TAKING ACTION BEFORE CYBERATTACKS HAPPEN.

Cyberattacks are pervasive, on the rise, and can devastate a business. 

“When it comes to cybersecurity, good enough is no longer good enough,” says Clarence Foster, Business Information Security Officer with T-Mobile for Business.

If the drumbeat of alerts, advisories, and news reports of data breaches has taught us anything, it’s that businesses large and small must be proactive in their approach to security. “It’s imperative that organizations evolve and grow as threats become more frequent and more sophisticated,” says Foster.

Clarence Foster, Business Information Security Officer, T-Mobile for Business

As a company, we’re dedicated to ensuring we meet or exceed cybersecurity standards and best practices. We’ve deployed state-of-the-art cybersecurity technologies, strengthened policies, and implemented around-the-clock monitoring and response operations. 

We’ve also beefed up our security staff, doubling the size of our application security team in 2022 and then doubling it again in 2023. And we have also doubled the size of our vulnerability management team. We’ve learned as a company that there’s no shying away from the challenge when it comes to cybersecurity.

An account takeover, or ATO, is when an outsider gains unauthorized access to an employee’s online account. ATOs are one of the most challenging risks confronting businesses today. ATO attacks are on the rise, according to a recent Sift report, by an alarming 354% in the second quarter of 2023, compared to the same period a year earlier. That followed a 169% jump in 2022.

The financial losses associated with ATOs and other cyberattacks are growing. Globally, per a 2023 IBM report, the average data breach cost in 2023 was $4.45 million—15% more than just three years ago. What’s more, related costs such as identifying a breach and post-breach response are also on the rise. And the costs could be much higher or lower depending on the size of the company and the regulatory environment.

Stronger authentication procedures are essential to reducing the likelihood of an account takeover. This includes unique and long, complex passwords composed of a random mix of letters, numbers, and symbols that are routinely changed. Additionally, password managers can be used to help employees track and keep their passwords complex and compliant.

Multi-factor authentication—requiring two or more forms of digital verification for network access—is another technology that companies can implement.

Clarence Foster, Business Information Security Officer, T-Mobile for Business

Hard tokens are becoming a must-have for some organizations, including T-Mobile. Hard tokens are physical devices that continuously generate access codes that auto-expire after a short period. A hard token is more secure than sending a code over text or email, which can be compromised by malware, spoofing, or a network intercept.

Employee training and education can reinforce best practices and ensure everyone understands the importance of doing their part. Talk to employees about common attacks and the importance of digital security to your organization’s health and viability.

“People need to understand that everyone needs to be thinking about security,” Foster says, “and not just the company’s cybersecurity team.”

T-Mobile is moving beyond passwords. We have adopted using FIDO 2 keys—physical devices based on the Fast Identity Online 2 standards. With FIDO or other passkeys, there’s no password to remember or type in. Instead, the passkey takes advantage of public key cryptography, where a public “key” is stored on a website that is paired with a private key stored only on a user’s device.

“Weak passwords, stolen passwords, passwords repeated on work and personal accounts—all of those concerns go away when the user has a hard token,” explains Foster. FIDO 2 or any other passkey can thwart phishing attacks and its variants, as well as network attacks, because no passwords are transmitted. Passwordless authentication not only bolsters security but also increases productivity.

While authenticating users and their access helps prevent employee account takeovers, it’s also critical to have tools in place for detection and response. And it’s important to update those tools as today’s work environments and threat landscapes evolve.

Today’s workers may need access to a company’s network from home, an airport lounge, or a corner café. One way to protect a company’s employees from wherever they log on is with a Secure Access Service Edge, or SASE—pronounced “sassy"—solution.

SASE is a cloud-native architecture combining a single service's networking and security functions. A SASE solution ensures that only authorized users can access a company’s data. It provides users with the access they need regardless of where they are, adding visibility and control and simplifying user management. Among other benefits, SASE tracks malware that may enter a network so it can be contained and removed.

It’s also important to consider a robust threat intelligence program that aggressively monitors cyber threats. That includes advanced analytics and machine learning, which help identify unusual or suspicious activity.

Security Information and Event Management, or SIEM, and Security Orchestration, Automation, and Response, SOAR, are two additional components to consider as part of an enterprise cybersecurity strategy. A SIEM system uses advanced analytics and AI to analyze data from various sources, including user logs, alerts, and employee data, to attempt to identify potential threats and anomalies before they can do harm. SOAR employs a suite of technologies to automate certain threat prevention and response approaches.

We also hold “tabletop” exercises, where participants go through mock scenarios to work on incident responses, delineating roles and duties and improving our responses in the process. Doing this regularly keeps the team sharp and ensures that our playbooks reflect best practices and keep pace with a rapidly changing world.

We’ve also hired internal and external “red teams” to test our defenses and implemented an enhanced bug bounty program that gives cash rewards to security researchers who find and report vulnerabilities to us. Everyone has a role in ensuring these defensive measures are as effective as possible. Our entire company—from the board of directors and C-suite on down—recognizes security as a top priority.

What can a business do when, despite all precautions, a breach occurs? It’s important that you already know the answer to that question before anything happens. 

That requires having a real-time response plan set in place that anticipates different kinds of cyberattacks while limiting an attack’s “blast radius”—the potential impact that could be caused by a breach to a specific system or network—by isolating accounts and using a multi-account strategy with different access for different teams.

Our mantra is to protect, detect, and respond. Re-securing a network after a breach is a top priority. Preserving evidence for forensics analysis is another. Cybersecurity teams must glean everything they can from a breach and fortify defenses accordingly.

Few businesses have a 100% success rate avoiding cyberattacks. But organizations can recover and become stronger by making the most of an important learning moment.