Thursday, February 2, 2017
CyberSecurity—It’s a People Problem

Most companies have had a cyber hack—or if they haven’t yet, they soon will, according to a panel of experts at the January 31, 2017 European American Chamber of Commerce’s symposium on The Shifting Paradigm of Data Security. It’s not a question of if it will occur, but rather, when. And when it does, it’s expensive.  According to Stewart Rose, President of ThreatReady Resources, a Boston-based cyber security awareness training firm serving top corporations in the US, "The average cost a company incurs is $6.5 Million, including expenses associated with brand, reputation, and litigation."

We’re all too familiar with the more common ways hackers grab our data:  phishing, rogue emails, and links containing embedded malware or ransomware.  What we’re not prepared for is how hackers are using human behavior to penetrate security, pointing to the need to “think diabolically, just like hackers do,” says Philip Kibler, who was a Global Partner in IBM’s Cyber Security Practice and now heads Cyber Risk Consulting at AIG. For example, social media outlets, such as LinkedIn and Facebook, are easy entry points for hackers to obtain email addresses, and they’re learning how to bypass even the most sophisticated spam folders.

Cyber hackers are growing more savvy, often targeting third parties as a way to access company data.  Companies mistakenly assume their third-party business partners have strong controls, only to discover that's not the case, leaving them vulnerable.  Global regulations are still in flux (after all, the cyber industry is somewhat nascent—only 30 years old), making compliance challenging.

One trend gaining traction among hackers is going after acquisition targets. These companies may have lax defenses as they focus on getting the deal done and containing expenses, with employees scurrying to find new jobs, which can leave the organization exposed.

A solution that could help is for companies to have the equivalent of a cyber FICO score—with a defined road map outlining what must be done to improve it. It also helps to recognize that, most of the time, cyber hacks can be traced back to failure at the human level. “No router is malicious, but people can be foolish and careless when it comes to how they handle data,” says Joseph DeMarco, partner at DeVore & DeMarco LLP, a litigation and counseling boutique law firm dedicated to the protection of intellectual property, emerging e-commerce, and Internet law.

Vendors have culpability, too. According to one statistic, 30% of breaches in a major US government organization could be traced directly to the products it purchased to guard against vulnerability, shining a spotlight on the need to prove these products are secure before they're installed.

Most software companies issue patches to fix problems, but the problems they address are often the direct result of having discovered a vulnerability, tantamount to locking the barn after the proverbial horse is stolen. Instead, patching should be rigorous and diligent, driven by guarding against potential susceptibility, rather than by corporations' drive to save money and improve the bottom line.

There is no magic bullet to prevent a hack, but training employees how not to make silly mistakes can make a company less vulnerable. As Rose explains, most employees don’t sit at their desks planning how they can hack their companies’ data. But these same people may nonchalantly plug a thumb drive into a corporate computer’s USB port—a simple act that can have disastrous consequences. ThreatReady Resources employs instinctive, active learning techniques designed to change human behavior permanently.

And if your company does get hacked? “Your first call should be to your lawyer, so he or she can guide you on your legal rights and obligations as to the protection of your systems and sensitive data,” says DeMarco.