Cyber Strategy
Cybersecurity Compliance Q&A for the Board
by Peter Purcell
Large-scale cybersecurity breaches have led to lawsuits against boards and executives, with the argument that security breakdowns should be considered members’ failure to uphold their fiduciary duties. There are no common guidelines for defining board-level cybersecurity compliance. Congress, the Department of Justice, the executive office, and other regulatory bodies have weighed in, creating confusion.
Boards can no longer ignore cybersecurity as a strategic discussion and should be aware of how companies are positioned to address critical risks. Not only is this a way to avoid personal liability, it’s just good business.
How can the CIO or CISO properly interact with the board?
Details of day-to-day activities like software monitoring and firewall setup are important for the IT team and CIO to understand, but that level of granularity is not necessary for the board. Because cybersecurity is directly tied to overall company strategy and business operations, the board should understand how cybersecurity failure could impact the business. A death-by-PowerPoint approach to communicating with the board is less than optimal. A discussion is better.
The CIO or CISO should encourage the board to ask questions!
Specifically, board members will ensure the right level of involvement by asking the following three questions:
1. How critical business processes could be affected by a breach
Most companies have a mind-boggling number of systems that can be breached. It would take days for a well-informed board member to walk through a list of the systems with IT to determine if they are properly secured. The better approach is to realize that no matter how well IT secures systems, the company can be hacked. With this in mind, board members are better off asking the following questions to ensure critical business processes have been identified and prioritized:
- How will our customers be impacted by a breach? Will a breach in our systems lead to a breach in a customer system?
- How will critical operations be impacted by a breach? Is there an opportunity for a catastrophic situation?
- How will our employees be impacted by a breach? Will critical private information be exposed?
- How much intellectual property will we lose? Will we lose competitive advantage if our IP is exposed?
Answering these questions will ensure business and IT have a clear understanding of the critical business process areas that should be closely monitored for cybersecurity weaknesses.
This is the first step in fulfilling board fiduciary duties.
2. How well business and IT are prepared to respond during a breach
The second step in fulfilling board fiduciary duties is to ensure business and IT have a clear understanding of how to respond during an incident. A detailed discussion on the different tools and techniques leveraged during a breach would fix board level insomnia. Instead, the CIO or CISO should encourage the board to ask the following questions:
- Do we have a cybersecurity response team comprised of both IT and business participants? Do they have clearly defined roles and responsibilities?
- Has a cybersecurity response plan been developed and tested? Are there clearly defined checklists the response team can use?
- Does the response team understand how to use the response plan? Do team members have a plan for addressing unforeseen situations?
- Is there an internal and external communications plan? Are there templates for specific communications based on what is breached?
- When should the plug be pulled? When should all systems be shut down?
- Is there a process for bringing the systems back online?
While most board members may not understand the inevitable jargon some of the answers will contain, members must have a comfort that a clear set of recovery guidelines have been developed, deployed, and understood. Most importantly, the board should clearly understand when they need to get involved.
3. How compliance can prevent a breach
A cybersecurity breach is not the time to discover that basic compliance policies and procedures are not being followed. While IT is responsible for establishing strong cybersecurity protection, business is accountable for compliance. Regardless of how well protected, all systems are a fingertip click away from being breached.
The third step to ensuring the board’s cybersecurity fiduciary duties are properly fulfilled is asking questions about critical cybersecurity compliance components. Questions include:
- Who owns cybersecurity? Is it Internal Audit?
- Do employees clearly understand their role in cybersecurity compliance? Do they have the right training? Do they have the right reminders?
- Does IT regularly test employee compliance? Does Internal Audit participate?
- Is Internal Audit involved in testing the cybersecurity response plan?
- Are there clear guidelines for how customers, suppliers, and employees access our systems? Is compliance tested on a regular basis? Has legal counsel updated our contracts to include the appropriate cybersecurity breach liability clauses?
The answers to these questions will generate more, but most importantly, the board of directors will obtain a clear understanding of cybersecurity compliance awareness across the company.
The board’s responsibility is to ensure a company is properly prepared to operate efficiently and effectively. A cybersecurity breach can bring a company to a halt and expose all of senior management to significant personal liability. Boards that rely solely on IT to provide cybersecurity protection are open to significant risk. Asking the right questions about cybersecurity preparedness not only protects board members from liability, but helps ensure a company is prepared for the inevitable breach.
Read on to learn how to establish a successful cybersecurity strategy for your business.
A Successful Cybersecurity Strategy
by Matias Fefer
Boards are being pressured to ensure companies have developed and deployed robust cybersecurity strategies. Government oversight is increasing with the recent passage of HR 1770 by the Energy and Commerce Committee, which encourages companies to share details of all computer breaches with the U.S. government and affected parties. Many feel that HR 1770 is a precursor to supplementing Sarbanes-Oxley Sections 404 and 409 to hold board members and senior executives accountable for cybersecurity lapses.
