February 17, 2017
While today’s cyber threats have seemingly innocuous names – Poodle, Heartbleed or other – the threats can cost companies millions, no matter how big or small. Ransomware, hacking, phishing, worms, distributed denial-of-service (DDoS), and malware are just a few of the many ways that criminals can access precious information that can literally destroy a company – or come close to it.
The stakes to a company’s bottom line — and reputation — are enormous. Consider the stock dive after Yahoo announced that a billion of its email accounts were compromised, something which put at peril it’s potential sale to Verizon for $4.8 billion.
Whether the threat comes from a plain old cybercriminal, a competitor, a hacktivist with a political ax to grind, or a disgruntled employee, the statistics are staggering: In 2015, top British insurance company Lloyd’s of London estimated that cyber attacks cost companies $400 billion per year. (http://bit.ly/2iEvE57). By 2019, the cost of data breaches will be over $2 trillion globally, according to a study published by Juniper Research (http://bit.ly/2ja0eqf).
The threats are across the board – and can wipe out small and medium-sized companies too, simply because they often do not possess the resources to hire a full-time CTO or other IT support to monitor security adequately. As the threats grow, it is critical that each company design and implement a security policy that offers multi-layered access protection.
I spend a great deal of time thinking about these issues, and below are a few of my thoughts on how senior leadership should be thinking about security within their companies:
Security is Holistic:
Remember when computers were “stand alone” objects in an office? Not so long ago, companies had to worry about someone stealing their computer and taking all their records. How quickly the world has changed. Things were quite different ten, or even five years ago. As the world has become increasingly digitized, the risks are unprecedented and come from everywhere – and anywhere. Now, criminals can access a myriad of “resources” from a knowledge perspective.
Every piece of information that flows through a device – desktop computers, mobile devices, tablets, laptops, connected devices aka the Internet of Things (IoT) – all of these are points of exposure.
Our access and presence online expose businesses, customers and clients to additional risks: every piece of information that is online becomes an asset that can be hacked, taken advantage of, and compromised for malicious intent.
Employees are the First Line of Security
Executives do not realize the number one threat to their company’s security is social engineering, which refers to the psychological manipulation of users who unknowingly divulge confidential information. Cyber criminals use tricks to gain the confidence of company employees and partners. The goal is usually to execute a larger, more complex, fraudulent transaction.
The problem is not the use or lack of security tools and technology, but employees who are unknowingly the objects of security threats. The latest trick employed by criminals is to emulate executives within a company in a trusted environment. For example, an employee receives a legitimate looking email from the CEO or CFO, instructing them to wire money. Before, employees used to be able to tell if the email was real, but today, hackers are sophisticated, and in fact, employees are often duped.
Employee awareness is key. Companies may spend tens of millions of dollars to secure their systems, but employees must be trained and educated on the risks. Systems of verification must be put in place, which include stopgap measures and policies to limit the damage caused by security breaches. For example, the general rule is that if an email is received to wire money, there are policies and procedures in place to do so, and a financial limit to these transactions.
In addition to employee awareness, other measures include password management, monitoring services, lock downs when it appears there are data breaches, minimum permission sets, and more. An incident response plan is critical: if the company is hacked, which staff handles it, and what procedures are instantly implemented internally and externally?
Key tip: One method to ensure employee awareness is to regularly hire a security firm to conduct a red team engagement in the company to see how deeply they can penetrate the system. The red team experiments and exposes weaknesses in employee awareness early and often.
Right Sizing is Key
One might argue that security breaches are “right sized” – in other words, intruders will put in enough effort if the “rewards” are high enough. A burglar breaking into a house will not put much effort into robbing the house if all there is to steal is an old TV and costume jewelry. Another example would be using a club to lock a steering wheel on an old car; this might be enough to deter some car thieves, but not enough if it is a Ferrari.
The key to ensuring safekeeping of your digital assets is to make sure that you protect them like a house and all their parts: the house’s architecture, as well as the tenants and possessions inside.
A right-sized solution begins with a security audit, which will help a senior management team to understand a company’s blind spots. Ideally, the audit will be honed and focused, and the auditor must understand the business they are examining. A reputable security consulting firm will help each company understand its unique risks. A few key questions: is your company PCI (Payment Card Industry), or in the case of health care companies, HIPAA (Health Insurance Portability and Accountability Act) compliant? Alternatively, is there a standard which can be voluntarily adopted as a differentiator?
Companies that are not compliant face a greater risk of a security breach, but more importantly face potential lawsuits from consumers and fines from banks if the thieves have charged merchandise or other with stolen credit card numbers. Cleaning up the mess – remediation costs – adds to the bill. Lost revenue and a damaged reputation add to the long-term costs.
One question that I constantly have: Why aren’t organizations doing a better job of protecting their assets? There is no greater risk a company faces than getting hacked. Companies simply are not aware of the tremendous threats and costs, or perhaps they, ironically, have a false sense of security. Entire companies and businesses are on the line.
7:24pm by JanetB