Cyber Security Road Map White Pages


A CYBER SECURITY ROAD MAP

INTRODUCTION

Most companies are aware they need to do something to protect themselves from cyber-attacks. But most resist doing anything, not because they don’t want to move forward but because of budgets, resources, or they don’t know where to begin. The four areas of Cyber Security are Protect, Detect, Respond, and Recover. These tasks can be done independently of each other; however, if you create a Cyber Security Plan, you will find that they are all interrelated. The following endeavors will improve your cyber security and can be completed utilizing minimum dollars and resources. The first place to look is where your company is the most vulnerable.

1. CONDUCT A RISK ASSESSMENT

If securing your company’s data is one of your projects for this year, you need to plan for how your budget dollars will be used. Where do you start? What do you secure? Where is the best place to spend your IT budget dollars to get the most “bang for the buck”? Begin with a Risk Assessment. Why? Because the biggest problem most companies face when putting together a security plan is that they don’t know what they don’t know. Questions such as:

• What data should be protected?
• Where is my environment most vulnerable?
• I have a firewall, antivirus software, and monitoring logs; what more do I need?
• What are the relevant threats?
• Can we detect a breach if one has occurred in our company?

A risk assessment can be done using internal resources, but this may not give you the best results. A company that specializes in security can look at your organization from the outside in. They will evaluate the entire enterprise, not just the IT environment or from an IT perspective. They will help you answer the aforementioned questions and assist you in deciding where to spend your budget dollars to achieve the greatest value and security.

If your budget does not allow you to hire a third party to do your Risk Assessment, then you need to include the following tasks:

• Conduct Executive Interviews
• Create a detailed Threat Analysis
• Learn and document all compliance requirements
• Prioritize Recommendations

Conduct Executive Interviews

The first task in a risk assessment is to interview management from all departments. This will help you determine what information they identify as critical, sensitive, and necessary for them to conduct business. This will help you answer the first question, “What data should you protect?” Once you have established what information is important to every department, you can begin the next step.

Detailed Threat Analysis

A Detailed Threat Analysis includes application and infrastructure threat analysis. Once you have determined what information is important to each department, you need to determine what applications and infrastructure support this information. Determine what is in place currently to protect this information from a breach. Who has access to this information? For example, does the sales department have access to only the applications that support sales?

Do administrators in the IT department understand their responsibility for the information they can access? What about anyone with remote access? Are the policies and procedures in place that ensure they can remotely access only the information they should? With the introduction of cloud-based applications, analysis of these applications must also be completed. If you think about cloud-based applications, every user is now a remote access user, where a different set of security rules, policies, and procedures will need to be put into place. Make sure these applications are included in your risk assessment. Many companies make the mistake of assuming that the cloud-based application company will set up the correct security. In most cases, setting up access and security is your responsibility, not the cloud-based application company’s.
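The access questions of the threat analysis (which applications support which department, who actually holds access, administrators, remote and cloud users) can be turned into a repeatable review. The following is an added example, not code from the white paper; the applications, departments, users, and the three finding kinds are constructed assumptions.

```python
"""Access review for the detailed threat analysis step.

Added example, not from the white paper. Given which applications support
each department's critical information and which users actually hold access,
report access outside a user's department, administrative access that needs
an explicit responsibility sign-off, and remote/cloud access that needs the
remote-access policy applied, ranked by the criticality of the data involved.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Application:
    name: str
    departments: FrozenSet[str]  # departments whose work this app supports
    criticality: int             # 1 (low) .. 3 (high), from the executive interviews
    cloud: bool = False          # a cloud app makes every user a remote-access user


@dataclass(frozen=True)
class Grant:
    user: str
    department: str
    app: str
    admin: bool = False   # administrative (IT steward) access
    remote: bool = False  # user reaches the app from outside the network


# Constructed inventory (assumed names, not from the paper).
APPS: Dict[str, Application] = {
    "crm": Application("crm", frozenset({"sales"}), 2),
    "payroll": Application("payroll", frozenset({"hr", "finance"}), 3),
    "docs": Application("docs", frozenset({"sales", "hr", "finance", "it"}), 1, cloud=True),
}

GRANTS: List[Grant] = [
    Grant("alice", "sales", "crm"),
    Grant("alice", "sales", "payroll"),            # sales user holding payroll access
    Grant("bob", "it", "payroll", admin=True),     # IT administrator of the payroll system
    Grant("carol", "finance", "payroll", remote=True),
    Grant("dave", "hr", "docs"),                   # cloud app: remote by definition
]

Finding = Tuple[int, str, str, str]  # (criticality, kind, user, app)


def review_access(apps: Dict[str, Application], grants: List[Grant]) -> List[Finding]:
    """Return findings sorted with the most critical data first.

    kinds:
      "admin"         administrative access: confirm the admin knows their responsibility
      "out_of_scope"  the user's department is not one the application supports
      "remote"        remote or cloud access: the remote-access policy must apply
    """
    findings: List[Finding] = []
    for g in grants:
        app = apps[g.app]
        if g.admin:
            findings.append((app.criticality, "admin", g.user, g.app))
        elif g.department not in app.departments:
            findings.append((app.criticality, "out_of_scope", g.user, g.app))
        if g.remote or app.cloud:
            findings.append((app.criticality, "remote", g.user, g.app))
    findings.sort(key=lambda f: (-f[0], f[1], f[2]))
    return findings


def users_per_app(apps: Dict[str, Application], grants: List[Grant]) -> Dict[str, List[str]]:
    """Who can reach each application: the answer to 'who has access to this information?'"""
    table: Dict[str, List[str]] = {name: [] for name in apps}
    for g in grants:
        table[g.app].append(g.user)
    return table


if __name__ == "__main__":
    for crit, kind, user, app in review_access(APPS, GRANTS):
        print(f"[criticality {crit}] {kind:13} {user:6} -> {app}")
    print(users_per_app(APPS, GRANTS))
```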
Compliance Requirements

Do you have to adhere to any compliance requirements? This includes regulations such as HIPAA, GDPR, and PCI-DSS as well as Federal, state, and local regulations. Many companies do not realize that if they are breached, there are Federal, state, and local laws and/or requirements a company must follow. If you don’t know what they are for your company’s location(s), this must be documented. During a risk assessment is the time to research and document these requirements, not during a data breach. Once all the requirements and compliance obligations are known and documented, you must do a gap analysis of what you are currently doing and what you need to do to be compliant.

Recommendation

Once you have conducted the interviews, performed a detailed threat analysis, and documented all the compliance requirements and regulations, you can prepare your recommendations. How you prioritize the recommendations will depend on you. Some companies will prioritize the recommendations based on greatest risk to the company, while others start with the ones that can be completed quickly. However you prioritize your list of recommendations, your key to success is to minimize your risk of a breach by completing all of the recommendations. This is when an outside company can help. They will help you prioritize the recommendations list and assist you in implementing a solution and/or assist you in finding the right software or hardware needed.

2. CLASSIFY YOUR DATA

Before you start to purchase or upgrade software and hardware to protect your company from a cyber-attack, you need to determine what data is most important for you to protect. Or, a better approach, ask yourself what data you need to conduct business. This answer may vary from department to department, which is why this project must include the entire company from a business perspective, not from an IT perspective.

The first place to start when classifying your data is to form a team. This can be as few as 2-3 people but must represent several departments and not just personnel from your IT department. This team needs to interview each department to determine several important requirements.

• What data is most important to them?
• What is the sensitivity of their data?
• What is the value of the data to that department and to the enterprise?
• How long can they perform their duties without access to their data?
• What data can they access?
• Does anyone in their department have and/or need remote access? If so, how is remote access given and monitored?
• How is their data shared interdepartmentally, internally within the company, and externally?
• Does their data need to be compliant with any regulations such as HIPAA, PCI, EU, or others?
• How/where is their data stored?
• How often is their data backed up?

Once all these questions are answered for all your departments, you can start the process of classifying your company’s data. You will have a clear picture of the value of each department’s data, what is important for them to do their job, and how long they can continue to do their job without access to their data. You have blueprints of what data must be available as quickly as possible and what data can be delayed to come online if a breach occurs. In addition, you will learn how and where valuable and sensitive data is accessed and stored. You need to look at all data: live, in motion, and at rest. Live data is emails, files, and documents that are created and handled right now. Next, you need to look at data in motion. This is data sent and received internally and externally, populating all web applications, and shared throughout the enterprise. Data in motion includes data downstream. Where does the data go once it leaves a department or the enterprise? Data at rest is all data stored. This would include data in databases, within applications, backups, and cloud services. You will also have a clear picture of who does and who should have access to each type of data.
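Two of the interview answers above (how long a department can work without its data, and how often it is backed up) are exactly what the backup review that follows has to reconcile. The following is an added example, not code from the white paper: it takes constructed classification results and backup jobs (assumed names and values) and reports where the schedule does not match the classification, plus the order in which data should be restored.

```python
"""Check that the backup schedule matches the data classification.

Added example, not from the white paper. Each classified data set records how
long its department can work without it and how much recent work it can afford
to lose; each backup job records how often it runs, how long a restore takes,
whether an offsite copy exists and when a restore was last tested. The audit
reports the gaps the paper's backup questions are meant to surface, and the
restore order that brings the most critical data back online first.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

CRITICALITY_ORDER = {"critical": 0, "important": 1, "routine": 2}
RESTORE_TEST_MAX_AGE = timedelta(days=365)  # paper: test recovery at least once a year


@dataclass(frozen=True)
class DataSet:
    name: str
    department: str
    criticality: str         # "critical", "important" or "routine"
    max_outage_hours: float  # how long the department can work without it
    max_loss_hours: float    # how much recent data it can afford to lose


@dataclass(frozen=True)
class BackupJob:
    dataset: str
    interval_hours: float    # time between backups
    restore_hours: float     # measured time to restore and bring back online
    offsite: bool            # a copy is kept away from the production site
    last_restore_test: Optional[date]


# Constructed classification results and backup jobs (assumed values).
DATASETS: List[DataSet] = [
    DataSet("orders", "sales", "critical", max_outage_hours=4, max_loss_hours=1),
    DataSet("payroll", "hr", "important", max_outage_hours=48, max_loss_hours=24),
    DataSet("marketing-assets", "marketing", "routine", max_outage_hours=240, max_loss_hours=168),
    DataSet("customer-contracts", "legal", "critical", max_outage_hours=24, max_loss_hours=24),
]

JOBS: List[BackupJob] = [
    BackupJob("orders", interval_hours=24, restore_hours=8, offsite=False,
              last_restore_test=date(2022, 1, 10)),
    BackupJob("payroll", interval_hours=24, restore_hours=12, offsite=True,
              last_restore_test=date(2023, 3, 1)),
    BackupJob("customer-contracts", interval_hours=24, restore_hours=2, offsite=True,
              last_restore_test=None),
    # marketing-assets has no backup job at all
]

TODAY = date(2023, 6, 1)

Issue = Tuple[str, str]  # (data set, problem)


def audit_backups(datasets: List[DataSet], jobs: List[BackupJob], today: date) -> List[Issue]:
    """Return the gaps between classification and backup schedule, critical data first."""
    by_name: Dict[str, BackupJob] = {j.dataset: j for j in jobs}
    issues: List[Issue] = []
    for ds in sorted(datasets, key=lambda d: CRITICALITY_ORDER[d.criticality]):
        job = by_name.get(ds.name)
        if job is None:
            issues.append((ds.name, "no backup job defined"))
            continue
        if job.interval_hours > ds.max_loss_hours:   # data lost between backups
            issues.append((ds.name, f"backup every {job.interval_hours:g}h exceeds "
                                    f"tolerable loss of {ds.max_loss_hours:g}h"))
        if job.restore_hours > ds.max_outage_hours:  # schedule vs time users can go without data
            issues.append((ds.name, f"restore takes {job.restore_hours:g}h but department "
                                    f"can only wait {ds.max_outage_hours:g}h"))
        if ds.criticality == "critical" and not job.offsite:
            issues.append((ds.name, "critical data is not stored differently (no offsite copy)"))
        if job.last_restore_test is None or today - job.last_restore_test > RESTORE_TEST_MAX_AGE:
            issues.append((ds.name, "restore not tested within the last year"))
    return issues


def restore_order(datasets: List[DataSet]) -> List[str]:
    """Blueprint of what must come back online first: most critical, shortest tolerable outage."""
    ranked = sorted(datasets, key=lambda d: (CRITICALITY_ORDER[d.criticality], d.max_outage_hours))
    return [d.name for d in ranked]


if __name__ == "__main__":
    for name, problem in audit_backups(DATASETS, JOBS, TODAY):
        print(f"{name:20} {problem}")
    print("restore order:", " -> ".join(restore_order(DATASETS)))
```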
Another important element of classifying your data is to ensure you are compliant with all regulations. If you have to be HIPAA compliant, are you protecting, sharing, and storing data to meet the requirements? If not, now is the time to document what changes need to be made to become compliant and set a timeframe for this to be completed.

This is the beginning of your Security Policy and will become part of your Incident Response Plan. You must develop a plan to make sure your policies and procedures reflect the needs of your enterprise to protect your data and get back online.

If you have the budget to hire a third party to help with the classification of your data, this is also an option to consider. The advantage of a third party performing this project is that you will get a better picture. A third party will look at it from outside of the enterprise inward. They will look at the enterprise as a whole, each department individually, and how departments work and share data. They will not have any preconceived opinions of what data is sensitive, valuable, or critical to the enterprise.

3. REVIEW AND UPDATE YOUR BACKUP PROCESSES

When was the last time you reviewed your backup policies and procedures? Better yet, when was the last time they were tested? The time to test your backup procedures is not during or after a cyber-attack! You need to know how you are going to recover from a data breach. Knowing, testing, and continuing to update your backup policies and procedures is an inexpensive way to ensure your recovery time is faster and less painful. Most companies fail to review their backup policies and realize during the recovery process that their backups no longer support the business.

If you have completed the classification of your data project, you can align your backup schedule to ensure the most critical data is available online as quickly as possible. Start your review by asking yourself questions about your current processes.

• When are backups scheduled?
• Are backups both full and partial? If so, what data qualifies for full or partial backups?
• Who is responsible for the backups?
• Is your backup plan in compliance with all regulations?
• What is the timeframe for the backups? Does the backup schedule align with the timeframe the users can go without their data?
• What happens to any data lost between backups?
• Is critical data backed up and stored differently than less critical data? If so, how?
• Is the backup done to a local drive, or remotely over a LAN or wide area network?
• Who is responsible for verifying the backups were completed successfully?
• Who is notified if the backup fails, and what is the procedure when it fails?

After answering all of these questions, you need to update your backup policies and procedures. This is a time-consuming project, but it can be completed with internal resources and with minimum expenditures. Complete verification of the entire backup and restore processes is critical. Develop strategies with the appropriate resources and personnel, and then test them. During the test, document everything that went right and wrong. Make all the adjustments to correct any errors that occurred during the testing. But don’t stop there! Test again. Your backup policies and procedures are not finished until a test is completed with no errors. But you are still not finished. Part of your backup policies and procedures is to have regularly scheduled recovery tests. You should do this at least once a year, but remember, the more often it is done, the more confident you will be that you can recover from a data breach.

4. REVIEW AND UPDATE HOW YOU MONITOR THE LOGS FROM YOUR FIREWALL, DETECTION, OTHER SECURITY AND APPLICATION SOFTWARE

The first step in your monitoring process is to determine which applications running in your environment produce logs. Next, determine which logs are important to monitor. You may have invested in firewalls, Intrusion Detection Systems, and other software and hardware applications that protect the perimeter of your environment. However, if you are not monitoring the logs generated from these applications, you are not receiving the full value of your investment. If you have determined you need to monitor an application that does not produce a log, you have to make a decision. Does the application need to be upgraded because you are running an older version and the upgraded version can now produce logs? If the current version does not produce logs, you need to determine what information you need to know about the application. Can you create a process to extract the information needed?

Don’t make the mistake that many companies do when creating monitoring processes and procedures: they monitor everything. What generally happens in this case is that the intention is great but the follow-through fails. The logs become too onerous to monitor, so they no longer monitor any logs. A problem is missed because too many logs will not give an accurate picture of what is happening in your environment.

If you have classified your data, then you know which data is most important to protect. Thus, the first place to look is at what applications run, back up, store, and have access to that data. If you have not classified your data, then start at your first line of defense: your firewall, End Point Protection and anti-virus software, and access control. If you have either Intrusion Detection or Intrusion Prevention systems, these logs are critical to monitor.

Log management and monitoring will help you detect a security breach within your environment. Research has shown that it takes an average of 208 days for a company to detect that they were breached. In addition, it takes them an average of 69 days to remove and recover from the breach. Protecting your environment and detecting a breach must be included in your security plan.

Protect Your Environment

Your first line of defense is the software and hardware that protects your environment. Make sure all of these are running the most current version. If they are not, upgrade to the newest version. Many of them have new features that protect your environment and produce better logs. If you are running the newest version, make sure you are taking advantage of the new features. Many times, a company will upgrade their hardware and/or software but will not utilize the new features. Many of these features provide better protection and logs that will help you secure your environment. Microsoft will send updates out, and they can be automatically downloaded. If you are running Microsoft on any of your computers, make sure they are set up to do upgrades automatically. The same should be done for your anti-virus software. If you are not updating it, it cannot protect you against the new viruses, malware, or other kinds of attacks. Remember, the cyber attackers are continuously changing and improving the way they hack into your environment. Keeping your software up to date is one way to help prevent a breach.

Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)

An Intrusion Detection System (IDS) monitors traffic at the network or host (device) level. Network-based software (NIDS) is placed at strategic points within your network to monitor traffic to and from all the devices within your environment. All inbound and outbound traffic should be monitored. However, most companies do not monitor all traffic because it can slow down the network and impair the overall speed of the network. If you choose not to monitor all traffic, you must understand the risks you are exposing your environment to. Host-based Intrusion Detection Systems (HIDS) are deployed on the host servers and analyze data local to the machine to identify unusual behavior. A HIDS compares traffic patterns against a baseline.

IPS technology takes an additional step beyond monitoring that IDS does not. IPS will try to detect and stop a problem. For example, where an IDS may detect an invalid IP address that is trying to access your environment, an IPS will block it from gaining access to your environment. Another way to think of IPS is the way that your email blocks invalid emails by placing them in either a spam or junk folder. IPS often sits behind the firewall to provide a layer of analysis such as:

• Sending an alarm to an administrator
• Dropping malicious packets
• Blocking traffic from the source

IPS was originally built as a stand-alone solution, but now it is included in next-generation firewalls. The main difference to remember between IDS and IPS is that IDS monitors the network to detect inappropriate or incorrect activities, while IPS detects an intrusion or an attack and takes active steps to prevent it.

Log Management and Monitoring

Depending on the sophistication of the logs generated from each system, monitoring the logs to spot an attempted or successful attack could be relatively easy or difficult. You need to have a dedicated person monitoring these logs. This person must be trained to know what to look for to detect a breach or an attempted breach. If the person is untrained or not dedicated to monitoring the logs, a breach may occur and it will take you days, weeks, or sometimes years to detect it. In March of 2018, American Express informed their card holders that used American Express for online travel purchases that Orbitz had been breached. (Orbitz is the engine behind American Express online travel.) The breach occurred in January of 2017 and continued until 2018. This meant Orbitz had been breached for over 700 days before it was detected. Why does it take so long to detect a breach? There are many reasons, but most involve the company’s lack of systems in place to detect a breach. Determining what logs are being generated within your environment and which ones need to be monitored is a great step to help detect that an attack was attempted or has occurred. However, detecting the breach is only the first step. The person monitoring the logs must know what to do next. Who do they notify? You need to have the processes in place to isolate the breach, eradicate it from your environment, and recover to get back to business as usual.

5. INSTITUTE AN INCIDENT RESPONSE PLAN

Describing an Incident Response Plan could take an entire white paper. This section will give you an overview of what needs to be in your response plan and get you started down the right path. Creating and testing an Incident Response Plan should be done now, before you have been breached. During a breach is not the time to develop one. The six major components of a plan should include: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

Preparation

How prepared is your company to protect your data and detect if a breach has occurred? Firewalls, IDS, IPS, and log management are some of the ways to guard against cyber-attacks. Classifying your data and ensuring your backup policies align with the time needed to get your critical data back online are other key components to protecting your environment. If you haven’t done any of these yet, you need to start now. Not tomorrow or next quarter, but NOW! A lot of the preparation can be done in-house with your current staff. But you need to make sure they understand what their responsibilities are and what the overall objective of the plan is. They need to understand that it is okay to point out deficiencies and weaknesses in the current processes. If the team responsible for developing a response plan is afraid to identify problems in the current environment, nothing will change or be improved. A plan has little value if it is not put into action, tested, and continuously improved. This is not the time to have egos, departmental differences, or reluctance to change the status quo. This plan may be the difference between keeping your company’s credibility, minimizing the risk, losing some of your customers, or staying in business.

In your plan, you need to know who is in charge during the recovery process and who can and will make the final decision if and when needed. It is essential that the person in charge has been trained and has the support of senior management. During the recovery process this person must be able to make decisions quickly.

Identification

Hackers have become very skilled and know that they rarely get caught. Plus, they have become very efficient in developing their code. They know many of the vulnerabilities in current software, which makes it easier for them to attack and harder for you to identify and recognize what type of breach it is and where in your environment the breach has occurred. Identifying the type of breach will help you determine how you are going to eradicate it from your environment. Probably the easiest breach to identify is ransomware. If this has happened to someone in your company, they would have a message on their computer demanding a fee before the attackers would return your stolen data. However, many companies have found that even if they pay the ransom, the hackers still do not return the stolen data. An important part of the identification process should include identifying the following:

• The nature of the attack
• The extent of the attack
• What assets are infected?
• What data has been infected?
• Who has been infected: internal only, and/or customers, suppliers, and other third-party partners?
• What are the implications of the attack on your business?

What can be the cause of a large data breach? In 2017 the U.S. Department of Health and Human Services Office for Civil Rights (OCR) looked at the most common causes of data breaches that caused HIPAA compliance failures. This chart illustrates their findings. [Chart not reproduced in this extraction.]

Containment

Once you have discovered you have been breached, you must contain the affected section of your environment. It may be only one computer, or it could have spread throughout your entire environment. Once the breach is contained, you must begin the process to identify if any information was lost, stolen, and/or compromised. While you are determining the processes needed to remove the infection and restore your environment, you need to communicate to all the stakeholders and all entities that have been compromised. You need to have people with the necessary skills to contain the breach to be able to take the following steps.

• As soon as you identify the access point, disable all lines of connection to prevent further access or spreading
• Identify any programs, files, or executables that have been installed from the breach

Eradication and Recovery

Once the breach has been contained, you must make sure it has been completely removed from your environment. Focus on removing and restoring the affected systems. Determine what has been affected and how many steps need to be taken to ensure the malicious content has been removed. If only one department’s data is infected, can you restore from the last backup? Or if the malicious content has spread company-wide, do you have to restore from the bare metal up?

Start your recovery with the following steps:

• Run security patches and software updates for your operating system and applications. Many upgrades include security enhancements.
• Uninstall and reinstall affected files and programs. All files and programs that have been affected by the attack should be removed and reinstalled from clean backups.
• Initiate new login procedures for all affected parties. If you don’t have strong password procedures, develop them. Include upper- and lower-case letters, numbers, and symbols. Institute a policy that requires users to change their passwords on a regular basis as well as using two-step authentication, especially for sensitive and confidential information.

Make sure your Response Plan documents the processes and procedures needed to eradicate a breach from all levels of your environment and recover. How quickly and successfully your recovery goes will depend on how well you prepared before a breach occurs.

Lessons Learned

Testing your plan before a breach will expose weaknesses in your plan. This is the most important part of an Incident Response Plan and the part least performed. This will allow you to document what went right and what went wrong. Next, improve your plan with the changes that need to be made. Make sure the changes are documented. Don’t forget to test again. I know you are reading this and probably thinking to yourself this will take a lot of time and resources. And it may. But what is the cost to your company if you do have a data breach and recovery time is lengthy? Test, retest, and test again is your best line of defense against cyberattacks.

6. CREATE A BUSINESS RECOVERY PLAN

When companies think about a recovery plan, they think of it only from an IT perspective. This is a big mistake and could cost your company a lot of time, money, customers, and even worse, going out of business entirely. While your IT department is working to restore your information and get the company back online, you must continue to do business. This is where your business recovery plan is important and needs to be documented. The four major components of your business recovery plan are:

• Develop a recovery plan
• Communications
• Lessons learned and improvements
• Retest

Develop a Recovery Plan

The first task in developing a business recovery plan is to determine what processes and operations must continue while you are coming back online. If the average timeframe to recover from a data breach is 69 days, do you have a plan to continue to do business without some or all of your data over those 2 months? What is your staff doing during the recovery time? Do you have to lay people off, hire more, and/or have people work from home? Have you designated who is in charge of making decisions for the business during the outage? Have they been trained? Who is their backup? If you have determined what processes have to continue during the recovery, how is that happening? For example, if you currently receive most of your orders electronically and cannot do so because of the cyber breach, can you manually take the orders by phone, fax, email, or mail? Do you have to hire additional staff, or have you trained staff to do this job if a breach occurs? You may remember when several hospitals around the globe were breached. They stopped all surgery except for emergency surgery. What are your emergency processes that must continue while you are recovering from a cyber breach? Once the emergency processes are determined, the process for them to continue with or without access to their data must be documented.

Communications

As soon as you realize you have been breached, time is critical. You must notify all relevant stakeholders, authorities, partners, customers, and any and all entities compromised as quickly as possible. A crisis team is critical! If there is no communications team, the likelihood of confusion, errors, and the wrong message is a major risk. Designating the CEO as the spokesperson is a great idea because it indicates to the public the issue is taken seriously. However, make sure the message is well scripted, because the CEO may not have the technical expertise. Therefore, the CEO may not be able to explain the technical aspects of the recovery. Make sure the information in the first message is correct and accurate. The most important communication error to avoid is timing. Errors are made if communication is too early or too late. It is imperative that you know the required timeframe to comply with the law in your state and local regulations. Know what your Federal requirements are when reporting a data breach. During recovery is not the time to research what your Federal, state, and local requirements are; they should already be documented in your business recovery plan.
How are your customers going to reach you during your recovery? Do you have toll-free numbers set up that can handle the volume of calls you will receive if there is a breach? If you have customers that are trying to receive information and cannot get through to anyone at your company, it will only make the situation worse. Don’t forget your website. Do you have a message on your site explaining what happened and how you are responding and recovering from the breach? You need to make sure every means of communication to the public has the same message and information.

Monitoring news and social media as well as your call center is just as important. Social media reveals what customers are thinking and saying about your company. News media will tell you if the information was clear and understood or if more information is required to make sure the correct message is being received.

Lessons Learned and Improvements

Preventing a cyber security breach is not only the responsibility of IT; everyone in your company should be part of the solution. Build a crisis team which includes team leaders from each department. They need to be responsible for communication internally and externally. They are also responsible for documenting what went right and what needs to be improved in the recovery plan. Hindsight is 20/20, so use this to your advantage. Was the person that delivered the message the right one for the job? Were you too quick to get the message out? How well did you support your customers during the recovery? Was the first communication to the public accurate and ahead of any leaks? Were you able to conduct business during the recovery in the way you thought you could? Answering these questions and making improvements will make your recovery plan better and your recovery time shorter. And of course, don’t forget to retest again and again.

We live in a world where countries are paying people to purposefully attack US companies. They don’t care how big or small you are; they only care that they can breach your environment. The more prepared you are, the less damage and faster recovery you will have.

7. SECURE HOW YOU SHARE FILES

Ransomware, malware, Denial of Service (DoS) attacks, and viruses are constantly attacking your critical and confidential information. Insider threats continue to plague businesses. In the past, insider threats had been focused on disgruntled or terminated employees. However, based on studies done over the past two years, the incidents have been due mainly to careless staff. Employees have opened attachments with embedded malware and spread it throughout the enterprise, or responded to a legitimate-looking email and shared critical and/or confidential information. Depending on which research paper or news article you read, most will quote that 85% to 95% of all security breaches occur because an employee was phished. This means that somewhere in your company an employee clicked on an email attachment, an ad on social media, or a phishing email that allowed anything from a nuisance virus to ransomware into your company’s environment.

The main reason why insider threats are a top concern among cybersecurity experts is because it is a people issue, not a technological one. It is easy to bypass security when you have negligent employees. Your employees share your company’s information continuously all day, every day. Are you confident that they are not sharing critical and/or sensitive information publicly through email attachments, unsecured file sharing solutions, or other unsecure ways? You need to have an enforced policy that outlines how your employees share information internally and externally. Train your employees regularly on cyber security. Help them become “cyber security smart” to protect their personal information and your company’s information.

Not only do your employees share information all day, so do your applications. Your business applications are large investments, and most companies do not implement them to enable them to reach their full potential. To accomplish this, they need to be integrated with other applications, and more importantly, they need to be integrated with the applications of your customers, partners, suppliers, third-party providers, and government agencies. Each application needs to “interface” to and from each other accurately, timely, and securely.

The reality is that most enterprises experience a countless number of problems setting up and managing their application interfaces. Properly setting up and managing interfaces can be arduous and time consuming. When setting up interfaces that send information outside of your company, ports are opened in your firewall. Securing these openings is often skipped in order to get the communications completed to meet a deadline. No one goes back to complete the task of securing the opened port, thus leaving your company vulnerable to a breach. You will need staff to be trained with

… have given an outside company the right you share your sensitive, critical, or private information to an unknown third party.

File (or interface) transfers – Who controls how file/interface setups are done in your environment? If a new port is opened in your firewall, did they follow the procedure to ensure that port is secure? What type of protocol was used? FTP is often used to set up a file transfer because it is easy to do, yet it is the least secure and easiest to breach.

Backups – When was the last time you tested your backups? Does your backup schedule match your business needs? If you have completed a project to classify your data, has your backup schedule been reviewed and modified to reflect the needs of data classification? Also, where are your backups stored, who has access to them, and who is
the expertise in networking protocols, security
notified if a backup fails?
methodologies, and best practices for tracking
and troubleshooting all the connections you Paper – In this electronic world, paper is
need to support all your application interfaces. often forgotten. One of the most vulnerable
You also need to make sure someone is aspects of printing is the physical documents.
monitoring all your interfaces to ensure there Important, sensitive data is often printed
is no attempt to or successfully breach your and left somewhere unattended. Make sure
environment. all documents are shredded. But the paper
document is not the only vulnerability.
Another way to evaluate how you are sharing
Now printer security is about data in transit.
your information is to look out how can you
Protecting data in transit anywhere in your
prevent data loss? Data loss can happen by:
environment needs to be secured even data
• Email going to the printer as well as the actual printed
• Unsecured file sharing document.
• File (or interface) transfers
• Backups
• Paper
Email – Do you know what information your employees are sharing through attachments or in the body of their emails? Are they sharing critical or sensitive information, or violating compliance regulations?
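An added example, not code from the original white paper: a minimal outbound-mail check in Python that answers the question above by scanning the body and any text attachment of a message for card numbers (validated with the Luhn check so random digit strings are not flagged) and US Social Security numbers, and blocks the send when a recipient is outside the company domain. The message, the `example.com` domain, and the two patterns are constructed for the illustration; a production DLP gateway would cover more data types and decode more attachment formats.

```python
import email.utils
import re
from email.message import EmailMessage

# Constructed sample message, not a real capture: an employee sends a customer
# list to an outside address with a card number in the body and an SSN in the
# attached CSV. The second 16-digit string is a decoy that fails the Luhn check.
SAMPLE_MESSAGE = EmailMessage()
SAMPLE_MESSAGE["From"] = "alice@example.com"
SAMPLE_MESSAGE["To"] = "vendor@example.net"
SAMPLE_MESSAGE["Subject"] = "customer list"
SAMPLE_MESSAGE.set_content(
    "Hi, the card on file is 4111 1111 1111 1111, please process it.\n"
    "Reference number 1234 5678 9012 3456 is not a card.\n"
)
SAMPLE_MESSAGE.add_attachment(
    b"name,ssn\nBob Jones,123-45-6789\n",
    maintype="text", subtype="csv", filename="customers.csv",
)

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, spaces/dashes allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits):
    """Luhn check-digit test; weeds out most digit strings that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four characters so findings can be logged safely."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_message(msg):
    """Return (location, kind, masked_value) for each hit in the body or a text attachment."""
    findings = []
    for part in msg.walk():
        if part.is_multipart() or not part.get_content_type().startswith("text/"):
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", errors="replace")
        where = part.get_filename() or "body"
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append((where, "credit_card", mask(digits)))
        for m in SSN_RE.finditer(text):
            findings.append((where, "ssn", mask(m.group())))
    return findings


def should_block(msg, findings, internal_domain):
    """Block when regulated data is leaving the company domain; internal mail is only logged."""
    addrs = email.utils.getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    external = any(not addr.lower().endswith("@" + internal_domain) for _, addr in addrs)
    return external and bool(findings)


if __name__ == "__main__":
    hits = scan_message(SAMPLE_MESSAGE)
    for where, kind, value in hits:
        print(f"{where}: {kind} {value}")
    print("block" if should_block(SAMPLE_MESSAGE, hits, "example.com") else "allow")
```

The decoy line shows why the Luhn step matters: without it, every invoice or reference number with 16 digits becomes a false positive and users learn to ignore the tool.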
Unsecured file sharing – Are your employees using an insecure file sharing solution? Many in the marketplace today are not secure. Their terms and conditions state that they can share any information placed on their servers with other third parties. Your employees may have given an outside company the right to share your sensitive, critical, or private information with an unknown third party.

File (or interface) transfers – Who controls how file and interface transfers are set up in your environment? If a new port is opened in your firewall, was the procedure followed to ensure that port is secure? What protocol was used? FTP is often chosen because it is easy to set up, yet it sends credentials and file contents in the clear, making it the least secure option and the easiest to breach.

Backups – When was the last time you tested your backups? Does your backup schedule match your business needs? If you have completed a project to classify your data, has your backup schedule been reviewed and modified to reflect that classification? Also, where are your backups stored, who has access to them, and who is notified if a backup fails?

Paper – In this electronic world, paper is often forgotten. One of the most vulnerable aspects of printing is the physical document itself: important, sensitive data is often printed and left somewhere unattended. Make sure all documents are shredded. But the printed document is not the only vulnerability. Printer security is also about data in transit: data anywhere in your environment needs to be protected while it moves, including data on its way to the printer, as well as the printed document itself.
Summary

Cyber-attacks are happening all day, every day. Foreign governments are paying people to indiscriminately try to hack into US companies and government agencies. As a result, cumulative cybersecurity spending is on pace to eclipse the $1 trillion mark by 2021. In addition, the cost of a data breach per record continues to rise. In their 2018 Cost of a Data Breach Report, IBM and the Ponemon Institute found that healthcare data breach costs average $408 per record, the highest of any industry for the eighth straight year. The following chart illustrates the cost per record by industry. While the cost per record in the Consumer industry is $140, if 50,000 of your records were breached, the total cost would be $7,000,000.

If you have not started a cyber security project, now is the time to start. You don't need a large budget, and you can do a lot of the work with internal resources. The FBI has stated, "It is not if you will be breached, but when." The more prepared you are now, the better chance you have of surviving a breach.
Karen Puchalsky, Founder, President and CEO of Innovate E-Commerce, has led the Pittsburgh-based company through over twenty-one years of accomplishment and prestigious recognitions. Founded in 1997, Innovate E-Commerce is a global provider of supply chain managed services, secure communications gateway and secure file sharing enterprise solutions for small to medium businesses (SMB) and Fortune 1000 companies. Karen conducts monthly webinars on Cyber Security and has appeared on local radio and TV talking about Cyber Security.