Companies addressing cybersecurity threats face two immutable facts:
Fact 1: The IT environment will be hacked no matter how much money or effort is put into preventing cyberattacks.
Fact 2: The only way to prevent hacking is to disconnect computers from the network, disable all external ports, and prevent access by end users.
A company cannot perform business effectively on a day-to-day basis if computers are not networked. Emails need to be sent to clients, electronic orders need to be processed, and critical operational and financial information needs to be shared in a timely, accurate manner.
Companies who have successfully addressed cybersecurity concerns leverage a balanced, four-pronged strategy.
1. Prevention
Companies need to proactively identify and prioritize critical data or real-time control systems that need protection against unauthorized access. Penetration testing of priority areas will help determine gaps to be addressed with a combination of training, software, hardware upgrades, and security solutions.
Realistic prioritization of vulnerabilities is critical to ensure cost effective solutions are implemented. A recent study by an Ivy League college shows the most successful way to address breaches revolves around training and awareness. Cybersecurity experts say more than 90% of breaches are a result of employees clicking links in phishing emails, infected emails from friends or cloned web sites. The remainder of breaches come through vulnerabilities in computing environments that have not been updated.
2. Detection
No amount of prevention will change the fact that networked computer systems will be hacked. Employees make mistakes. Companies need the right tools and resources to identify when a system has been hacked. Software tools and internal resources can be used to monitor networks and user accounts on a day-to-day basis.
Developing a relationship with a third-party cybersecurity firm is critical. Leverage the firm on a regular basis to test the computing environment and address hidden infections. Update training and end user communication based on results.
3. Mitigation
A realistic cybersecurity strategy includes contingency plans to quickly address inevitable breaches. It is not cost effective for IT departments to acquire all the tools and resources needed to recover from specific cyberattacks. Hackers continually change their methods, making it nearly impossible for an internal IT department to keep up.
Work with a third-party cybersecurity firm to develop and deploy clear protocols and service level agreements for addressing cybersecurity threats. Develop and deploy a clear communication strategy with end users. End users need to know what to do and expect in the event of a cyberattack.
4. Transfer
A cyberattack creates significant risk given the sophistication and aggressiveness of hackers combined with our increasing reliance on computer systems. Procure insurance or migrate to a hosted environment to transfer risk. Cybersecurity insurance helps pay for the cost of mitigation and impact on all affected parties.
Using external hosting for key systems places the responsibility of mitigation on the service provider as long as a company employee did not cause the cyberattack. The hosting provider is responsible for ensuring the core computing environment is properly updated and protected.
There are a significant number of technological solutions to address cybersecurity concerns. Many are very expensive and can limit employees’ ability to perform day-to-day activities efficiently and effectively. However, the most effective software solution lies between employees’ ears. Strong leadership, change management, and training are critical to helping companies teach employees how to prevent cybersecurity lapses.
Written with guest author Matias Fefer, Director of Information Technology for Atwood Oceanics and a leading cybersecurity strategist in oilfield services. Matias heads an offshore services consortium tackling cybersecurity issues with critical computing and equipment suppliers.
Read on for a deeper dive into designing a cybersafety program to train employees.
The Three T’s of a Cybersafety Program
by Peter Purcell
This article first appeared on Peter Purcell’s blog, Tech and the Business of Change, on CIO.com.
The most effective safety programs are a result of employee awareness. The more aware, the less likely it is that employees will hurt themselves as they perform day-to-day activities in a dangerous environment. Effective cybersecurity strategies employ the same focus on end-user awareness. IT can only do so much without end users taking responsibility for how they access the internet and respond to emails.
It is relatively easy to set up firewalls, update operating systems and deploy antivirus software. Unfortunately, there is little to stop an employee from clicking on an infected link or incorrectly responding to a phish or spoof without completely disconnecting end users from the internet. Disconnecting from the internet would bring business to a halt. IT has to work with business to plug the vulnerability gap caused by software between the ears. Cybersafety should have no less a focus than any other safety program.
There are three components to an effective worker safety program which can be directly applied to increase employee cybersafety awareness:
1. Training
All employees should receive mandatory cybersafety training. Just as plant employees are taught to wear safety hats, shoes, and glasses, end users should be taught about strong passwords, safe internet use, and detecting possible phishing or spoofing emails. IT is responsible for developing or acquiring relevant training materials and working with business to ensure training is deployed across the company.
Clearly communicating the importance of training is critical. While OSHA provides a strong external driver for safety training and compliance, there’s really no equivalent body enforcing cybersafety. Key business leaders should kick off training sessions with clear emphasis on the importance of cybersafety compliance. Otherwise, end users will ignore what’s covered in class by surfing websites they should be avoiding.
