for workplace cybersecurity 101.
Like it or not, every business is in the cybersecurity business. And investing in cybersecurity has become part of the routine cost of doing business. In today’s digital age, companies that incorporate cybersecurity into their core strategy are in the best position to defend themselves against cyberthreats. At a minimum, companies should understand what types of cyberthreats can impact their success and implement cybersecurity safeguards.
Safeguards Against Cyberthreats
Outside of the financial services sector, cybercrime can affect typical companies that conduct business on the internet — in the U.S., companies fall victim to cyberattacks 4 million times per year, according to the Federal Communications Commission (FCC). But the number of cyberattacks is even more dramatic for financial services firms, which are 300 times more likely to suffer cybersecurity attacks than companies in other industries: 1 billion times per year, according to the FCC.
The most common form of fraud in business today is cybertheft, or stealing of digital information, which now tops physical theft, according to the FCC. A cybertheft attack could result in stolen passwords, personal data, banking information, and more. Safeguarding against cyberthreats by properly maintaining websites and managing computing network infrastructure helps companies secure their business assets, both digital and physical.
Cybersecurity 101 starts with a few key steps:
- Ensure that the website’s hosting provider is verified and trusted.
- Build online shops with securely encrypted e-commerce platforms.
- Install firewalls on every machine.
- Change passwords on computers and other devices regularly.
- Maintain computers and devices with the latest software updates.
- Invest in software and tools such as anti-virus software.
But it is important to note that cybersecurity 101 is more than processes and tools. It requires the active participation of employees and vendors. This means following the cybersecurity policies set out by the company to promote a culture of safety and security. A common misunderstanding in businesses and organizations is that defending against cybercrime is the sole responsibility of a team of skilled cybersecurity professionals. But because everyone in a company or organization is a target of cybercrime — company owners, salespeople, marketing and accounting staff, legal teams, and more — everyone should know how to take steps to keep the company and its assets protected.
Educating Employees on Cybersecurity Best Practices
The city of Baltimore nearly shut down for almost a month due to a sophisticated cyberattack that hit key systems. Typically, cybercriminals use phishing to gain password access to systems. Phishing attacks use fraudulent tactics to deceive email recipients and trick them into revealing information, such as passwords and bank account information. But in the Baltimore cyberattack, hackers uncovered a vulnerability in a government system and used automated software to generate passwords that provided access to key systems.
The more sophisticated cyberattacks get, the easier it becomes for criminals to steal valuable data and shut down business operations. Education is key to addressing the challenge — the U.S. Chamber of Commerce reports that 47 percent of survey respondents cited employee education as a strategy for reducing cybersecurity threats. Education can teach employees what to look out for. One technique involves developing scenarios to test employees’ knowledge of cyberthreats, like detecting potential phishing links in their email inboxes. Tests like these give companies insight into the types of security policies and training they need to help employees detect and report potential cyberattacks. A third-party firm can facilitate testing for companies with small IT teams.
Another educational strategy is an annual meeting for all employees to share updates about the company’s safety and security policies. Security policies tell employees how company property and sensitive data should be handled; for example, a policy can focus on the proper use of laptops in public places and procedures for signing into public Wi-Fi hot spots. Other policies include requiring employees to change their passwords on a regular basis, keeping software up to date, or backing up data. Clear consequences for security policy violations should be established.
Ultimately, educating employees achieves three goals: promoting a safety mindset within the company culture, communicating the importance of remaining vigilant, and increasing awareness of possible cyberthreats.
Increasing Awareness of Cyberthreats
Hackers are skilled at finding workarounds for current defenses, so cyberthreats are ever-evolving. Keeping your company data secure means understanding the cybersecurity threats that can impact your business. A key aspect of cybersecurity 101 is being aware of the following common threats.
