There’s a difference between a security breach and a data breach, explained Julia Seppä, Manager, Cyber Risk, Cyber Identity for Deloitte in Finland at a recent ICAEW Cybercrime webinar, Are businesses ready to tackle cybercrime?. A security breach is a break-in, while a data breach is when a cybercriminal gets away with information.

“Imagine a burglar: the security breach is when he climbs through the window, and the data breach is when he grabs your smartphone and takes it away.”

During the COVID-19 pandemic, the global average cost of a data breach increased from US$3.9m to US$4.2m.

Costs were significantly lower for those organisation with more mature security policies for procedures, and higher for those that lacked in areas such as security AI and automation, a zero-trust approach, and cloud security. It’s why it pays to have good cyber hygiene. Seppä, along with Kevin Wong, managing director at FTI Consulting Middle East and Patrick Wong, Director, cyber security and privacy, PwC Hong Kong, outlined the steps the businesses need to take in order to protect themselves.

Take a zero-trust approach

A zero trust approach helped to reduce the average cost of a data breach, said Seppä. The zero-trust model is a security concept based on the belief that organisations should not automatically trust anything inside or outside its perimeters, requiring verification on anything and everything that tries to connect to its systems. Organisations can use software to aid with this. “Security AI and automation also had the biggest positive cost impact,” she said.

Take a whole-organisation approach

Accept that cybersecurity isn't just an IT problem, says Kevin Wong. Effective solutions incorporate people, process and technology. Having a Cybersecurity Awareness Programme, a strong policy, perhaps an endpoint detection system. “This will not only help defend against malware, but also help against other effects like business email compromise or insider threat.

Spend wisely

You want to spend and invest where you get the most impact, said Kevin Wong. “I’d say if you're an SME, you wouldn't go too wrong with the implementation of multi-factor authentication and an employee cybersecurity education programme.

For larger organisations, consider implementing cybersecurity frameworks, with applicable controls. Assess the effectiveness of these controls provide a framework to manage the risks.

“We need to accept the breaches are inevitable, but it's down to early detection. You can limit the spread of an incident like ransomware by having well-rehearsed incident response plans, so you can react to it quickly. With ransomware, you can really limit the damage by having secure backups that you can reliably restore from. When it comes to supply chain attacks, it's about checking your suppliers or anyone that handles your data conduct the same cybersecurity measures that you're doing, whether that's vulnerability assessments, penetration testing or cybersecurity education programmes.”

Keep systems patched and passwords complex

Catching up on patching is really important, said Patrick Wong, especially on SSL certificates, virtual private networks or anything that is exposed directly to the internet. Hackers are also trying to find the easiest way into your systems, he explained. They look for systems that have been neglected or untouched for a long time.

“Around 40% of the incidents that we're seeing occur due to compromised or brute force passwords. It’s why multi-factor authentication is critically important. A lot of regulators across various regions are making sure that is the baseline of cyber security.”

Making sure that passwords are complex so they’re difficult to brute force. By enabling a second factor means that even if a password is compromised, attackers cannot access any systems.

Keep users aware

Many cybercriminals will disguise themselves by spoofing someone’s email or domain, which can be very convincing. Patrick Wong explained that user awareness is the best defence for this.

“There are some controls that you can put in place that are very simple; highlighting when emails are sent from outside your own company's domain, so that your employees are paying attention to that. Subscribe to a service that allows you to understand and work on potential spoofing domains; you want to have a way to be alerted when there's potential phishing or spoofing attack.”

Stress test

“Really test stress test your incident response plan,” Seppä concluded. “Train like you fight and fight like you train. It's really important to stress test and practice your plan. Having an incident response plans is good, but it's not enough without proper testing.”