Keeping employees engaged throughout training is important. Duplicating the excitement of learning how to use an extinguisher to put out a real fire can be difficult. There are materials that create slot-machine like flashing screens and annoying beeping sounds when a computer is infected with a virus or a phishing link is clicked. Allowing employees hands on experience with these materials ensures the proper level of engagement.
2. Telling
Most plant break rooms have a variety of safety posters on the walls. Entrances highlight how many days the since the last reportable injury. Bathrooms have urine hydration charts to ensure employees know when they need to drink more water. Meetings start with a safety minute that covers a broad range of topics from fire alarm muster areas to brief descriptions of safety violations and subsequent consequences. These constant reminders and materials are intended to keep a high level of employee safety awareness.
IT should work with business to duplicate messaging and materials to keep a high level of cybersafety awareness. The marketing or human resources departments can help develop programs that can be shared across the company. Posters with messages such as, “Don’t be a phool, don’t get phished,” or posters that clearly show what a spoof email looks like should be liberally spread in break areas. IT can work with the Health, Safety, and Environment (HSE) department to expand the safety minute to remind end users of cybersafety.
The most important repeated message is the simplest. If anyone has a question about a website, link, or email, contact IT immediately. IT should work with the business to quickly address real or perceived lapses in cybersafety.
3. Testing
Employees will be more diligent about cybersafety if there’s a perception of being monitored or tested. IT should develop a series of phish and spoof tests to determine compliance. Clearly communicate the results via emails which no one reads or by postings in break rooms. Increase compliance rates by creating competition between departments to see who has the lowest fail rates.
After the first two or three rounds of tests, companies who are heavily regulated may even start logging failures in HR employee files. Companies with significant liability associated with cybersecurity penetration should consider a direct impact on bonus or overall employee evaluation rankings.
Either way, employees should have a clear understanding they are being monitored and tested. Compliance will quickly follow in this situation.
IT may have difficulty convincing business that a cybersafety program should be treated the same as other HSE programs. However, the risk and liability associated with a cybersecurity breach is high. IT can work with legal counsel to clearly understand the impacts of HIPAA, FISMA, HR1770, and recent Justice Department rulings on a company’s liability associated with a cybersecurity breach. To be compliant, business and IT will have to work together to address the main weakness in any cybersafety program.
Read on to learn how to make cybersafety not just a program, but a part of your company culture.
How to Create a Cybersecurity Culture
by Mary Critelli
All companies continuously face cybersecurity threats from both inside and outside the organization. IT departments apply very basic defenses in order to reduce the chances and consequences of a data breach. Firewalls, operating system updates, secure connections, and spam filters are all standard, but they do not address the weakest and most fragile component of any cybersecurity strategy: people.
Morgan Stanley’s IT department is well known for implementing world-class cybersecurity protection. However, in a recent security breach, data from more than 350,000 customers was stolen by an employee. The SEC found Morgan Stanley responsible, citing a failure to employ “written policies and procedures reasonably designed to protect customer data.” Creating a work culture centered around cybersafety is essential. Most companies understand that better training and executive involvement are key elements in promoting cybersafety awareness, but what not-so-obvious actions can companies take to promote this culture? Learn more about four approaches below:
1. Ensure tone is set at the top
The only way to ingrain practices that support cybersecurity and lower the risk of cyberthreats is to start with embedding these principles in senior executives and management. This group is responsible for setting the company culture. Consider changing compensation and incentives to include cybersecurity compliance points. Recent studies show a direct correlation between CEO approval ratings and cybersecurity risk assessments. The higher the CEO approval rating, the lower the cybersecurity risk, which analysts believe prove the theory that the happier employees are at the company, the less likely they are to cause a security breach. A company culture that fosters loyalty and happiness among employees will lessen the risk of an “inside job” in terms of hacking or using company data for malicious purposes. A CEO who takes cybersecurity seriously will influence his or her employees to do the same.
2. Get certified
The ISO/IEC 27001 is the best known standard for providing requirements to keep information assets secure. Companies are not required to implement these standards, but many companies are now choosing to take this extra step to become certified. Not only does it serve to outline standards for protecting the company, it also helps reassure customers and business partners that their information is safe and protected. Leverage the certification to set a company-wide standard that is documented, followed, and backed by top level management. Hold trainings to ensure employees understand and follow the policies.
3. Create a cybersecurity scorecard
The U.S. Department of Defense is constantly under the threat of cyberattacks. The cybersecurity scorecard is used by the Secretary of Defense to better understand cybersecurity compliance and exposure. The scorecard assesses cybersecurity control across multiple areas: people, process, technology, facility, and compliance. The purpose of the scorecard is to ensure organizations can effectively and regularly perform security assessments that highlight areas for improvement and gaps in cybersecurity policies. Once gaps are detected, they should be communicated throughout the company, and trainings should be scheduled to specifically target and mitigate these issues.
