By Joseph E. Saracino, Jr., President & CEO, Cino Ltd. Family of Companies, which includes Cyber Security Solutions
The term cybersecurity has become part of our everyday conversations. Headline-grabbing data breaches affecting the sensitive data of millions have become commonplace. In 2018, Lloyd’s, the world’s specialist insurance and reinsurance market, which underwrites approximately one-third of the global cyber market (80% of which is written in the United States), estimated that cyberattacks cost businesses as much as $400 million annually. This figure reflects direct damage and post-attack disruption to their normal course of business. Despite these sobering figures, many organizations aren’t taking all the steps necessary to protect their data and that of their customers. Even Information Technology (IT) professionals and Managed Service Providers (MSPs) are not as prepared and trained as they should be in the increasingly complex arena of cybersecurity and defense. Many misconceptions about cybersecurity are held at all levels of many businesses, from the Board and executive team to the IT department and rank-and-file employees. Gaining a better understanding of today’s cybersecurity realities, as well as best-in-class strategies for achieving an optimum cybersecurity program, is essential to mitigate the heightened risk associated with cyberattacks.
“Dispelling Common Cyber Security Misconceptions”
Among the more common misconceptions regarding cyber security, and one which creates false confidence, is that having anti-virus software is sufficient. With ransomware a major threat and hackers able to overcome and disable anti-virus software, this is not a solution on its own. Another myth is that cybersecurity is an IT matter when, in reality, it should be regarded as a core business discipline for which every member of an organization has a responsibility. This thinking recognizes that an IT system is integral to a company’s day-to-day operations (e.g., processing purchase orders, invoicing, data storage, employee benefits and payroll administration, maintaining intellectual property, etc.). Thinking that cybersecurity is an internal matter is also a mistake, considering all of the interactions a company’s IT system has with external third parties, from vendors and professional firms to employees’ home-based systems, which expose it to many additional cyber threats. By recognizing that cybersecurity is central to a business’s operations, with many interrelated components from both inside and outside the organization, a business is better prepared to address today’s numerous cyber threats.
“Cyber Security Today”
According to Jupiter Research, the rapid digitization of consumers’ lives and enterprise records will increase the cost of data breaches to an estimated $2.1 trillion globally by 2019. That is four times the estimated cost of data breaches in 2015. The same research firm projects that the average cost of a data breach will exceed $150 million by 2020. Many types of data breaches are occurring at a rapid pace today. The Madison Square Garden credit card breach occurred when hackers accessed the credit card information of patrons at Madison Square Garden and other related venues. This past November, Madison Square Garden reported that its systems had been compromised during the period from November 2015 to October 2016. Also recently reported was the Marriott International/Starwood multi-year breach, which compromised the personal data of up to 500 million customers. Other breaches affecting millions and even billions of records include: Yahoo’s 2013 breach affecting 3 billion accounts and its 2014 breach affecting 500 million accounts, the Equifax breach in 2017 affecting 146 million accounts, and the Anthem data breach in 2015, in which 37.5 million records of personal data, including health data, were breached, impacting an estimated 79 million people. As a consequence of this breach, Anthem was ordered to pay a federal government settlement of $16 million. These large breaches are accompanied by other breaches of smaller size, but with significant impact on the companies and individuals affected.
The harsh reality of today’s cyber landscape is that an increasing number and variety of threats are looming, waiting to attack the IT systems of large, small and middle-market enterprises. Size, type or industry doesn’t matter. Everyone is vulnerable, including nations and their federal, state and local governments. Malicious AI-driven chatbots, crimeware as a service, and the resurgence of ransomware are pervasive. Additionally, cyberattacks on satellites are taking root. There have been reported attacks on telecommunication companies’ satellites, as well as on the satellite communications systems used by the military, airplanes and ships, creating concern that cybercriminals will utilize satellite antennas as weapons to create further havoc.
The leading cybersecurity threats of 2019 include:
- Ransomware – The next level of cybersecurity nastiness: malware that encrypts files and holds them captive until ransom demands are met. When ransomware is combined with a network worm, the extortion scales up from traditional PC extortion to the Internet of Things (IoT), high-net-worth users and major corporate disruption.
- Phishing and Whaling Attacks – Hackers send fraudulent emails from, or appearing to come from, trusted accounts to target businesses through individual staff members. An unsuspecting staff member opens the email and then the attachment, at which point the attachment releases malware capable of stealing data. Whaling takes this attack strategy to the next level by targeting high-net-worth individuals, often CIOs and CEOs.
- Machine Learning-enabled Attacks – Social engineering attacks in which hackers, once they gain access to publicly available data, use complex analysis tools to select their targets with precision.
- IoT Botnets – Affecting the projected 8.4 billion things that will be connected to the Internet this year, which are then harnessed for Distributed Denial of Service (DDoS) attacks.
Keep in mind that, despite these leading threats, the way most systems get hacked today is still through attack vectors such as external hackers, phishing attacks, malware and keyloggers, and/or a disgruntled former user such as a former employee. Finally, a common way many companies open their systems to hacking incidents is by simply failing to have, or failing to enforce, cybersecurity controls and related policies.
