Bill Ross is the founder of Vercerta, a risk-management consulting practice.
Cybersecurity intrusions and breaches happen to all kinds of organizations and no one is impenetrable. Equifax had data on 143 million clients stolen last year. Even the U.S. Internal Revenue Service admitted that 700,000 social security numbers and other information may have been stolen in 2015.
Canada is not immune. Last year, WestJet suffered a security breach involving its rewards program members.
Usually, breaches go unreported. According to a 2017 study by the Ponemon Institute – which conducts independent research on privacy, data protection and information security policy – the average cost of an intrusion today is US$3.62-million and the average time to resolve the damage of a malicious attack is 55 days. The question is how to protect against an attack. Clearly, there is a balance between accepted risk and the cost of doing business.
Cyberattacks exploit weaknesses in an organization’s systems. The most common weaknesses are:
- Software vulnerabilities owing to poor coding. Witness Microsoft’s patch to deal with file sharing: The malware called WannaCry affected users who did not carry out a Microsoft update in 2017;
- Hardware vulnerabilities caused by computer memory and buffers being under stress, resulting in reduced data protection. This can happen in the normal course of operating a system or it can be induced by an attacker who overworks the central processing unit;
- Lax security practices.
There are different types of attackers. Some just do it for fun with no particular objective in mind. So-called “White Hats” perform intrusion tests in order to highlight weaknesses, while “Black Hats” are bad guys seeking profit or commercial advantage. Finally, “Organized Hackers” are the most dangerous, because they possess sophisticated resources to help them perpetrate fraud.
What attackers usually seek are user names and passwords.
Potential attackers follow a user’s social-media sites to gain insights into their personal profile, and lots of information is available. Pet names, product preferences and lifestyle behaviours can help intruders get answers to security questions.
How do you crack a password? It can be done with specialized software. Another method is by listening to unencrypted data transmission in unsecured networks (such as airports or coffee shops).
Disguising oneself as a trusted visitor, such as a network printer, can be a successful gateway into a network. So, how does an organization protect itself?
Start by fostering a culture of cybersecurity. This means employees should be well-educated about safety practices and should encourage one another to follow such practices.
Having secure passwords is paramount to security, and passwords are the easiest way for attackers to get in. The problem is we are human and have a limited capacity to recall passwords, and people can have several passwords.
The solution is to use a password vault, such as LastPass, which will generate a distinct password for each site that requires one and it will store that distinct password in a secure vault. All the user needs is one strong password to let them enter the vault.
Another good idea is having several e-mail addresses. That may be daunting, but separate e-mail addresses for work, home and banking will help you recover lost information.
Many security providers offer innovative solutions to help organizations enhance their security. The trick is to determine the delicate balance between what it costs to operate a business and how much to spend on data protection.
Always evaluate the security technologies available and determine which one provides the most value to your cybersecurity defence. For any organization, big or small, creating a strong cybersecurity foundation requires investing in the basics, such as security intelligence. This means having a program that lets you continuously learn about new methods of attacker intrusion.
The final defence is really an audit, or “risk assessment,” to test the organization’s system. It involves extreme pressure testing on all entry points to the system (i.e., performing tests to ensure that all attacks are blocked).
It is never enough to only test compliance with the organization’s policies. That sort of thing has a beginning and an end, and after the test the powers that be might think everything is hunky-dory. Big mistake. Indeed, this is where attackers thrive.
Testing must be a dynamic and continuous process to identify vulnerabilities so you can outwit and outpace the attackers. In other words, make it part of the culture, or one day pay the piper.
We’ve launched a new weekly Careers newsletter. Sign up today.