4. Inventory and protect all networked devices
The technology that people wear and carry is often more powerful than they realize, so companies and employees should be aware of the associated risks. Because users rarely think about cybersecurity as it applies to their personal devices, they put the company in a vulnerable position when they default their devices to the least secure settings. Training about the risks is crucial to establish awareness. Publish company policies around what to do if a wearable device is stolen or put at risk and address them in employee onboarding. Establish programs to educate employees on how a hack on their device could put the company in danger.
It is not a matter of if a company will get hacked, but when. Embedding cybersecurity, cybersafety, and cyberthreat awareness into an organization’s culture helps delay and minimize the impact of the inevitable.
Read on to learn practical actions to protect you, your employees, and your business from common online cyberattacks.
Cyber Best Practices
Cyber Hygiene: How to Clean Your Online Presence
by Patricia Dewey
In 2000, Chinese hackers began a nine-year assault on telecommunication giant Nortel. Hackers used remote access and automated software to generate a large number of password guesses to eventually break the credentials of seven executive team members. The hackers successfully obtained critical reports, research and development materials, employee emails, and strategic information. Unfortunately, Nortel’s top executives neglected to secure their network and eventually declared bankruptcy in 2009. As Nortel disintegrated, Chinese telecom Huawei grew, with some speculating “Huawei’s rise was at the expense of Nortel.”
Nortel’s downfall raises awareness of the devastating consequences that are the result of a cyber-attack. However, there’s a growing tendency to generalize cyberattacks as simply “cyberattacks,” leaving us numb to the term rather than educated. This makes all cyberattacks seem like nebulous boogeymen. In fact, there are many different types, and taking these threats seriously is the first step in preventing them.
Everyone must evaluate their online behavior and become hyper-vigilant about their cyber hygiene, the measures taken to ensure one’s health and safety online. Cyber hygiene begins now, with improving passwords, enabling two-factor authentication, installing antivirus software, and routinely scrutinizing potential online threats (like the ones mentioned above).
Business leaders must invest time and money into their organization’s cybersecurity strategy by first training employees to maintain good cyber hygiene. Many executives and board members are hesitant about spending millions on cybersecurity. However, cybercriminals take $400 billion per year from companies, and much of that theft goes undetected. Technological solutions are simply not enough to prevent a cyberattack. Making employees aware of threats is crucial.
Here are three things companies must do to immediately implement an adequate cyber hygiene program:
1. Set tone at the top
- Executives are responsible for setting the company culture. When they support a cybersecurity initiative, the company follows.
- A CEO who takes cybersecurity seriously will influence his or her employees to do the same.
2. Make cybersecurity a part of the office conversation
- Discuss cybersecurity measures regularly. Learn from Nortel’s mistakes and make employees aware of the dangers.
- Create a best practices document with instructions for changing passwords every 90 days, updating antivirus software and other apps, protocols for downloading third-party apps on work computers, etc.
3. Understand and limit access
- Know which employees have access to workstations and keep this information up to date (expired accounts are targets for hackers).
- Minimize attack exposure by limiting access to only those who need it.
Personal cyber hygiene is equally as important. Business and personal information are intertwined, and it is nearly impossible to untangle the spider web when a cyberattack occurs. Many people manage their work and personal lives on the same smart device. Protecting one’s cell phone is just as important as protecting one’s work computer. It is essential to know what apps are on smart devices, what personal information they require before downloading, and what the potential risks are in having those apps. Scrutinizing emails for suspicious activity on phones and home computers is also important. Essentially, any cybersecurity strategy employed in the workplace carries into the home and impacts personal devices.
It’s time to be more cautious on the internet. Technology has come a long way and the most reliable security guard for your information is you.
Read on to learn how to further revolutionize your existing cybersecurity program and respond to the growing onslaught of cyberattacks.
4 Methods to Revolutionize Your Cybersafety Program
by Joseph Kasbaum
Cyber analysts often declare 2014 as the year the internet fell apart due to a series of high-profile hacks on Sony, J.P. Morgan Chase, and Apple’s iCloud. In 2015, cyberattacks on Ashley Madison, Anthem, and the FBI were front page news. In 2016, political hacks took center stage with the DNC’s email breach, the hack on election systems in Illinois and Arizona, and Guccifer’s “October Surprise” threat of releasing Hilary Clinton’s private server emails. 2016 will be remembered as the year cybersecurity was exposed as an ever-evolving game of cat and mouse. And we’ve just realized that we’re the mice.
While most breaches in the news come from the worlds of retail and geopolitics, other industries should not ignore the threat of cyberattacks. Everyone is at risk. In fact, healthcare, manufacturing, and financial services companies have the highest incident rates. For any company, elaborate software alone will not prevent a hack or data breach. Why? Because 91% of all targeted cyberattacks rely on “social engineering” to persuade employees to reveal confidential company information. Below are four methods to help you build a more comprehensive response to the growing cyber onslaught.
