CyberSecurity—It’s a People Problem
Most companies have had a cyber hack—or if they haven’t yet, they soon will, according to a panel of experts at the January 31, 2017 European American Chamber of Commerce’s symposium on The Shifting Paradigm of Data Security. It’s not a question of if it will occur, but rather, when. And when it does, it’s expensive. According to Stewart Rose, President of ThreatReady Resources, a Boston-based cyber security awareness training firm serving top corporations in the US, "The average cost a company incurs is $6.5 Million, including expenses associated with brand, reputation, and litigation."
We’re all too familiar with the more common ways hackers grab our data: phishing, rogue emails, and links containing embedded malware or ransomware. What we’re not prepared for is how hackers are using human behavior to penetrate security, pointing to the need to “think diabolically, just like hackers do,” says Philip Kibler, who was a Global Partner in IBM’s Cyber Security Practice and now heads Cyber Risk Consulting at AIG. For example, social media outlets, such as LinkedIn and Facebook, are easy entry points for hackers to obtain email addresses, and they’re learning how to bypass even the most sophisticated spam folders.
Cyber hackers are growing more savvy, often targeting third parties as a way to access company data. Companies mistakenly assume their third-party business partners have strong controls, only to discover that's not the case, leaving them vulnerable. Global regulations are still in flux (after all, the cyber industry is somewhat nascent—only 30 years old), making compliance challenging.
One trend that is gaining hacker traction is acquisition targets. These companies may have lax defenses as they focus on getting the deal done and containing expenses, with employees scurrying to find new jobs, which can leave the organization exposed.
A solution that could help is for companies to have the equivalent of a cyber FICO score—with a defined road map outlining what must be done to improve it. Another is recognizing that, most of the time, cyber hacks can be traced back to failure at the human level. “No router is malicious, but people can be foolish and careless when it comes to how they handle data,” says Joseph DeMarco, partner at DeVore & DeMarco LLP, a litigation and counseling boutique law firm dedicated to the protection of intellectual property, emerging e-commerce, and Internet law.
Vendors have culpability, too. According to one statistic, 30% of breaches in a major US government organization could be traced directly to the products it purchased to guard against vulnerability, shining a spotlight on the need to prove these products are secure before they're installed.
Most software companies issue patches to fix problems, but the problems they address are often the direct result of having discovered a vulnerability, tantamount to locking the barn after the proverbial horse is stolen. Instead, patching should be rigorous and diligent, driven by guarding against potential susceptibility, rather than by corporations' drive to save money and improve the bottom line.
There is no magic bullet to prevent a hack, but training employees how not to make silly mistakes can make a company less vulnerable. As Rose explains, most employees don’t sit at their desks planning how they can hack their companies’ data. But these same people may nonchalantly plug a thumb drive into a corporate computer’s USB port—a simple act that can have disastrous consequences. ThreatReady Resources employs instinctive, active learning techniques designed to change human behavior permanently.
And if your company does get hacked? “Your first call should be to your lawyer, so he or she can guide you on your legal rights and obligations as to the protection of your systems and sensitive data,” says DeMarco.