Denial of Service and Distributed Denial of Service
A denial of service (DoS) attack makes a website inaccessible to legitimate users. In a DoS attack, a cybercriminal uses a computer to flood a target website with traffic to make it crash. In addition to websites, a DoS attack can affect email services, online accounts, and networks. When multiple computers or bots (automated software that performs tasks over the internet) are used to attack a website or network, it is called a distributed denial of service (DDoS). A cybercriminal uses a DDoS attack to send exponentially more traffic to a target website or network, creating a substantial impact. A successful DDoS attack can result in financial losses for businesses, costing an organization tens of thousands of dollars — between $20,000 and $100,000, according to Stay Safe Online. And when a website crashes, users are inconvenienced, which can lead to the business losing customers.
Ransomware
A discussion of ransomware is not complete without discussing a key concept of cybersecurity 101: malware. Malware is software created to harm computers and networks. Because a computer virus is software code designed to spread damage, it qualifies as malware. Ransomware is also malware, because it is designed with malicious intent, but its purpose is more specific. Hackers use ransomware to attack a computer or network with one goal in mind: to collect payment from a user. Ransomware takes a computer hostage by encrypting the machine’s hard drive. The ransomware demands payment for an encryption key. Without the encryption key, the user’s files are locked and inaccessible.
WannaCry, the notorious 2017 ransomware incident, was detected in 250,000 instances across 116 countries. WannaCry locked down systems by infecting Windows computer hard drives and demanded ransom payments in bitcoin for an encryption key to unlock the computers. WannaCry’s devastating impact shows the daunting consequences of ransomware threats for companies of all sizes.
Phishing
Again, phishing is a social engineering method to deliver malware or capture sensitive information from computer users. A phishing attack arrives by email or text disguised as a message from a reputable source, such as a legitimate organization. Its intent is to trick recipients into taking an action that would make their finances vulnerable, such as supplying their bank account number. A successful phishing attack can also open the door to viruses or malware that can infect a user’s computer.
Phishing’s origins go back as far as 1995, when America Online was the leading internet service provider. Nearly 25 years later, phishing is still going strong. Ponemon Institute research, reported in Accenture’s Ninth Annual Cost of Cybercrime Study, indicates that 85 percent of organizations have experienced phishing attacks: 16 percent more than reported in the previous year.
Elevate Your Career in Cybersecurity Management
Getting up to speed on cybersecurity 101 basics will equip you to address many cybersecurity challenges. But tackling the most serious issues posed by cyberthreats requires a higher level of understanding.
From identifying risks and threats to developing policy, budgets, and preventive security controls, Tulane University’s Online Master of Professional Studies (MPS) in Cybersecurity Management program gives you the knowledge you need to understand the critical nature of IT security in business. Taught by respected cybersecurity experts, the program is designed to hone your skills and enhance your career in the cybersecurity field.
Want to help companies defend themselves against cyberattacks in an increasingly complex world? Learn more about Tulane University’s Online MPS in Cybersecurity Management program.
Accenture, “The Cost of Cybercrime”
CIO, “How to Keep Your Small Business Safe from Data Breaches and Hacks”
CO by U.S. Chamber of Commerce, “Security Guide: Keeping Your Business Safe Online and Off”
CSO, “The 6 Biggest Ransomware Attacks of the Last 5 Years”
CSO, “Malware Explained: How to Prevent, Detect and Recover from It”
Cybersecurity and Infrastructure Security Agency, “Ransomware”
Cybersecurity and Infrastructure Security Agency, “Understanding Denial-of-Service Attacks”
Federal Communications Commission, “Cybersecurity for Small Business”
Forbes, “Cybercriminals Have Your Business in Their Crosshairs and Your Employees Are in Cahoots with Them”
Forbes, “Cybersecurity 101: Practical Tips to Protect Your Personal Data”
Governing, “The Baltimore Cyberattack Highlights Hackers’ New Tactics”
Phishing.org, “History of Phishing”
SecurityIntelligence, “How Will You Face the High Price of DDoS Attacks?”
Stay Safe Online, “5 Ways to Spot a Phishing Email”
Stay Safe Online, “Criminal Motivations: One Big Reason DDoS Attacks Are Exploding in Popularity”
U.S. Small Business Administration, “Small Business Cybersecurity”
Wall Street Journal, “How to Keep Your Online Business Information Secure — Some Basics”
World Economic Forum, “Helping Small Businesses Fight Cybercrime Benefits the Global Ecosystem”