1. Revise your attack radius
The main fault of many cybersecurity programs is that Finance and Operations leaders inaccurately believe the IT guys can block out the hackers by themselves. But cyber criminals will attack all employees, not just your experienced IT staff. In a comprehensive cybersecurity plan, the attack radius extends to any system with sensitive data, as well as the people who could access those systems. It’s critical that the ownership of the cybersafety program rests on an executive-level leader (i.e. Chief Risk Officer or Chief Information Security Officer). This confirms that the cybersecurity initiatives are company-wide initiatives, not solely IT-related ones.
2. Rethink cybersafety awareness training
It’s crucial to make employees aware of methods used by hackers and the company policies and procedures for addressing the following types of social engineering schemes:
- Phishing – Emails with malicious links that can be individually targeted or sent as a mass email blast
- Pretexting – Pretending to be someone else to gain confidential information
- Baiting – Deceiving someone with a fake incentive (“You’re a winner, download now!”) or a threat (“You have viruses on this device”)
- Quid pro quo – Asking for secure access in exchange for providing something
- Tailgating – Following someone into a secure physical location, usually one requiring a unique ID card for access
The importance of training employees on how to identify and avoid these threats can be just as financially important as training employees on how to maintain the organization’s physical assets. In addition to a robust awareness training program, Trenegy believes in the power of the “cybersafety minute,” a CRO/CISO sponsored minute at the beginning of meetings that provides consistent awareness about the state of the organization’s cybersecurity.
3. Remodel risk assessments
Testing controls is traditionally a reactive practice. For example, pervasive testing of internal controls over financial reporting came about as a response to SOX. Testing of environmental, health, and safety controls is a response to EPA regulation. Some organizations effectively test cybersecurity controls only because they’ve had several breaches in the past. Cybersecurity controls do not receive the proper testing focus because the risks are not correctly assessed. Creative hacking calls for creative preventative measures. Many organizations outsource annual penetration testing, but since most hacks rely on the vulnerabilities in human nature, standard penetration testing is not comprehensive. During the risk assessment, the CRO/CISO should sponsor testing that has an internal employee attempt to socially engineer other employees. It is likely that any cybersecurity risk—technical or social—will be rated the highest threat level.
4. Rework incentives
It can be hard to draw the connection between a mysterious email and the loss of millions. Even so, ensuring employee compliance with a cybersecurity program is key to the program’s success. Incentives, like bonuses for completing a cybersafety training, can drive positive behavior and encourage engagement. Including cybersecurity in performance evaluations and day-to-day training helps people understand on an individual level how they can make an impact on the company’s overall cybersecurity program.
Read below for a deep dive into two of the most common hacking strategies—phishing and pharming.
5 Ways to Avoid Phishing and Pharming
by Peter Purcell
“Give a man a fish and he’ll eat for a day. Teach a man to phish, and he’ll steal your identity and eat on your credit forever.” —A proverb (probably)
Man has relied on fishing and farming for survival for thousands of years. Fishing involves dropping a line and hook in the water and waiting for the right fish to swim by and take the bait. Farming requires more steps and more time. A farmer must plant the seed, nurture the seed, and wait to harvest the fruits of his labor.
The same concepts apply to the cyberattack counterparts of these terms. While different their approach, phishing and pharming have the same end goal: to trick unsuspecting people into revealing sensitive personal information, which hackers can then use to fatten their bellies, or wallets. The worst case scenario for a victim of a phishing or pharming attack is identity theft.
Phishing
In phishing, a hacker drops a line and hook in the form of an email that appears to be from a popular website or subscription service, such as Bank of America Online. The email will tell the recipient something along the lines of, “Our system has experienced an update/change. Please log in using the link below to verify your account information.” The phisherman will bait this email with official-sounding language, and official-looking logos to get the phish to bite. These emails vary in levels of sophistication, but upon first glance, many phishing attempts appear authentic to unsuspecting victims.
When the phish clicks the link in the email, they are routed to a site that might look similar to the authentic site they expect. However, this site is a replica built by a phisherman. The phish will be prompted to enter sensitive information, like usernames, passwords, and sometimes bank account information and social security numbers. Once the phish enters this information, he has unlocked his account (and all sensitive information therein) for the hacker. Poor phish. They’ve been caught.
Pharming
Just as farming is more labor intensive than fishing in the traditional sense, pharming takes a bit more work than phishing in the cyber world. Pharming was named as such because hackers herd large populations of people to fake websites in one fell swoop. The metaphor has a deeper meaning from an agricultural standpoint, which is explained below.
