The Internet has changed the world in so many ways for the better. We can’t ignore, however, that companies around the world spent $67 billion on security measures last year and that the annual global cost of digital crime is estimated to be $445 billion, according to the Centre for Strategic and International Studies (CSIS). How should companies, especially small businesses, go about doing business and contributing to the positive aspects of the Internet without risking too much (or worse, unknowingly taking risks on behalf of customers)?
At TechPoint’s New Economy New Rules Cybersecurity: The New Normal featuring:
- Nick Taylor, COO, netlogx
- Von Welch, Director Center for Applied Cybersecurity Research
- Scott Morris, CTO, Eskenazi Health
- Brian McGinnis, Attorney, Barnes & Thornburg (MODERATOR)
Moderator Brian McGinnis revealed some alarming statistics. Quoting a study from Experian and Ponemon Institute —
Within the past year 43% of companies have experienced a data breach and of those, approximately 60% have suffered more than one breach throughout the last two years. This is bad enough but making matters even worse is the fact that most of the hacked companies are not prepared to deal with the consequences of a breach.
Recently, a number of large companies have been targeted by hackers. These include Home Depot (HD), which involved 56 million credit cards, JPMorgan (JPM), and the mega retail chain, Target (TGT). Unfortunately, 67% of the 567 US company executives surveyed said they did not have a real understanding of what to do in the aftermath of a breach specific to losing customers.
In fact, 62% of those surveyed confessed to having no confidence of responding to a breach that involved intellectual property or proprietary business information. On the other hand, about three-fourths of companies stated a breach response plan was established but about 50% did not feel it was up to par. Another 17% were uncertain if the plans would work and as much as 30% came right out and said the plans were completely ineffective.
“The Internet is always watching you,” said Nick Taylor, COO, netlogx. “Increasingly we as a society are under attack from very organized groups, whether it’s organized crime in Eastern Europe, it’s broad and deep and it’s also state sponsored attacks. People are essentially losing their identities. So why do you rob the banks? Because that’s where he money is. Why rob a hospital? Because that’s where the identities are.”
Scott Morris, CTO, Eskenazi Health told a story about standing up some new data centers 10 years ago and wondering how soon they would get hit by hackers.
“I was curious to see how long it would take and it was only about three weeks before state-run Chinese hackers hit us,” Scott said. “A year later we had a full on ‘let’s see if we can get something’ attack and everything they would do we had to try to get a head of it. It was a test to see if they could get in and check the car alarm. The thing that scares me is that I assume we got kicked up to the next level. You are seeing a lot more serious external threats with a lot more resources behind them. Today it’s not IF you’re going to get ‘owned’ it’s you are eventually going to get ‘owned.'”
Von Welch, Director of the Center for Applied Cybersecurity Research said: “We created arguably one of the most complicated systems ever created (the Internet) and now we are in a state where we don’t quite know how to control what we’ve created. Prevention, prevention, prevention. Today you have a very high risk of a breach and you better know how to deal with it if something goes wrong.”
All three panelists agreed that while state-sponsored attacks are on the rise, most companies are still more likely to be hit from the inside through social engineering.
Nick consults with many companies on security while working at a hospital, he was able to walk out with a laptop still logged on to the network just by pretending to be from IT and telling an employee that she didn’t have clearance for the type of computer she was using. He also said that people are very helpful and sometime he can even get them to walk him right to the doors of the data center where he could go in and wreak havoc if he were a criminal.
Here are some of the suggestions the panel had for protecting yourself and your company from a damaging data breach.
Educate your employees.
Like in the aforementioned story about the laptop, make sure your employees know what to do if faced with an odd social engineering attempt. If the employee had asked a couple of questions, like who are you and where is your employee ID, the laptop might not have been stolen and the thief might have been caught.
Talk to larger organizations and partners.
The people you work with and partners you do business with have a vested interest in you staying safe, too. That’s how the Target breach occurred, through a third party. Ask questions about the software they use the staff who help them stay secure and find out where there may be opportunities to work together to improve security at your company through economies of scale or just by being aware of potential threats.
Consider isolating high-value assets
Just because you can have everything digital and connected doesn’t mean you have to do it. Does every employee need access to everything or are there certain assets that could be safer through restrictions and access levels? This could prevent a criminal from getting “the keys to the kingdom” and protect the most important files. For small businesses, you might also consider having just one computer for online banking and just one computer for transactions, etc., and never use them for anything else Internet related.
If you don’t really need it, don’t keep it.
If you have medical records in your system from a completed project or credit cards information older than 18 months, ask yourself if there is any clear business advantage to keeping it or if the risk of a breach and the fallout from it is much greater. When it comes to Internet and data security, being a pack rat is bad for business.
Sometimes the simplest things make the biggest difference.
This will sound silly, but a lot of people forget to to the simple things, Von Welch explained. If you have the option to use a passcode, use the passcode. If something can lock, lock it, and force people to get into the habit of doing everything they are supposed to do like passwords and security protocols. It only takes that one time for a criminal to get into your building and find a unsecured computer for a breach to really hurt you.
Band together with others like you.
If you are a small retailer, partner up with other small retailers and hire someone to help you protect yourselves as a kind of consortium. Like any larger store, this gives you greater buying power and cost sharing and in the end you will have better protection from digital crime than if you were going it alone.
Interested in more resources for protecting you and your business?
- http://benchmarks.cisecurity.org/ Center for Internet Security Benchmarks
- http://web.nvd.nist.gov/view/ncp/repository– NIST Security Checklist Project
- http://cve.mitre.org/ – CVE is a dictionary of information security vulnerabilities and exposures
- http://www.owasp.org/index.php/Main_Page OWASP – Open Web Application Security Project
- http://www.cert.org/octave/octavemethod.html -Octave Information Risk Assessment
- http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf – Security testing
- http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201410_en.pdf OUCH! The Monthly Security Awareness Newsletter for Computer Users
What tips do you have for staying secure? Please share your thoughts and security tips in the comments section below.
New Economy New Rules is a monthly TechPoint event held on the first Friday of every month at Barnes & Thornburg in downtown Indianapolis and broadcast to 20 locations.
Please visit our sponsors: