- Real Estate
- Food & Drink
Oct. 22, 2018
This paid piece is sponsored by Eide Bailly LLP.
By Eric Pulse, Eide Bailly director risk advisory, CISA, CISM, CRISC, GSEC, CFSA
“No, not me,” you say. “I don’t have any reason to be concerned about cyber risks. That happens only to big corporations in large metropolitan areas.”
The truth is hackers know no bounds, have no “minimums” and target business large and small. And cyber thieves are at work right here in our back yard. We frequently receive calls from Sioux Falls organizations who have discovered breaches — from the employee who unwittingly sent sensitive data to a spoofed address to the employee who responded to a crafty phishing scam — and are frantically trying to assess the damage. These innocent mistakes can put your company’s survival on the line.
October is Cybersecurity Awareness Month. So we thought this would be an appropriate time to share our white paper “The Fundamental 5 Ways to Reduce Cyber Risk by 70 percent.” Read on.
There are some very important executive decisions that drive good cybersecurity hygiene in well-run, well-protected companies.
It is not to say that well-run companies do not get breached, but all indicators lead to the conclusion that if certain things are done from the top down, the effects and cost of defending your company against data breaches and recovering from a breach can be reduced substantially.
Survivability of the company is at stake. Could you survive having all operations shut down, fearful customers, unknowns that may never be known and millions of dollars of profits spent on operating without incoming revenue? It is a reality and directly related to leadership, execution and sustainability of key cybersecurity practices and controls.
It is the executive function to ensure these practices are achieved sufficiently to ensure the survival and profitability of the company. This white paper lays out the “Fundamental 5” ways executives can dispatch this duty and potentially reduce those risks by up to 70 percent.
If you’re thinking that just the “big companies” get hit by data breaches — you are in a word, WRONG.
If you think that, as a business leader, you are powerless — you are WRONG. In fact, if you are a C-level executive, 53 percent of the root causes of breaches are within your control.
According to the authoritative IBM-sponsored 2017 Ponemon Institute’s Cost of Breach Report:
The Ponemon study also reports that the average number of records in a U.S. breach is 25,802 and the cost of remedy in the U.S. for each of them averages $225 per data record. That calculates to over $5.8 million from your bottom line “not if, but when” your company is breached.
Many corporate leaders outside the IT group have incomplete information, not only about what is actually happening with cybersecurity controls, including the allied programs and related projects. It is not to say that there have not been briefings, reports and information. But sometimes the acronyms and bits and bytes get overwhelming or even seem irrelevant. Because new data breaches are happening daily and being reported on in the media, two things tend to happen. First, you may become desensitized and begin to not listen closely. Or, conversely, you could become hyper-focused on a new threat category such as a new offending malware. Neither one of those reactions really accomplishes the best outcomes. So what to do?
Based on the 2018 Verizon Data Breach Investigation Report as well as some insights of over 15 years of cybersecurity hygiene interpretation, this white paper will give you a different view of what envelops this cyber hygiene view. In its 11th edition of the annual report, Verizon has actually done a fine job by inserting humor, satire, movie references and quips to make the reading more fun, but with all of the acronyms, graphs and phraseology, the bad news is still there, which can make it a daunting challenge to understand and get through.
“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
Robert Mueller, former director of the FBI: 2012 RSA Cyber Security Conference
Cyber hygiene is a reference to the steps individuals and companies can take to maintain system health and improve online security. Like personal hygiene, these practices should be made routine to ensure the safety of data that could be stolen or corrupted and to defend against common threats.
A very strong case should be made for a top-down cyber hygiene program, which if done correctly by following some best practices, companies can reduce up to 70 percent of cyber risk.
Based on your company, only you can know what the priorities for concern are for sure. Regarding the overall view of the cyber landscape, the Verizon report states: “Most of the data breaches are caused by outsiders, but surprisingly almost a third of them involved internal actors (employees or contractors). Organized criminal groups caused a stunning 50 percent of the breaches whereas nation-state (China, Russia, North Korea…) sponsored activity is lower in volume.”
Based on Verizon, Ponemon, the cyber world and the analysis of the facts, below are the “Fundamental 5” areas where executives should focus first to reduce the risk target that is on their company:
Having a complete view of the business plan and balancing priorities is clearly a C-suite responsibility. Determination of a security framework and governance process must be clearly thought out, planned out and worked out from the top for consistency’s sake and to align with the company’s true business risks. It is said that another name for the “bottom-up approach” is rebellion.
