Effective cybersecurity starts with seeing yourself as a target

You never think it’s going to happen to you, but then it does. We’re all vulnerable to cyberattacks. Even big companies spending hundreds of millions of dollars to protect their customers fall victim. And failing to consider why anyone would want to attack us makes us more vulnerable.

Whether against political institutions like the Democratic National Committee or the French President-elect Emmanuel Macron, or multinational businesses like Disney, Netflix, or Sony Pictures, cyberattacks have become a routine part of the news and our way of life.

The systematic online insecurity we’re learning to live with—at work and at home—is eroding our way of life. Our democracy, economy, health care systems, and seemingly frivolous daily communications are worthy of protection and in need of technological fortitude. And yet we often fail to imagine ourselves as targets and take adequate action when we can alter the outcome.

Think about the most obvious targets of credit card theft and fraud. Card issuers such as Visa, MasterCard, and American Express have advanced security controls. Attackers, often focused on the lowest-hanging fruit, are more likely to target smaller businesses, including hotels and fast-food restaurants, that may not know how best to apply their limited resources toward protecting sensitive data.

For most business challenges—from building an engineering team that scales, to growing a sales organization from $1 to $500 million—there are models for organization, growth, and measurement. Finding and implementing effective cybersecurity measures isn’t one of them. But there are steps we can take to protect ourselves. Here’s my best advice.

See yourself as a target. If you can’t imagine why someone would target you, you don’t appreciate your data assets (or those to which you’re connected), and you will fail to protect them properly. So do an audit of the information you have to protect, and use a red team to discover how someone might pursue those holdings.

Pre-empt phishing. People are always going to be the weakest links in a security system. The best education programs fail to cut down attack frequency rates and reduce attack success rates.

Despite what news headlines might lead you to believe, cyberattacks aren’t complex. They rarely use the dreaded zero-day exploits. Whether facilitated via email, Web, or network, phishing is the root cause of more than 95 percent of all data breaches, ransomware attacks, business email compromises, financial fraud, and even physical destruction. Humans as sensors will never be able to defeat phishing, but strong anti-phishing technology will.

Create a strong chain. A wave of recent attacks targeted suppliers and partners of larger companies. The Internet is a Web of connections, after all. If the little guy isn’t safe, neither are the big guys they support. Every part of the chain needs to be secure. Consumers and businesses need to work together to protect one another.

Effective cybersecurity requires imagination, focus, and action. The good news is that we can solve many cybersecurity problems, if we work well together.