In pharming, a hacker manages to redirect users from the authentic site they are trying to reach via a web browser to another fake site. Pharmers accomplish this by poisoning something called the DNS cache of a computer, network, or server. The DNS cache is a stored list of previously visited websites on a user’s computer. Suppose an unsuspecting user is attempting to access Bank of America’s website. When a pharmer poisons the DNS cache, they can manipulate a user’s computer settings such that when the user starts typing, “bankofa,” in the address bar, the auto-filled suggestion redirects from the correct IP address to an IP address leading to a fake website. The pharmer is essentially planting the seeds for corrupt websites in the DNS cache. They fertilize these seeds by convincingly replicating the log in page of the authentic site, and then they wait to harvest. If the pharmer has created a convincing replication, users will be unknowingly directed to his bogus website when they type the web address into their browsers. They will log in as usual, thereby handing over their personal information to the pharmer. They’ve now been harvested.
How does this keep happening? It might come as a surprise that high-level executives and upper managers are the most likely targets of phishing and pharming. Now, before any execs reading this are offended, I don’t mean folks in these positions are dumb. They are just being profiled, since hackers believe they have several factors working against them. Executives have money, receive many emails in a day without closely scrutinizing each, and hackers consider them to be less tech savvy.
How to Avoid the Hook and the Harvest
1. Educate yourself. The easiest way to decrease the likelihood of being phished and pharmed is to simply be aware these types of attacks exist. Read our other articles on cybersecurity. If you’re reading this, you’re already ahead of the game.
2. Embrace cyber-skepticism. The more you learn about potential threats, the more cyber-skeptical you will become. This is always a safe bet. If it sounds phishy (see what I did there?), err on the side of caution. You may miss out on a free cruise to the Bahamas or $5 million from a Nigerian prince, but delete that email. Trust me, no one has ever won on that deal.
3. Train employees. Companies should mandate cybersecurity training for all employees in which they discuss different types of cyberattacks and explain how to identify them before they happen.
4. Don’t trust email links. Never provide information for a personal account by following a link in an email. If you receive an unsolicited email from a personal account asking for account verification that you might believe to be authentic, call the company’s official customer service phone number—not the one from the questionable email. Speak to a human being to confirm the legitimacy, or just go directly to the website via your browser. Navigate directly to the website via a separate internet browser—not by clicking the link in the email. If it’s a legitimate request, you should receive a similar message once you log in to your account.
5. Take note of your URL while browsing. When browsing, always pay attention to the URL of the website you are visiting. Legitimate sites will always have the name of the site followed by .com, .edu, .net, etc. For example, www.netflix.com. If you tried to log in to Netflix but saw something like www.netflix.ad.com, or even a minor misspelling like www.neftlix.com, you can bet your DNS cache has been compromised. Contact your IT personnel immediately so they can remediate.
Phishing and pharming are two of the most common cyberattacks. The good news? Both are two of the most easily prevented. Taking the basic precautions listed above can stop phishermen and pharmers in their tracks, and we can just keep swimming in secure waters.
While we’re on the topic of hacking techniques, let’s talk about another target—the Internet of Things (IoT). Learn more below.
This article has been adapted from a chapter from Trenegy’s book, Jar(gone).
A New Frontier: Securing the Internet of Things
by Chelsey LeMaire
The Internet of Things is a new frontier. Projected to surpass 50 billion objects by 2020 with the potential to boost the global GDP by $142 trillion, the Internet of Things (IoT) offers private consumers the ability to create app-controlled smart homes and offers businesses unprecedented access to real-time operational data monitoring, collection, and analysis. With the ever-evolving, demand-driven industry of IoT devices, technologies are being introduced faster than they can be protected.
For individual consumers, IoT security breaches have the potential to violate privacy, reveal personal information, and generally terrorize unsuspecting people by manipulating their home devices. On the industrial or business side of the IoT, the threat of a hack presents far more widespread consequences. Unsecured IoT devices present a perfect opportunity for hackers to wreak havoc by compromising operational and/or safety data being tracked by IoT devices, causing a distributed denial-of-service (DDoS) incident for customers (like the October 2016 Internet Outage), and accessing, compromising, or ransoming financial systems and data by using connected IoT devices to infiltrate the corporate IT firewall. It is becoming increasingly clear to private consumers and businesses that more focus should be dedicated to securing the IoT.
Manufacturers and consumers have focused on ease-of-use over security. The vast majority of IoT devices are designed with ease-of-use as the first priority, which traditionally means security must take a back seat. In the name of ease-of-use, many of these devices do not require a username and password reset at the time of setup, relying instead on a manufacturer-provided default username and password. These devices will remain actively connected to the internet without additional credential input indefinitely. These default settings are about as secure as having no password at all.
IoT devices often fall outside of the corporate IT cybersecurity structure. IoT devices are typically categorized as operational technology and therefore are managed by Operations departments. They are often excluded from the corporate IT strategy. When employees connect unsecured IoT devices to company-provided workstations, they inadvertently provide hackers a direct portal into a company’s secured IT environment.
