The year the internet fell apart. Cyber-analysts and researchers often declare 2014 the “Year the Internet Fell Apart” due to a series of high-profile hacks on Sony, J.P. Morgan Chase, and Apple’s iCloud. In 2015, cyberattacks on Ashley Madison, Anthem, and the FBI were front-page news. And now in 2016, political hacks have taken center stage with the DNC’s email breach, the hack on election systems in Illinois and Arizona, and Guccifer’s “October Surprise” threat of releasing Hillary Clinton’s private server emails. 2016 will be remembered as the year cybersecurity was exposed as an ever-evolving game of cat and mouse. And we have just realized that we are the mice.
While most breaches in the news come from the worlds of retail and geopolitics, other industries cannot and should not ignore the threat of cyber-attack. Everyone is under attack. In fact, healthcare, manufacturing, and financial services companies have the highest incident rates. And for any company, elaborate software alone will not prevent a hack or data breach. Why? Because 91% of all targeted cyberattacks rely on “social engineering” to persuade employees to reveal confidential company information. Below are Trenegy’s 4 methods to help you build a more comprehensive response to the growing cyber onslaught.
- Revise your Attack Radius
The main fault of many cybersecurity programs is that Finance and Operations leaders inaccurately believe that the IT guys can block out the hackers by themselves. But cyber criminals will attack ALL employees, not just your experienced IT staff. In a comprehensive cybersecurity plan, the Attack Radius extends to any system that can access sensitive data, as well as the people who could access those systems. It is also critical that the ownership of the cybersafety program rests on an executive-level leader (i.e., Chief Risk Officer or Chief Information Security Officer). This confirms that the cybersecurity initiatives are whole-company initiatives, not solely IT-related ones.
- Rethink “Cybersafety” Awareness Training
There needs to be an intense focus on bringing awareness to the methods used by hackers and the company policies and procedures for addressing the following types of social engineering schemes:
- Phishing – Email with malicious links. These can be individually targeted or sent as a mass email blast.
- Pretexting – Pretending to be someone else to gain confidential information.
- Baiting – Deceiving someone with a fake incentive (“You’re a winner. Download now!”) or a threat (“You have viruses on this device.”).
- Quid Pro Quo – Asking for secure access in exchange for providing something.
- Tailgating – Following someone into a secure physical location, usually one requiring a unique ID card for access.
Training employees to identify and avoid these threats can be just as financially important as training them to maintain the organization’s physical assets. In addition to a robust awareness training program, Trenegy believes in the power of the Cybersafety Minute, a CRO/CISO-sponsored minute at the beginning of meetings that provides consistent awareness of the state of the organization’s cybersecurity.
- Remodel Risk Assessments
The testing of controls is traditionally a reactive practice. For example, pervasive testing of Internal Controls over Financial Reporting came about as a response to SOX, and testing of Environmental, Health and Safety controls is driven by EPA regulation. We often find that organizations which effectively test cybersecurity controls do so only because they have had several breaches in the past. Cybersecurity controls do not receive the proper testing focus because the risks are not correctly assessed. Creative hacking calls for creative preventative measures. Many organizations outsource annual penetration testing, but since most hacks rely on vulnerabilities in human nature, standard “pen testing” is grossly incomplete. In performing the risk assessment, the CRO/CISO should sponsor testing in which an internal employee attempts to socially engineer other employees. Any cybersecurity risk, technical or social, is likely to be rated at the highest threat level.
- Rework Incentives
It can be hard to draw the connection between a mysterious email and the loss of millions of company dollars. But ensuring employee compliance with a cybersecurity program is key to that program’s success. Incentives, like cash rewards for completing cybersafety training, can drive positive behavior and encourage engagement. Involving cybersecurity in performance evaluations and day-to-day training helps people understand, on an individual level, how they can make an impact on the company’s large-scale cybersecurity program.