While organisations must identify and guard against weaknesses in their systems, staff have a major role to play in the battle against cybercrime, says Seth Berman
This article was first published in the January 2015 International edition of Accounting and Business magazine.
Cybercrime is on the rise and as criminals become increasingly successful and targeted in their approach, it is time to recognise that IT alone cannot solve this problem.
Fuelled by the prospect of unfettered access to high-value information, such as customer records, financial data and competitive intelligence, recent attacks have shown a greater degree of sophistication and ability to cause significant financial and reputational damage. Senior management and boards face painful and expensive choices when allocating budgets for IT security as organisations step up their focus on countering such threats.
One common thread throughout some of the recent high-profile incidents across retail, banking and healthcare is that the perpetrators maintained access for weeks or months before the penetration was discovered. Hackers are increasingly playing the long game after having successfully identified a network’s weak point – whether through phishing attacks designed to get an unsuspecting user to click on a link in a bogus email, or by accessing a third party’s connected system.
Realistically, not all hacks can or will be prevented, but much can be done to lower the risk of hacking and mitigate the consequences of a successful attack. In short, organisations must take steps to identify and address their key weaknesses.
The process should start with a comprehensive security assessment conducted by an external third party. A security assessment is an in-depth review of the company’s risk profile based on the specifics of how it does business, how its network operates and what sort of information the company holds. The scope of this assessment is much wider than a traditional IT audit. The primary focus of a conventional IT audit is to ensure that the company meets a certain predefined security standard. But relying on an IT audit alone amounts to ‘checklist syndrome’, which could see the security strategy fail to address the real-life business risks, even though the demands of the security standard were met on paper.
While standards are important, it is notable that almost every one of the high-profile breaches in the recent past occurred after the corporates had passed their IT audit and been certified as compliant with the relevant security standard. By contrast, a company’s security assessment will allow management to judge a company’s central risk profile and take steps to reduce that risk.
One of the risk factors a security assessment will explore is the extent to which security is seen as a company-wide priority. Simply put, IT security cannot be the exclusive domain of the IT team. Everyone involved in using the IT systems has a crucial and often overlooked role to play. Organisations should aim to foster an environment where users are alert to what a threat may look like and know how to respond and who to get in touch with to report any concerns – without fear of reprisal.
Too many organisations impose IT policies from the top, without really setting out why a particular policy is being implemented. Whether relating to the use of personal web-based accounts or cloud storage services, most users see these policies as irritating and rarely understand the connection between the new policy and any real security weakness.
This process is fundamentally flawed, as users need to understand the rationale behind IT policies. Only if individuals understand why restrictions have been introduced will they avoid bypassing or undermining these rules and, inadvertently, creating new vulnerabilities in the process.
Education is not only useful for ensuring compliance with security standards; it is also critical in ensuring that users do not become the weak link in the security chain. Hackers have become very adept at manipulating people, eliciting information that may ultimately secure access to sensitive corporate systems. By using company websites and social networks to research a few individuals within a company, hackers can swiftly find information that can form the basis of a sophisticated ‘spear phishing’ attack. Publicly available information about an individual’s interests, activities and friends allows the attacker to send a personalised email that the target is likely to trust, which in turn lures them into clicking on a link or opening a document that triggers malware.
Individuals must be taught to be vigilant about such email attacks, which will make it more difficult for attackers to catch someone unaware. However, this is not the end of the process. Users also need to understand what to do if they suspect a problem after they click on a suspicious link or open a mysterious file. If something unusual happens – if a computer freezes, for example – users should be made aware that the best response is not just to reboot their computer and carry on as usual, but to call the individual or team responsible for IT security and report their concerns. Crucially, they must not be afraid to say, ‘I think it might be because I clicked on something’.
In one case, a manager received a phishing email purporting to be from a professional publication. The day after subscribing to the magazine she received an email, supposedly from the magazine, referring to her earlier subscription request. It turned out that the email contained a virus. Somebody had hacked into the magazine’s database and was using that information to send phishing emails that were entirely plausible, as the individuals targeted had just subscribed to that magazine.
This particular user was well informed about the risk from phishing. Despite the email’s initial plausibility, when she opened the attached document and found that it did not look like something the claimed sender would have produced, she realised that this was not something to be simply deleted and forgotten, but something to be reported. As a result, IT staff successfully contained the virus. A less savvy user may have inadvertently let the virus spread.
With increasing ingenuity and persistence, cyber criminals are stepping up their attacks on companies, in their quest to steal information that can be monetised. Such attacks are costly to protect against and respond to, and the consequences of a successful attack can be devastating – not only for the company, but for senior management too. While no budget can ever guarantee immunity, executives must put in place an appropriate framework to minimise such risks, backed by an ongoing commitment to ensuring all staff understand their role in safeguarding the integrity of corporate systems.