“Increased Regulation and Litigation”
Federal and state governments are responding to the increase in cyberattacks through new legislation. At the federal level, the House Financial Services Committee introduced a bill, “The Consumer Data Security and Notification Act,” to amend the Gramm-Leach-Bliley Act to include a national breach notification law for the financial industry which would supersede state laws. The states are also rapidly introducing cybersecurity legislation. In 2019, 45 states and Puerto Rico introduced over 260 different bills or resolutions to address cybersecurity, and specifically matters relating to the security of connected devices, election security, industry data security and the establishment of cybersecurity task forces. New York State, for example, issued its New York State Cybersecurity Mandate, which was the nation’s first cybersecurity regulation. It requires regulated financial institutions to establish and maintain cybersecurity programs that include penetration testing, vulnerability scanning and education for all employees, designed to protect consumers and the industry. That regulation placed a strong emphasis on establishing a compliance culture at the top levels of these institutions. Europe too has acted to help institutionalize a culture of cybersecurity with its “General Data Protection Regulation” (GDPR), designed to strengthen and unify data protection for individuals in the European Union (EU) and address the export of personal data outside of the EU.
Consumers too are taking their cybersecurity more seriously than ever, fighting back with increased litigation. Over recent years, we’ve seen a federal judge in California rule that a consolidated class-action lawsuit filed by those affected by three Yahoo data breaches can proceed; Nationwide Insurance was ordered to pay a $5.5 million settlement, Cottage Health System was ordered to pay a $2 million settlement, and Home Depot agreed to settlements totaling $44.5 million stemming from class-action lawsuits related to data breaches affecting 50 million customers. For the 143 million Americans affected by the Equifax data breach, there is a $70 billion class-action lawsuit underway. These lawsuits, and the countless others in courts nationwide, should give businesses pause and prompt them to recognize their due diligence, fiduciary and data protection responsibilities, which require that they implement and uphold best cyber security practices.
“Best Practices for Optimum Cyber Security”
The Information Systems Audit and Control Association’s (ISACA) “2019 State of Cybersecurity” research reported that:
- 69% of companies stated that their cybersecurity teams are understaffed,
- 58% of companies said they have unfilled cybersecurity positions, and
- Many companies have difficulty retaining cybersecurity professionals even when they offer training and certification programs.
For all companies, a robust cybersecurity program stems from the top. Management must be fully engaged in a cybersecurity initiative and support it 100%. Without executive buy-in, a cybersecurity program will not be successful. The C-suite (the CEO, COO, CFO, CISO and CSO) must become informed and proactive, not reactive, regarding cybersecurity. A culture of cybersecurity awareness, due diligence and responsibility must prevail. The internal IT team, as well as any external IT professionals used, should be aligned and in direct communication with a cybersecurity organization: one which specializes in cybersecurity and has a team of cybersecurity professionals who are experienced and current on the latest cyber threats and effective strategies for defending against them. Some of these organizations offer mentoring, training and certification programs for their clients’ IT teams and MSP staff, which should be pursued. Additionally, all employees should be educated regarding their responsibilities to the cybersecurity initiative. This includes guiding them with policies relating to effective cybersecurity practices, such as changing passwords regularly, being aware of what constitutes a suspicious email, turning off their computers and personal devices at the end of the day, and reminding them that personal devices used for work must also adhere to sound cybersecurity practices. By building a strong, trust-based relationship with a cybersecurity firm, in the same way a company relies on its accounting and law firms, an organization elevates cybersecurity to the level of a critical operation.
In addition to cybersecurity training, key tactical measures that every sound cybersecurity program requires are:
- Live Penetration Testing – Attempts to penetrate a network from the Internet and external IPs
- Vulnerability Detection – A minimum of two scans per year on an internal network
- Anti-Key Logging Software – Keystroke encryption software to prevent malware from stealing sensitive data
- Identity Theft Protection Services – To mitigate risks and damage
- Ongoing Cyber Security Bulletins and Urgent Alerts – To keep executives, IT staff and MSP staff informed on the latest threats and other timely information
- Cyber Insurance – Liability insurance as well as cyber extortion insurance
“The Inconvenience of Cyber Security”
Cybersecurity is inconvenient; no question about it. It is, however, necessary, and not something that should be left up to others. While organizations should avail themselves of the expertise and experience of cybersecurity specialists, they too must be directly involved in their organization’s cybersecurity program, from the top down. Being diligent, informed and armed with the best practices and solutions is an organization’s best defense against cyberattacks and their dire consequences.
About the Author
Joseph served in the United States Navy as a Naval Intelligence Officer and continues to be active as a Military Education Liaison, VA Certifying Official, and Global Yellow Ribbon presenter to Active Duty troops and Reserve personnel. He also serves as a consultant to Homeland Security and Joint Military Task Force Commands. He is a member of numerous civic and industry associations, works with the New York City Mayor’s Office of Veteran Affairs, and is an active participant in the Suffolk County Police Department SHIELD Program, which counters terrorism and crime through information sharing in partnership with the New York Police Department and law enforcement agencies nationwide. LinkedIn: https://www.linkedin.com/in/joseph-saracino-664370b/ You can reach me at: firstname.lastname@example.org