Data breaches are becoming more commonplace, causing millions of dollars in damages for companies that have personally identifiable information (PII) hacked by cybercriminals.
“Think about all of the losses you can incur. Not only do you have to hire a security expert to find what happened, you may be assessed fines or penalties by the merchant’s acquiring bank or payment card brand. In addition, you could be responsible for credit card charges made by the criminals and lose business because no one trusts you anymore,” says William M. Goddard, CPCU, principal, Insurance Advisory Services at Brown Smith Wallace.
Smart Business spoke with Goddard and Lawrence J. Newell, CISA, CISM, QSA, CBRM, security and privacy manager, about protecting companies from cybercrime.
How do cybercriminals access networks?
One typical method is spear phishing. Unlike traditional phishing attempts, which are fraudulent emails sent at random claiming to be from a reputable organization like a bank or eBay, spear phishing emails are sent to targeted employees or customers of a company.
The email appears to be coming from the company and requests that the recipient click on a link, which then goes to a fraudulent website. They may ask for personal information or they may launch a virus they’ll use to get into your network.
If you click on the link, it launches a program in the background that goes onto your workstation and canvasses the network for other vulnerabilities. The program collects data, whether that’s credit card information or other PII, and uploads it to the cybercriminal.
How can you reduce cyberattack risk?
The first thing to do is develop an information security policy, document it and disseminate it throughout the organization.
Other protective measures are:
- Conduct an inventory of authorized devices on your network. Guests can come into your place of business with a laptop and leave a device on your network that goes undetected. That device could have Trojan horses or viruses that, when executed, plant a program on your network.
- List an inventory of software allowed to run on workstations or servers. That helps when looking for rogue programs or software installations.
- Install an anti-virus program to detect malware. Anti-virus protection also needs to be maintained and updated for the latest definitions.
- Run vulnerability and penetration tests on servers and networking equipment to make sure you don’t have unnecessary services running that could lead to a vulnerability and potential unauthorized access.
- Prevent data loss by running programs to detect outbound calls or connectivity to remote sites that are not authorized to receive data output.
- Create security awareness within your company to ensure that people who have access to information are not sharing anything that is confidential or private.
- Develop an incident response plan to react to a breach and quarantine activity before it spreads throughout the network.
Companies think they’re protected because they are compliant with some standard such as PCI, but that’s no guarantee their systems will not be compromised. Your security program needs to go beyond PCI and focus on more than credit card information. Cybercriminals go after the easiest target along with whatever PII is available that has value. For instance, not-for-profit organizations may have names, addresses and checks with banking information; all of that information is valuable to somebody. For similar reasons, credit cards are often targeted because they’re so widespread and it’s the easiest information to sell.
What can companies do to protect against losses if they are hacked?
A variety of insurance policies cover things like the cost of fines, notification that PII has been compromised, liability and business interruption. All cyber policies are slightly different, and you have to be careful to buy the right coverage.
Businesses are smart enough to buy fire insurance in case a building burns down. Cyberattacks can be just as damaging, depending upon what happens and what information has been compromised.
William M. Goddard, CPCU, is principal, Insurance Advisory Services, at Brown Smith Wallace. Reach him at (314) 983-1253 or firstname.lastname@example.org.
Lawrence J. Newell, CISA, CISM, QSA, CBRM, is manager, Risk Advisory Services, at Brown Smith Wallace. Reach him at (314) 983-1218 or email@example.com.
Brown Smith Wallace can help you with cybersecurity. Visit them here to learn more.
Insights Accounting is brought to you by Brown Smith Wallace
For two hours, Tom Reilly sat with Secretary Janet Napolitano, head of the Department of Homeland Security, to discuss the importance of cyber security and how to protect citizens from cyber attack. Today, the threat of cyber attack is an issue that affects more than just big business and government entities, but everyone.
“You read every week about another breach in the industry, whether it’s enemy nation states attacking our power grid, it’s a bank undergoing cyber fraud, credit cards getting stolen or identities,” says Reilly, who is the former CEO of the $181.4 million security and compliance solutions company ArcSight LLC, which was acquired by technology giant HP in 2010. “It’s happening. Clearly the traditional approach to solving security has not worked.”
In light of more high-profile security breaches at companies such as Google and Sony, it is also a problem for which new solutions are plainly needed.