Determining, building and supporting a corporate culture takes time and effort. People follow clarity. That clarity comes from the top to establish a corporate culture. All industry reports show that a culture where everyone is responsible for information security, at whatever level, brings the highest rates of return.
It stands to reason that the faster a data breach is uncovered and contained, the less it will cost, but most organizations still have a lot to do in this area. If you use these “Foundational Five,” then you are as ready as can be expected. Ponemon found the average time to identify was 191 days last year, with an additional 66 days on average required to contain the breach. These times could be reduced if every organization would keep up to date with NIST’s Cybersecurity Framework and keep tighter control of its data.
Mostly done via email or phone but other means are used to retrieve information that can be used to capture and collate information, so reconnaissance can be done. Two types are called out and represent 98 percent of social incidents and 93 percent of breaches. Phishing is most commonly a precursor followed by another action by a perpetrator.
What you can do about social attacks:
As the Verizon DBIR reports, ransomware has overtaken all other malware to be the most prevalent variety of malicious code for this year’s dataset. Ransomware locks up or encrypts your data or systems, or both, so the perpetrator can exact a ransom amount for its safe return. The worst part about this menace is that it is:
What you can do about ransomware:
In the social attacks section above, awareness is a good start to getting your people to understand they have a responsibility to protect their identity and credentials. This addresses the “why and who.” Now complete their capabilities with a focus on the “what, where and when.”
Although the Verizon report does not have specific statistics, it does note, “As evidenced by the great number of ‘integrity’ issues in our caseload, many breaches continue to involve assets without basic antivirus protection installed” — hence the addition of “up to date.” Most new computers come with an antivirus package installed. However, when the year license runs out, many are not renewed or the updates get turned off because they “impact performance.”
The “Fundamental 5” areas to focus on first will help reduce risk overall. The challenge is that there is no solution or approach that can bring 100 percent security; however, the following are actions and policies that the IT team should implement:
Software patching and out-of-date equipment
This is another area of keeping “up to date.” Because of the rapid evolution of hardware and software, capability obsolescence and going out of manufacturer’s support can be, and often is, deadly to your data. If you are running a computer on the Microsoft XP operating system, you are putting out a sign “Come Steal from Me” on the Internet. It is happening every day around the world.
This is the realization that in today’s world passwords are highly ineffectual for most people. IT staff or “privileged users” — those who routinely access data that is classified as something other than standard or public use — have a real requirement to move into two-factor or multifactor authentication. It requires a higher standard of proof that the person entering the system really is who they say they are.
By having laptops, desktops, smart devices and printers connecting directly to the servers that provide the data to them, you’re giving attackers the direct shot they’re looking for. Dividing a network into subnetworks is smart for several reasons:
Device and data security
As stated above, there are certain, and not always costly, things you can do to significantly reduce your risk profile, as well as the craziness and costs in the event of a breach of your data.
We all should embrace the fact that the number of breaches in the world will increase every year, thus making the probability of your company being victimized an increasing possibility. Reducing the impact, cost and even the chance of overall business failure is in your hands. Embracing a corporate culture that data privacy and security is everyone’s responsibility and key core values as mentioned above is critical to success.
Having an incident recovery plan as directed by the C-suite is a defining step to reduce cost and effect of a breach.
Your incident response manager will guide you through the incident and ensure that all steps necessary to reduce risk of litigation are taken. The point of forensics is to spend the time investigating the technical aspects of the breach to identify how the breach occurred and what actually happened as a result of the breach. How did they get in? What systems did they access? Did they exfiltrate any data? How do we clean this up? Answers to these questions will then be passed to the incident response manager to work with C-level executives, the attorney and other team members to make further decisions. Ultimately, the goal is to find out if the breach requires notifications and what needs to be done to mitigate further risk.
The Ponemon report showed that if a company has an incident response plan and it includes an incident response team already designated, it can reduce the cost of a breach by up to $19 per record. So that calculates with the average number of records in a U.S. breach being 25,802 to $490,238. That’s a good motivation to be prepared for “not if, but when.”
Looking for additional information on cybersecurity? We know you’re busy, so our collection of cybersecurity articles have you, the executive, in mind.
Could you survive having all operations shut down, fearful customers, unknowns that may never be known and millions of dollars of profits spent on operating without incoming revenue? That’s what can happen when your business is the victim of a cyberattack.