Physical security is often impractical. In traditional IT security, physical security is one of the basic tenants. IoT devices may be spread all over the world, on oil rigs, or on remote sites, making isolation impossible. By nature, IoT devices are easily accessible, residing in common operational areas of businesses or common living areas of homes.
There is currently no “McAfee” equivalent. The average internet user knows it would be reckless to leave a computer vulnerable without the protection of antivirus software. However, this type of software has yet to be developed for most IoT devices. This means that not only are most of these devices unprotected, but that they’re also unmonitored. Devices could be hacked, and the end user would never know unless the hackers make their presence known. A potential solution would be for each manufacturer to develop security software for its own devices. But the IoT is made up of thousands of devices by thousands of manufacturers, and these companies do not have the expertise or motivation to develop this kind of software.
Inevitably, sufficient security measures will be developed, but these developments will take time. Until then, here are several ways consumers and companies can keep hackers at bay:
- Set strong usernames and passwords. The easiest way to secure IoT devices is to change factory default credentials to a strong, unique username and password. Some devices are difficult to change, and some offer no credential change functionality. If a device does not appear to offer a credential change option, contact the manufacturer to be sure. If in the market for a new IoT Device, the ability to change credentials should be a critical measure when choosing between products.
- Bring IoT Devices under the responsibility of IT. While Operations will remain the primary end users of industrial IoT devices, the security of these devices must be included in the corporate IT cybersecurity structure. Whenever possible, bring IoT devices behind the corporate firewall and ensure that IT tracks and deploys any updates provided by device manufacturers.
- Educate employees/users about IoT security. As in general cybersecurity, the greatest defense against hacking is a well-educated user base. By informing employees/users about the threat of IoT hacks and how they can prevent them through proper device setup and use, companies can minimize the risk of a hack occurring.
- Prioritize increased security features. End user demand will drive manufacturers to improve security features and software companies to develop an antivirus program for IoT devices. As long as consumers continue to purchase devices with no regard for their security, manufacturers will continue to produce status quo. If currently owned devices offer insufficient or no security features, consider upgrading to something newer and more secure. Consumers should continue to voice their security concerns in the marketplace, and when in the market for new IoT devices, it’s crucial to treat cybersecurity as a top priority.
As the technology community begins to unravel and understand the concept of protecting vast amounts of personal data, IoT users must remain vigilant about securing their own devices. Increasing dependence on internet-connected objects makes securing them a top priority. While alluring, the new frontier of the IoT could leave many people vulnerable.
As technology advances, it’s crucial to employ cybersecurity measures, but many traditional corporate methods aren’t working. Listen below to learn the key to preventing attacks.
Cybersecurity Reality Check
by Peter Purcell
The traditional corporate methods for preventing cyberattacks (hacking, phishing, ransomware, etc.) are not working and corporations are spending millions. Cybersecurity threats can only be prevented by people. Leading companies are taking a different approach toward threat prevention by focusing on the people side of the equation. Listen below as IT strategist and Trenegy co-founder, Peter Purcell, shares how corporations are taking proactive measures to successfully prevent cyberattacks.
“Cybersecurity Reality Check” from Trenegy’s podcast, Jar(gone).
As we move into the future, we cannot neglect cybersecurity. AI-based cyberattacks are coming. Read on to learn more.
AI-based Cyberattacks Are Here
by Peter Purcell
Experts predict hackers will conduct AI-based cyberattacks for the first time this year. Really? Hackers are creative, especially those backed by nation states. Does this mean companies should revisit their cybersecurity programs and invest in AI-based responses? AI-based cyberattacks sound ominous yet should not be treated different than any other attack. AI-based cyberattacks aim to gain access to information to steal money or gain access to control systems to cause harm. No different than today. The AI-based cyberattacks will simply make hacking faster. After all, AI-systems don’t have to stop to drink Red Bull, go to the bathroom, or nap.
Companies can be well protected from AI-based cyberattacks with the following:
1. Operational systems
SCADA, ECM Monitoring, Power Grid and other process control systems often fall outside the purview of the IT organization. Basic table stakes security is often overlooked. For example, changing default passwords or updating software and firmware on a regular basis is a must. Software updates and passwords are vulnerabilities all hackers exploit when trying to shut down power grids or take over process control systems.
