We’ve focused on cybersecurity a great deal over the past few years, and there’s a good reason for that — namely, that cybercriminals have spent a great deal of energy in trying to circumvent it.
That’s because the rewards for moving stolen information are so lucrative and the opportunities are so plentiful. In 2019, the global cost of data breaches is expected to exceed $2 trillion.
The era of specialization and outsourcing creates many, many opportunities for bad actors to gain access to sensitive information, according to Antonina McAvoy, cyber and control risk services manager at PBMares in Norfolk and the presenter in the VSCPA E-Summit session “A Cybersecurity Perspective.”
“A lot of companies are outsourcing to other companies, and those companies are outsourcing, too,” she said. “Who are their suppliers? Do they outsource to another company?
“At the end of the day, even though your data’s being outsourced to another vendor, it’s still your data. You’re only as strong as your weakest link. Once you’ve moved your data outside your environment, it’s still your data to protect. Even if you have strong controls in place, the vendor may not have that same strong network in place.”
McAvoy focused on the Target breach from 2013, when hackers got access to 40 million debit and credit card numbers and cost the company upwards of $300 million. One reason the number was so high was that Target didn’t segment its network properly, allowing the hackers to access multiple areas on the network from one point of entry.
Segmentation is just part of a data security plan that necessitates a clear-eyed look at where your most important data is housed. With that accomplished, organizations can put controls in that limit vendors only to the data they need to perform their function.
“Once you’ve identified where data lives and how critical it is to the organization, you can determine what vendors have access within your system,” McAvoy said. “By implementing reviews over critical or high-risk vendors, you can segment their network access and make sure they have appropriate access based on their job responsibilities.”
Negligent employees or contractors caused the highest percentage of cyber attacks in 2017, according to a Ponemon report, followed by third-party mistakes, errors in systems or operating processes and external (hacker) attacks. Employee negligence increased more than any other factor, largely because it’s more effective than ever to cast a wide net.
“In the old days, hackers would target individual companies. Now, with ransomware being deployed, they can mass attack people,” McAvoy said. “They can use botnets to do spear phishing campaigns. They’re taking emails that are going out and copying the formatting so that it looks like an email that customers are used to, so they’re more likely to trust the email and the sender.”
Further supporting that notion is that phishing and social engineering were the most common types of cyber attacks in 2017, according to the same report. Phishing and compromised/stolen devices saw the largest increase in prominence.
Organizations should train employees to hover over the sender’s name in an email before opening it, which reveals the actual email address behind the display name. If you use Outlook, the preview pane is also helpful here, as it blocks pictures and scripts in the message. (Those are only activated when the email is opened outside the preview pane.)
Customer records were by far the most at-risk data in 2017 cyber attacks, followed by intellectual property. The number of records exposed in the average data breach doubled since 2016, going from 5,000 to 10,000.
The average breach costs its company approximately $1.2 million in damage and the same amount in disruption to normal business operations. Even more frightening: 60 percent of companies victimized by cyber attacks go out of business within six months. That’s why it’s so important to know what you need to protect and how best to protect it — your “crown jewels,” as McAvoy puts it.
It’s also important to identify your biggest threats, and the largest, most pervasive threat to your organization’s data security is people — your employees and contractors with access to sensitive data.
“Most of us don’t wake up in the morning and decide we’re going to cause significant financial and reputational harm to our employer through a data breach,” McAvoy said. “What’s more likely is that an employee who is on four hours of sleep or just had to pick up their kids and feed them and get them ready for bed comes in the next day distracted from other things going on, and they click on a link or respond to a phishing email. That’s where making sure you’ve trained your employees to be vigilant about threats is critical.”
Other vulnerabilities include ineffective access management, unsecured communications, poor coding and configuration practices, and poor security training and awareness. Your organization’s roadmap to minimizing threats is made up of the answers to the following questions:
- What assets are you trying (or required) to protect?
- What processes do you, should you, or are you required to follow?
- Where are you doing business?
- Where is your data held, stored, transmitted or processed?
A robust plan has two pieces: business continuity and disaster recovery. The former is a plan for continued operation during an attack, including which functions should be prioritized. The latter is a plan for getting all systems back online after the attack.
And your plan needs to be a living document. Keeping your cybersecurity program up to date is the best way to make sure it’s still relevant, and having a written plan in place will help your organization get back up to speed more quickly.
“One common mistake that companies have is that they fail to really plan long-term. They update the program every couple of years instead of, at a minimum, once a year,” McAvoy said. “It’s important, as technology continues to advance, that the security awareness program is updated on at least an annual basis so employees and contractors have the most recent information.”
User education is the first step toward minimizing the risk that your own employees represent. That includes training and strong policies regarding passwords, anti-phishing training, information about social engineering, physical access, data handling and more. That’s even more important if any of your employees work remotely.
Controls on removable media are also vitally important, as flash drives and similar devices provide a vector for the loss of sensitive information and the introduction of malware. Organizations should limit the use of removable media, scan all media for malware, formally issue acceptable media to users, encrypt information held on media and manage its reuse and disposal.
User privileges are another key element. They should be provisioned on the principle of least privilege, which requires that every module in a computing environment, be that a user, a program or a process, must be able to access only the information and resources that are necessary for its legitimate purpose. Access should be disabled or deleted within one to three business days of a user leaving the organization, and administrators’ access should be reviewed by a disinterested third party within the organization.
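The two checks in the paragraph above (leaver accounts disabled within a few business days, and administrator access reviewed by someone outside the admin team) are easy to automate. The following Python script is an added example, not code from the VSCPA article or from McAvoy’s presentation; it cross-checks a constructed HR leaver feed against a constructed directory export, flags accounts still enabled past a configurable business-day deadline, and lists every enabled account holding an administrative group for independent review. The field names, group names and dates are assumptions chosen for illustration.

```python
"""Offboarding and privilege audit over a constructed directory export.

Added example (not from the VSCPA article or McAvoy's presentation):
cross-checks an HR leaver list against a user directory export and
flags accounts still enabled more than a configurable number of
business days after the person left, plus every enabled account that
holds an administrative role so a reviewer outside the admin team can
confirm it. Field names and sample records are assumptions.
"""
from datetime import date, timedelta

# Constructed sample data: an HR feed of departure dates and a directory
# export taken on the audit date. Names, groups and dates are made up.
HR_LEAVERS = {
    "jdoe": date(2024, 3, 1),    # Friday
    "asmith": date(2024, 3, 4),  # Monday
    "bwong": date(2024, 3, 6),   # Wednesday
}

DIRECTORY_EXPORT = [
    {"user": "jdoe",   "enabled": True,  "groups": ["finance", "domain-admins"]},
    {"user": "asmith", "enabled": False, "groups": ["sales"]},
    {"user": "bwong",  "enabled": True,  "groups": ["engineering"]},
    {"user": "cwhite", "enabled": True,  "groups": ["it-helpdesk", "domain-admins"]},
]

# Assumed group naming; adjust to whatever your directory uses.
ADMIN_GROUPS = {"domain-admins"}


def business_days_between(start: date, end: date) -> int:
    """Count Monday-to-Friday days after `start` up to and including `end`.
    Weekends are skipped; public holidays are deliberately not modelled."""
    if end <= start:
        return 0
    days = 0
    current = start
    while current < end:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0 = Monday ... 4 = Friday
            days += 1
    return days


def overdue_leaver_accounts(audit_date: date, max_business_days: int = 3) -> list:
    """Return usernames of leavers whose account is still enabled more than
    `max_business_days` business days after their departure date."""
    overdue = []
    for entry in DIRECTORY_EXPORT:
        left = HR_LEAVERS.get(entry["user"])
        if left is None or not entry["enabled"]:
            continue  # not a leaver, or already disabled
        if business_days_between(left, audit_date) > max_business_days:
            overdue.append(entry["user"])
    return sorted(overdue)


def admin_accounts_for_review() -> list:
    """Return every enabled account holding an administrative group, for
    review by someone who does not administer the system themselves."""
    return sorted(
        e["user"] for e in DIRECTORY_EXPORT
        if e["enabled"] and ADMIN_GROUPS.intersection(e["groups"])
    )


if __name__ == "__main__":
    today = date(2024, 3, 8)  # constructed audit date (a Friday)
    print("Overdue leaver accounts:", overdue_leaver_accounts(today))
    print("Admin accounts to review:", admin_accounts_for_review())
```

In a real deployment the two constructed dictionaries would be replaced by the HR system’s leaver feed and a scheduled export from the directory, and the script would run daily so that a still-enabled leaver account surfaces on the first business day it breaches the deadline rather than at the next annual review.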
The final piece of the plan is cyber insurance. It’s important to do your due diligence in figuring out the coverage your organization needs.
“Different kinds of coverage can include breach notifications, breach expense, data restoration,” McAvoy said. “Those are all important. And it’s important not just to have the right kind of insurance, but to consider if you’re being negligent or doing your due diligence. If you’re not, there’s no way to know whether you’ll be reimbursed once a breach does occur.”