There is no doubt that keeping data safe from cyber criminals is at the top of every business owner's mind. But while awareness is at a peak, a gap remains in how prepared companies are to secure their information.
A recent survey of information technology and security officials by Rolling Meadows-based IT association ISACA revealed 80 percent believe they are likely to experience a cyberattack this year, while more than half reported an increase in attacks from the previous year.
Your thermostat may be the next hack
Mobile devices have long been considered the biggest vulnerability in a business's defense against cyber crime, but hackers may now be finding a new way to get to your company ... like your thermostat.
The Internet of Things replaced mobile devices as the primary focus for cyber defenses in ISACA's State of Cyber Security Study 2017.
A total of 97 percent of organizations see IoT becoming more prevalent in organizations, and as a result, security professionals need to enact protocols to guard against the new threat.
"There are more of these now than ever before," said Robert Clyde, ISACA board of directors vice chair. "It's in devices like routers, surveillance cameras, webcams ... and in some of these the software could be more than 10 years old."
He noted that IoT technology is becoming an integral part of the nation's infrastructure, like electric and water grids, as well as powering lifesaving devices in the health care industry.
"If someone were to take over those, it's possible they could disrupt a lot of things," Clyde said.
As an example of how IoT can be hacked, Clyde noted a health care business that had a medical device infected with ransomware. In the investigation, it was found an employee inappropriately used the device to check personal email and inadvertently downloaded the ransomware.
"It should have never happened because nobody should've been using the system like that," he said. "But the fact that she was and that the system was not up to date caused the ransomware to get in."
Although awareness is up, half of the respondents in ISACA's State of Cyber Security Study 2017 don't feel comfortable with their cyber team's ability to address anything beyond simple issues, while more than half say cyber security professionals lack an ability to understand the business.
ISACA board of directors Vice-Chair Robert Clyde notes part of that gap is due to a shortage of trained, certified cyber security professionals coming through the educational system.
However, he adds that a portion is also the result of organizations not investing enough in their security resources. While the survey found 27 percent of the respondents spent at least $2,500 per professional on education and training, 25 percent spent less than $1,000.
"Most organizations are simply not spending enough," Clyde said. "Unless you're spending $2,500 ... or probably a bit more ... on that, you really have no hope of providing education for your cybersecurity staff so they can keep up with things."
Clyde, who also serves as executive chair of Austin, Texas-based White Cloud Security, noted a positive from the survey was an increasing number of organizations that have hired a chief information security officer to lead data security efforts.
A total of 65 percent said they have such a position in 2017, up from 50 percent the previous year.
While that shows businesses are recognizing the need to put someone in charge of data security, Clyde notes not coupling that with sufficient staff training is like hiring a police chief, but not giving his officers the tools to enforce the law.
"It'd be like the police chief saying 'My people are good at routine traffic stops, but if there is any serious crime, we're not going to be able to handle that,'" he said.
So how does your company meet the security challenge?
Clyde said the education system is recognizing the need for data security professional programs, but it will still be a few years before schools can catch up with the need to fill openings.
"We recognize there are not enough professionals trained by universities, and we need to fix that," he added. "But it'll take a while to go through the entire system."
He suggested companies find people who have related skills -- like IT or networking backgrounds -- and train them through certification programs like ISACA's Cybersecurity Nexus (CSX).
"Don't just hire the best, most experienced person because, in reality, you're just going to steal them from somebody else," Clyde said. "And somebody else is going to steal that person from you, because there really is a shortage.
"An alternate approach that will increase the number of qualified people is to consider hiring people straight out of school without experience and train them," he added. "It will be less expensive and you can hold on to them longer."
Beyond training your own professionals, Clyde stressed the need to maintain excellent data backup systems, and also recommended companies look at trusted app listings or next-generation whitelisting, which will allow only trusted code to run on your system.
"It ensures only known, good code will run on your system," he said. "If a ransomware is loaded on a system with white lists, it will not run because it is not on the listing.
"I like this kind of approach because it prevents the kind of mistakes by users where they click or download something that could cause an attack."