“I talk to a lot of customers who have been investing in security technology for 20 years, spending a lot of money, and yet they still don’t feel secure,” Reilly says.
With technology advancing and changing exponentially, it’s important for companies of all sizes to reevaluate the security measures that they are using to protect their most valuable information, data and possessions.
“What’s interesting is cyber criminals do not distinguish between company sizes,” Reilly says. “They don’t distinguish between industry and they don’t distinguish between countries or public and private sector. They go after the softest target.”
Smart Business spoke with Reilly about how the security landscape is changing for the next decade and what business leaders can do to defend their companies from imminent cyber threats.
For companies that don’t have a risk management strategy, what is the first step in creating one?
I think the first thing is to know, based on your business, what is critical to protect. So if you are a healthcare provider, it’s patient records. If you are utility, it’s keeping up the power grid or protecting customer records. If you are a bank, it’s definitely protecting accounts from account takeover. So you need to identify what is critical to your business that you need to protect. Don’t take just a generic position ? let’s protect everything equally. Protect your crown jewels. Understand where that data, those systems reside and make sure that that data or those systems are well-protected, much more than the rest of your organization needs to be protected.
Which industries are at high risk for cyber crime?
The opportunity in cyber security is a global opportunity, affects companies that are small right up to the largest and it touches many verticals. In every vertical, I can tell you what it is that they want to protect, whether it be intellectual property, it could be financials, it could be customer data, it could be health records or it could be services like the power grids that have to keep power up and phone companies that want to keep phones working.
What are biggest cyber threats?
The most serious risk and the one that can have the most significant impact is one that is called ‘the insider threat.’ And the insider threat is not an attack from outside but it’s an employee in your organization who for one reason or another is a disgruntled employee. Yet you’ve trusted that employee with access to systems and sensitive data. The employee could be disgruntled because they are a poor performer and then they get fired. They could be compromised because somebody is bribing them externally for data, which we come across a lot. Or they could be getting blackmailed, which is also quite common. The insider threat is not only that they have access to the most sensitive information and they can do the most damage, but they are the hardest to detect.
The second area is the theft of intellectual property, and a lot of this is sponsored by enemy nation states who are trying to access intellectual property within companies that have leadership. By stealing intellectual property, you can gain a competitive advantage effectively. Intellectual property could be the designs of a new electric vehicle. It could be the designs of a new plant that’s being built. It could be the spreadsheets that rationalize a bid for a big mining project.
What can companies do to prepare employees for cyber risks?
Continual education is always needed. The reason it’s continual education is cyber criminals are always evolving. They are always introducing new techniques and new capabilities, and they are very, very patient. So they may take six months to a year targeting a specific company to penetrate that company’s network, to get code on there and to have basically sweeper agents that are monitoring what’s happening within a company.
When you start understanding some of these sophisticated things, you suddenly realize that you have to have continual training around what our security policies are, how you provision people to access systems, how you de-provision people when they leave the business. You have to have good rigor in enforcing those policies. You are only as secure as your weakest link. Unfortunately, now the weakest link is not technologies or computers, it’s employees often making inadvertent mistakes and bringing in malicious code into the environment.
How do risk management tools identify cyber security threats differently for businesses than other approaches?
It allows them to measure the amount of risk that they are taking or that they have in their IT environment. And once you can measure risk, you can invest money wisely to reduce or mitigate risk. So we’re changing the discussion from ‘Are you secure?’ to ‘What’s your risk posture?’ You can now look to a chief security officer and say, ‘What’s your risk posture? What’s your risk policy?’ and they can answer that concretely rather than ‘Are you secure?’ which is usually a yes or no. So risk deals with the gray.
What about security intelligence?
One of the assumptions you have to make to really effectively use security intelligence tools is you have to assume that you have been breached and that your network has malicious code or malicious users on it. Your job is to go discover them.
So if you assume that your perimeter has been breached and that either you have a malicious user inside or you have malicious code on your network and you say now I have to go find it, then that’s how you use security intelligence tools. You start listening and monitoring network activity. You start modeling how users use the system for the normal course of business, so that when anomalous use is occurring, it stands out.
How to reach: HP Enteprise Security, (888) 415-2778 or www.hpenterprisesecurity.com