CEO Richard Blech Weighs In
Cyber attacks are going to happen, say experts, so companies should be more concerned with preparation than prevention.
Last fall, the multinational cybersecurity firm Kapersky Lab surveyed 5,500 organizations in 26 countries on the costs associated with security breaches. According to the study, 90% of businesses surveyed reported that they had experienced a security “incident.” On average, large enterprises spent $551,000 recovering from an attack, with small to mid-sized businesses spending $38,000. And, according to Kapersky Lab, these are just the direct costs related to a breach, which generally include not only the hiring of outside IT expertise, lawyers, risk management consultants, and PR services, but also the expense of downtime and compromised brand reputation. The indirect cost of security breaches––dedicating funds to making sure the company isn’t attacked again––cost large organizations an average of $69,000 and small to mid-sized businesses $8,000.
Granted, these statistics should be taken with a grain of salt. Kapersky Lab offers security-related products and services, and therefore stands to benefit from generating concern among business leaders who are, for all intents and purposes, potential clients. But numbers aside, Kapersky has an extremely valid point: When it comes to security breaches, no one is safe. Remember Target, Sony…the U.S. government? And while it’s the big firms that make headline news, small to mid-sized businesses are just as vulnerable.
“Anyone with money in a bank account, any sort of personal identity information—including [that of] employees—or intellectual property is a target,” said Bob Weiss, CEO and chief technician at IT services firm WyzGuys. Sometimes hackers will attack a smaller organization in the interest of accessing a larger one that does business with it. “A small vendor with network access to a large customer company may be targeted as an entry point to the customer company,” he explained. Case in point: Target was hacked through an HVAC vendor.
The tendency among many organizations is to attempt to prevent breaches outright––a noble concept, but one that some security specialists argue isn’t very effective. “Instead of trying to prevent a security breach, I recommend anticipating one,” said Michael Santarcangelo, founder of cybersecurity consultancy Security Catalyst and author ofInto the Breach: Protect Your Business by Managing People, Information, and Risk.
This mind-set, Santarcangelo argues, leads to the questions that set up organizations to prepare appropriately: What information does a business have that would interest an attacker? Who are its suppliers? Who are its customers? What customer information would hackers potentially want? How is the business connecting with its suppliers and customers? “When a business starts answering these types of questions, the process starts to work differently,” he noted.
One of the ways a business can prepare for––and in this case, possibly prevent––a breach is to minimize its risk exposure. Santarcangelo encourages businesses to offload certain noncore functions, citing credit card processing as an example. “Although getting paid is important, most firms aren’t in the credit card business,” he said. “There are credit card processing companies that are in the business of making sure their clients’ payments are processed securely. Using a reputable one might be a better solution for some organizations because it creates less risk.”
While security breaches are often associated with attacks from the outside, companies must also pay attention to what’s happening internally. However, Santarcangelo warns that just because a breach appears to be an inside job perpetrated by an ill-willed employee, that doesn’t mean it’s really the case. “What we’re seeing more often––especially in smaller organizations—is an employee’s credentials get compromised and the attacker makes it look like the employee is doing it,” he explained. In other cases, an employee will make an honest mistake —like clicking on a link to malware unintentionally setting off a breach.
This is why it’s important to control which employees can see and manipulate what information by applying what is called “least privileged access.” It’s not the most popular term, but Santarcangelo explained it this way: “I’ll give employees exactly what they need to get their jobs accomplished, but I won’t give them any more than that.” Not only does this protect the company, but also it serves to protect employees. After all, what honest staffer wants to be accused of being a malicious hacker?
There should also exist a set of checks and balances that apply to encrypted information and, more specifically, access to decryption keys. “Decryption needs to be done [so] that there’s a system to ensure data’s not compromised and an alert system to know if it was compromised,” explained Richard Blech, CEO at cybersecurity solutions provider Secure Channels. This involves several layers of authentication to determine what he calls “identity trueness”: “That means that the real authorized user with the credentials is the true person who will have access to get something, whether it’s the decryption keys or access to a database —whatever the case may be. There has to be several layers built in,” he said.
Peter Hesse, chief security officer at 10 Pearls, a product and application development firm that offers security assessment services, noted that in preparing for a breach, every organization should develop an incident response plan that outlines what processes to follow if and when the company is attacked.
“While the incident response plan doesn’t have to be complicated or very detailed, it does have to clarify what actions the organization is going to take and who will need to be involved in those actions,” Hesse explained. This should involve deciding who makes up the response team and a plan for how the organization will notify outside suppliers and customers that there has been a breach (and at what point that’s necessary).
“It reduces stress so that the company isn’t trying to pull that information together at the time [of the breach] because there’s a lot of work to do following a breach,” Hesse added. “The firm has to figure out what data is at risk, what’s being done to protect the data, and how to continue to protect it but also make it safer. Having all that ready at a less busy time is a smart idea.”