How are you addressing cybersecurity in your company or organization? Tom Aune, MCSE, CISA, Senior Manager, Information Technology, and Joseph Tran, MCSE, Senior Network Administrator, offer their perspective on cybersecurity.
Q: Why is cybersecurity so important to companies and organizations?
A: There are a number of reasons, including disruption of operations, loss of reputation, and the potential for regulatory action and negligence claims.
The entire world, for the most part, is networked and connected to the internet, with a number of devices that can access the internet. Businesses rely on communication methods through email, instant messaging and web faxing in lieu of traditional faxing and using analog lines. However, businesses stand a high risk of being targeted by cybercriminals, who can commit crimes from across the globe from the comfort of their own bedroom, using a laptop and sophisticated software.
What this means for cybercriminals is that there’s less overhead in stealing company or personal data in exchange for some form of payment, typically Bitcoin, with less risk of being captured by authorities, whether on home soil or abroad. Cybercrime costs the U.S. economy over $100 billion. A recent study by Ponemon Institute, sponsored by IBM Security, found that the average cost of a data breach in 2017 is $3.62 million globally.
It is very important that businesses have well-defined and thoroughly tested security policies and procedures in place to not only secure themselves, but also be ready to respond in the wake of a data breach – stealing company data, trade secrets and intellectual property – or the sabotage of data: denial of service attacks and disabling of infrastructure. Although there are many types of policies and procedures, every organization should have the following:
- Security policies and procedures.
- Incident response policy and procedures.
- Business continuity plan.
- Disaster recovery plan.
Q: What are the three most important ways a business can proactively protect its information?
A: Companies can safeguard their data by investing in the following data security:
Data encryption. Prioritizing data encryption makes it very difficult for cybercriminals that have successfully breached a network to read the stolen data. Microsoft, for example, offers rights management services to protect all Office application files and emails, including many well-known non-Microsoft files. When encryption is applied to a file, an authorized user, whether within the organization or outside, can only open the encrypted files from across different devices, such as PCs, phones and tablets. If an authorized user were ever to leave a company, then the security would be revoked, even if the user kept a copy of the encrypted file on his or her personal thumb drive. Encryption of data can be provided on-premises, requiring specialty servers, or by using a cloud-based service.
Disaster recovery plan. As networks expand globally, the chance of being struck by a data breach increases. Prevention plays an important role, but how an organization responds to the incident when a disaster strikes is equally important. As technology and cybercriminal methods evolve, a disaster recovery plan and incident response policy and procedures should be routinely updated and revised. There should be a response team that involves upper management, information technology, legal, human capital and forensic specialists. Another important element of the disaster recovery plan will involve recovery of uncompromised recent data backups.
Password policies. Having a password policy, and enforcement of a complex password consisting of a minimum of 10 characters that includes mixed-case lettering, numbers and symbols, and two-factor authentication, can reduce a cybercriminal’s chances of infiltration. Most hacking methods occur on the perimeter by guessing at a user’s email password before making their way to finding out an organization’s server and firewall information.
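The password rules described above (minimum of 10 characters, mixed case, numbers, symbols, plus two-factor authentication), written out as a reusable policy check. This is an added example, not code from the interviewees; the definition of a "symbol" as a printable non-alphanumeric, non-whitespace character is an assumption, as is treating two-factor enrollment as a separate account-level check.

```python
import unicodedata

# Policy as stated in the interview: at least 10 characters with mixed-case
# letters, numbers and symbols. Two-factor authentication is an account-level
# control, so it is checked alongside the password rather than inside it.
MIN_LENGTH = 10


def password_violations(password: str) -> list[str]:
    """Return every rule the candidate password fails (empty list means compliant)."""
    # Normalise so visually identical Unicode forms are measured the same way.
    pw = unicodedata.normalize("NFC", password)
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        violations.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        violations.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        violations.append("no digit")
    # Assumption: a "symbol" is any printable character that is neither
    # alphanumeric nor whitespace, so a space on its own does not satisfy it.
    if not any(c.isprintable() and not c.isalnum() and not c.isspace() for c in pw):
        violations.append("no symbol")
    return violations


def account_meets_policy(password: str, two_factor_enrolled: bool) -> tuple[bool, list[str]]:
    """Combine the password rules with the two-factor requirement for one account."""
    problems = password_violations(password)
    if not two_factor_enrolled:
        problems.append("two-factor authentication not enrolled")
    return (not problems, problems)


# Constructed sample candidates used only to exercise the checker.
SAMPLES = [
    "Tr0ub4dor&3",        # compliant: 11 chars, every class present
    "Password1",          # too short and no symbol
    "CORRECTHORSE!9",     # no lowercase letter
    "correct horse 9!",   # no uppercase letter; the spaces do not count as symbols
]

if __name__ == "__main__":
    for candidate in SAMPLES:
        ok, problems = account_meets_policy(candidate, two_factor_enrolled=True)
        print(f"{candidate!r}: {'OK' if ok else ', '.join(problems)}")
```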
Q: How can firms better train their staff to prevent cybercrime?
A: The best line of defense against cybercrime is prevention. Every organization should have frequent education and training on the company’s policy handbook that emphasizes security. Being able to detect and report suspicious activities of the various types of phishing scams, common hacking tactics and social engineering should be the starting blocks of prevention against a data breach. At the information technology staff level, there should be expanded security policies and procedures that provide in-depth information regarding the security of the network infrastructure. Organizations should also have the latest versions of software and ensure patches are up to date, which will go a long way to further reduce vulnerability from a cyberattack.
Q: If a company’s system is compromised, what steps should the company take right away?
A: Properly monitoring hardware and software is a necessity to detect and thwart cyberattacks. However, with all the defensive technology and user awareness in place, mistakes happen and/or cybercriminals use new techniques of intrusion that have not yet been seen or discovered. Should a company’s system become compromised, procedures must be documented to where each process is audited and tested often, either quarterly or annually.
The steps to be taken in the event of a security/data breach should address the type of impact and/or disaster level, whether the breach was intentional or accidental, the systems compromised, and when to disable or change security access during a breach. Once a breach has been confirmed, the dissemination of data compromised and timely updates should be followed according to the organization’s policy, and, if applicable, the data breach laws of the respective state where the data breach occurred.
Q: Can you share any anecdotes about a real-life security breach that may surprise our readers?
A: Recently, a colleague told us a story about how a company was breached by having someone pose as a delivery person. The delivery person wore a uniform and was carrying several boxes. One of the employees offered to assist the delivery person with access to the suite. Once inside, the delivery person attached a device to an open port on the network at an open desk. The device was able to traverse the network, gather information and provide the fake delivery person with access to many devices on the network. Had this been a real breach, someone with hacking skills could have found an entry point and done some serious damage. Many lessons were learned with this exercise, but education is probably the most important lesson. Many mistakes were made to allow the delivery person access.
The same type of thing happens daily with social engineering. The bad guys are looking for ways to get in (physically or electronically), and they will use the kindness and naive nature of most people to their advantage.