Functions responsible for operational systems should work with Internal Audit and IT to do the following:
- Establish a cybersecurity champion
- Implement a cybersafety program
- Change all default passwords and update all systems on a regular basis
- Create and test recovery procedures
2. ERP
Most ERP systems have been secured, but hackers will try to access employee information for identify theft or access vendor tables to change bank information to redirect payments. Companies should assume ERP systems are vulnerable and should establish the following basic controls:
- Encrypt employee HR information
- Strengthen employee awareness of possible hacking
- Establish controls around the payment process
- Monitor changes made to supplier bank information
3. Employee social media
Most employees have no idea what hackers can do with information posted on social media. Hackers spend significant time culling through social media to create and execute successful phishing and “spear phishing” campaigns. AI-based hacking can easily marry company website information with posts of pictures taken in the same country where a deal is being negotiated to acquire assets. Why? To create an email from the CEO requesting wire transfer of funds for a down payment. And the employee could fall for it.
Prevention is easy:
- Create and communicate a social media vulnerability awareness program for all employees
- Hold employees accountable for business controls compliance
- Perform regular cybersecurity training
Companies have no choice but to live with the threat of cyberattacks. Hackers are relentless and creative. They will develop new and varied methods to steal money or cause problems by taking over any system. Unfortunately, companies fall into the trap of spending more and more money on unnecessary technology for protection. Compliance to common-sense controls is the best defense against hackers, whether human or AI-based.
Cybersecurity is a battle that IT cannot fight alone. Read below to learn how your company can expand its defense.
HR Should Own Cybersecurity, Not IT
by Erika Clements
Cybersecurity is a battle fought on two fronts: technical and behavioral. Organizations tend to focus an enormous amount of resources on the technical front while seeming to ignore the behavioral side. On the technical front, there are three simple precautions to guard against threats: keeping third party software updated, rolling out antivirus software, and implementing corporate firewalls. These technical safeguards can be likened to building a heavily fortified castle with the most durable material. However, the reality is that more than 90% of cybersecurity attacks happen as a result of a behavioral problem, not a technical one, for example, an employee clicking on an unknown link. This is like taking a heavily fortified castle and opening the front door to the enemy knocking. No amount of technology will eliminate erroneous behaviors.
An emphasis must be placed on changing behavior for effective cybersecurity. The Human Resources department has traditionally been tasked with establishing and enforcing policies governing behavior in the workplace. Why, then, is HR not given the same role when it comes to cybersecurity?
Here’s why HR could be the right department for the job:
1. Expertise
The HR department is the expert in protecting both employees and the company through the creation, communication, and enforcement of personnel policies. When we think HR, we typically think policies concerning payroll, benefits, harassment, discrimination, etc. Similarly, cybersecurity directly affects the well-being of the employees and company and therefore should warrant HR’s attention.
An HR department’s competencies include effective company-wide communications. HR knows how to use straightforward terminology to express otherwise complex technical jargon. Think of the last time you received a communication from IT. Was it clear? HR is equipped to create and enforce cybersecurity policies, arguably more effectively than IT. Employees within the IT department are hired for their technical expertise. Many technologists may not appreciate the need to create policies for things that seem to be common sense in their own minds. The HR department has a better understanding of the way the typical employee will respond to various cybersecurity scams and may have insight into behavioral weaknesses IT wouldn’t have considered. HR can leverage this knowledge to create effective, preventative policies. While cybersecurity policies would certainly require collaboration with the IT department, they can be effectively spearheaded by HR.
2. Encouragement
HR oversees employee relations and benefits administration within most organizations. In many cases, HR holds the keys to job growth and employee well-being. When HR sends a communication, it often directly impacts everyone in the organization. HR is the employee advocate, and most employees do not want to lose their advocate, so they tend to be more receptive to HR than IT. In addition, HR has been the champion tackling issues including diversity, harassment, discipline, health, safety, discrimination, and compliance. Therefore, HR is well equipped to tackle cybersecurity.
3. Engagement
HR is engaged in just about every part of every job in a company, including interviews, hiring, promotions, transferring, and retirement. Therefore, HR has the opportunity to educate employees on the importance of cybersecurity at various touch points.
In the hands of HR, the importance of cybersecurity can be stressed even before employment. HR can ask questions in interviews to gauge a candidate’s understanding of cybersafety and willingness to comply with cybersecurity policies. During onboarding, cybersecurity can be included alongside other company policies and granted a similar importance. Employees should be adequately trained on the company’s cybersecurity policies as well as strategies to avoid falling for internet scams. As HR conducts periodic trainings on harassment, benefits, etc., HR can take the lead on conducting reinforcement trainings on cybersecurity policies (with technical input from IT).
Finally, HR can weave cybersecurity training and compliance into the performance feedback process. Including cybersecurity considerations in this feedback process through the use of incentive compensation ensures managers and employees take cybersecurity seriously.
Though non-traditional to propose HR own cybersecurity, at a minimum, HR needs to play a role in cybersecurity since IT is not equipped to do it alone. One thing is for sure: with the amount of information on our devices and the prevalence of cybersecurity attacks, we cannot afford to be negligent when it comes to fighting the behavioral front of the cybersecurity battle.
Connect with Trenegy for more non-traditional insights.