Cybersecurity

Cybersecurity due care for officers and directors

Dave Nelson, CISSP, is president and CEO of Integrity.

Individuals serving as officers or directors of an organization have a responsibility to investors and clients to ensure that the organization is being run well. This includes multiple facets of the organization’s operations such as finance, regulatory compliance, people management and risk management. There is so much responsibility placed on these individuals that an entire insurance market is devoted to protecting them through the sale of officer and director liability policies.  Evidently the roles of officers and directors are so important that a mistake in their judgment could create significant losses. Why is it, then, that so many in this role continue to allow a blind spot in their oversight to exist? This blind spot is information security.

Officers and directors need to take a more active role in assessing how well organizations are handling the threat of a data breach. Here are some practical examples of steps that can be taken to provide board-level visibility into cybersecurity preparedness.

  • Implement an IT risk management program to identify, classify, track and address technology risks within the organization. This not only helps identify risks but also provides a prioritized action list to ensure time and money are being spent on the largest risks, not just pet projects.
  • Require a quarterly or semiannual report on cybersecurity including any incidents, performance metrics or other data to ensure progress is being made toward your security goals, and that a positive return on investment is being realized for information security expenditures.
  • Ensure the individual responsible for information security has at least a dotted-line reporting structure outside of the technology group. This is extremely important to ensure that the security voice is heard and not squashed by the very management it is reporting on.
  • Require that a robust incident response plan be generated with predefined team members, third-party experts and general counsel. The time to determine how to respond to a breach is not during the breach. Test the plan annually in order to continually adapt to changes in business practices or regulatory requirements.
  • Use a common information security framework such as the NIST Cybersecurity Framework, ISO 27001, HITRUST CSF or PCI DSS to guide security activities and expenditures. These frameworks have been vetted over many years and ensure a consistent approach to information security.
  • Consider using an external security firm to perform a security assessment to ensure the standard of due care and due diligence have been met.

Officers and directors will be called upon more frequently to defend an organization’s information security practices as legal proceedings increase due to data breaches. By requiring a basic level of protection and receiving regular updates on security activities, board members will be better prepared to answer questions about the maturity of their organization’s cybersecurity posture.

Email: dave.nelson@integritysrc.com

Twitter: @integritySRC | @integrityCEO

Website: https://integritysrc.com

The election's effect on the future of cybersecurity and privacy

Dave Nelson, CISSP, is president and CEO at Integrity.

The 2016 presidential election will have long-lasting implications for cybersecurity and information privacy. While Congress has its hands full debating adoption of or updates to legislation, such as updates to the Electronic Communications Privacy Act, the president will be influencing cybersecurity from other directions.

As commander in chief, the next president will provide significant direction to the Department of Defense and the national intelligence community in how to engage America’s enemies in cyberwarfare. Will America continue to develop a cyberwarfare capability within the Defense Department? What will the rules of engagement be during cyberattacks against information systems used by the U.S. military, government agencies or critical infrastructure providers? Should the U.S. unleash a fully offensive and pre-emptive cyber strike in an attempt to deter or prevent a war in the physical world? Are civilian cyber targets such as manufacturing, banking and critical infrastructure information systems fair game in order to attempt to prevent the need to send our troops into the field? 

The next president will also name at least one new justice to the Supreme Court, possibly more. How will those justices view privacy in an electronic world? Will they work to limit the types of information that can be collected by the public and private sectors? Will they work to ensure the Fourth Amendment to the Constitution is applied to the new digital world we live in? Will the U.S. finally begin to be a leader in the digital privacy fight instead of following in the footsteps of Europe, Canada and even to some degree Russia?

While answers to these questions may not be looming as large as how to address health care, Social Security, the economy or gun control, they are nonetheless critical to the future of this great republic. We are just now beginning to see how decisions we made just 10 to 15 years ago are impacting cybersecurity and privacy of individuals and organizations. With the speed of technology innovation and adoption by governments, corporations and individuals, we can no longer sit on the sidelines and “wait to see how things play out.” Significant discussions must be had and decisions made on how we, as the leaders of the free world, view information security and privacy. Elected officials at all levels, including the local city leaders and school boards, are impacting your digital world and that of future generations.  So I encourage you to ask candidates questions on their stance on information security and use that information to help you decide who to cast a ballot for this November.


Are cybersecurity attacks on the rise?

Dave Nelson, CISSP, is president and CEO at Integrity.

Information security professionals and business leaders from around the state will converge on Ankeny on Oct. 4 for the fifth annual Secure Iowa Conference. There will be sessions on digital forensics, developing information security programs, and everything in between. (Attendance is free and you can register at www.secureiowaconference.com.)

A theme in many of the presentations will be the rise of specific attacks. Presenters will discuss the nature of current threats against companies and technology platforms. Attendees will hear from the FBI about the types of cybersecurity attacks they are seeing, specifically in Iowa.

What I wish we had, though, were better statistics. We’ve got data, statistics, analysis of big data and so on to prove any narrative we want to espouse. The problem is, we can’t believe all of it.

The reason isn’t that the data is faulty or inaccurate. The problem is that the data is incomplete. We are missing huge, and I mean huge, chunks of data about breaches.

The Verizon Data Breach Investigations Report (DBIR) has been published for a decade now. In the latest report the authors even noted that some statistics may be skewed because a firm that participated in previous reports did not participate this year. That firm specializes in a certain type of breach, and therefore a lot of that data is missing from this year’s report.

Because of these large chunks of missing data, we don’t truly know how many unpatched servers were compromised or how many incidents actually resulted in a breach. The vast majority of incidents are never reported.

Think of it this way: Are you going to call the police every time you have a virus outbreak that takes a system offline or encrypts your files? Probably not, but it was a reportable security incident that would affect breach statistics. Are you going to call the FBI when someone sneaks a peek at personnel records to see what salary everyone on the team makes? Doubtful, but that’s still a security incident.

Millions of these events go unreported each year because they either don’t result in much if any monetary damage or you simply handled the issue in-house or you didn’t want the potential media exposure.

Don’t get me wrong, cybersecurity is absolutely a huge problem and we are under attack every minute of every day. The evidence we have suggests things are getting worse. I just hate to say for sure how much worse or in what ways when we don’t have all the data.

So I’m going to ask for your help. When you have a security incident, file a report with the FBI at www.ic3.gov. Most of these cases will never be investigated. However, the information you provide will help us have better statistics about the types and source of attacks we are facing today. This will only help in determining the best way to overcome our adversaries.


Pokemon Go - cybersecurity threat?

Dave Nelson, CISSP, is president and CEO at Integrity.

It seems harmless right? Just a way to burn off a little steam.  Simply download this little app and go capture some Pokemon.  Whew…don’t you feel better now? Great, glad to hear it. By the way, all of your company’s servers have just been compromised and your email system was hacked.

Yes, it is just that simple. Mobile apps are a real threat to the information security of every organization. According to Verizon’s 2016 Data Breach Investigations Report, data breaches originating from mobile devices such as smartphones were not a significant factor last year. However, exploit packs targeting mobile platforms are known to exist, and as smartphones increasingly take on daily computing functions, it is only a matter of time until a major data breach occurs due to a smartphone compromise.

There are three areas of concern when using mobile apps. First is the proliferation of fake apps. Because apps are often restricted by device type, operating system version, country of origin, etc., there are many fake apps in the app stores. These applications are often filled with malware and malicious tools. Users who are not paying attention or have problems downloading the original app can end up welcoming this malware into their mobile phone.

A second problem is how users authenticate to the application. When the app lets users sign in with their Apple ID, Google ID or Microsoft ID, the permissions those sign-ins grant to the app require close inspection. For instance, when it was released, the Pokemon Go app allowed users to log in using their Google ID. The app requested far more permissions than needed, which gave the creators of Pokemon Go full access to your Google Mail, Drive, Calendar, Docs and other site features. (Niantic subsequently reduced the permissions the app requests, but the lesson stands.) Wow…talk about an invasion of privacy and a huge security breach. If your company uses Google products for any of its confidential data, you effectively gave the folks at Pokemon Go full access to your confidential information.

The last concern I want to cover is the permission level of the mobile app itself. Does it have the ability to access protected storage? Can it access stored credentials on the device? Can it record keystrokes, voice commands, search strings, etc.? All of these could send confidential data back to an application developer and give them full access, not just to the device itself, but potentially to your internal network or the virtual private network (VPN) used for remote access. Whoops again…
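As an added example (not code from the original post, Niantic or Google), the script below performs the two permission reviews the preceding paragraphs call for: it parses the scope parameter of an OAuth 2.0 authorization request and flags scopes beyond what plain sign-in needs, and it reads an Android manifest and flags runtime permissions that let an app capture audio, messages, contacts or location. The sample authorization URL (with a hypothetical client_id and redirect_uri) and the sample manifest are constructed; the scope strings and permission names are real identifiers, while which ones count as "excessive" or "dangerous" is this example's own classification.

```python
"""Least-privilege review of a third-party mobile app's requested permissions.

Added example, not code from the original post. Two checks:
  1. the OAuth scopes an app asks for during "sign in with Google";
  2. the Android permissions declared in its AndroidManifest.xml.
The sample inputs are constructed; the allow/deny lists are assumptions.
"""
from urllib.parse import parse_qs, urlparse
import xml.etree.ElementTree as ET

# Scopes a plain "sign in" needs: identity only (assumption of this example).
SIGN_IN_SCOPES = {"openid", "email", "profile"}

# Real Google scope identifiers that grant broad data access.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/calendar": "full Calendar access",
}

# Real Android permission names covering microphone, SMS, contacts,
# call log, storage and location.
DANGEROUS_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def requested_scopes(auth_url):
    """Return the set of scopes in the space-separated 'scope' query
    parameter of an OAuth 2.0 authorization request URL."""
    query = parse_qs(urlparse(auth_url).query)   # '+' and %XX are decoded
    return set(" ".join(query.get("scope", [])).split())


def excessive_scopes(auth_url):
    """Map every scope beyond sign-in to a reason: a description for known
    high-risk scopes, a generic note for anything else."""
    return {
        scope: HIGH_RISK_SCOPES.get(scope, "not needed for sign-in")
        for scope in requested_scopes(auth_url) - SIGN_IN_SCOPES
    }


def declared_permissions(manifest_xml):
    """Collect android:name from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}


def dangerous_permissions(manifest_xml):
    """Declared permissions that fall in the dangerous set."""
    return declared_permissions(manifest_xml) & DANGEROUS_PERMISSIONS


# Constructed sample: a sign-in request asking for Gmail and Drive as well.
SAMPLE_AUTH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?"
    "client_id=example-client-id.apps.googleusercontent.com"   # hypothetical
    "&redirect_uri=com.example.game%3A%2Foauth"                # hypothetical
    "&response_type=code"
    "&scope=openid+email+profile+https%3A%2F%2Fmail.google.com%2F"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive"
)

# Constructed sample manifest for a hypothetical game.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""

if __name__ == "__main__":
    for scope, why in sorted(excessive_scopes(SAMPLE_AUTH_URL).items()):
        print(f"excessive OAuth scope: {scope} ({why})")
    for perm in sorted(dangerous_permissions(SAMPLE_MANIFEST)):
        print(f"dangerous Android permission: {perm}")
```

The OAuth check works on the authorization URL the app opens in the browser or web view, which is visible in a proxy or device log before the user consents; the manifest check works on the decoded APK. Both are static reviews and say nothing about what the app does with a permission once granted, which is why the BYOD controls in the closing paragraph still matter.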

As you can see, there are real dangers from mobile apps. To date, there have not been many reports of data breaches from this threat angle, however, it’s simply a matter of time. Organizations need to remain vigilant in restricting access for Bring Your Own Device (BYOD) programs and implementing strong controls for mobile devices such as smartphones and tablets. Don’t let the Pokemon capture you or your company.


After a data breach, talk is cheap

Dave Nelson, CISSP, is president and CEO at Integrity.


I had lunch with a friend today who was affected by a recent data breach at a restaurant his wife and kids frequent. I will not name the company, but it is publicly traded with restaurants in 35 states. So, this isn’t a mom and pop shop. It’s a large enterprise. My friend had concerns about the data breach, and emailed the company to see what support it was going to provide as a result of the breach.

To his amazement the company offered no support, other than to say he should be careful and watch his bank account closely. I haven’t seen the actual correspondence yet, but he promised to share it with me. Given my relationship with this friend, I have no doubt about the accuracy of his description.

This got me thinking about my own experience with one of the top five fast-food chains from about a year ago. Some of you may follow me on Twitter and remember me calling out Wendy’s about a payment card concern I had after visiting one of their stores in the Des Moines metro. A VP of operations for the local franchise group told me to investigate the issue myself and they were not concerned. He then ignored every email I sent after that requesting additional information and support.

Lo and behold, about a year later, Wendy’s announced a major credit card data breach. In fact, last month Wendy’s admitted that the cybersecurity incident was worse than it originally thought.

This brings me to my point. If you have a data breach, respond to your customers. You might not like what they have to say, and some of it might get nasty.  However, not responding, not owning the problem and appearing to be unconcerned or aloof will only make it worse. 

During and after a cybersecurity incident or data breach there are many things that are out of your control. You have to accept this. However, the things that are in your control should be made a high priority for your team. Have a pre-defined response that doesn’t contain the emotion of the hour. As a CEO or business owner, one of the hardest things to swallow is the loss of reputation. It’s difficult to put a dollar amount on this. Don’t you want to do everything possible to assure your customers that you care about them during your darkest hour? How much goodwill can be bought by timely and polite communications? There really is no cheaper insurance against losing a long-term customer than valuing the relationship. 

One last word of advice: If you deal with any sort of personally identifiable information (PII) such as financial account numbers, health care information, Social Security numbers, etc., you need to buy data breach notification insurance that includes credit monitoring. Even if some studies show the monitoring is ineffective, you are buying back some of your clients' trust in your brand. In the end, talk is cheap, trust is not.


Your greatest cyber weakness? People

Dave Nelson, CISSP, is president and CEO of Integrity.

In past blogs, I’ve talked about the impact end users have on an organization’s information security posture. Users are often the first and last, and sometimes only, line of defense an organization has against hackers. This has never been more true.

According to the 2016 Data Breach Investigations Report (DBIR), the top three assets involved in confirmed data breaches are servers, user devices and people, in that order. The DBIR’s chart of breaches by asset category shows the trend: of those three, server breaches have been declining for several years, while breaches through user devices and people are steadily increasing.

The uptick in user devices being used in data breaches is commonly attributed to mobile devices such as smartphones. This, however, is false. Mobile phones account for about 0.01 percent of data breaches. This means that desktops, laptops and point-of-sale devices are the true culprits.

What is really happening is that IT and security teams are getting better at protecting critical assets like servers.  They are being patched more frequently, they are being isolated from other devices and they are being monitored more closely. Therefore, even if a security incident occurs, it can be detected and addressed before an actual data breach occurs in some cases. 

User devices in most cases are not deemed “critical” and therefore do not have the same controls. They are also susceptible to errors made by their primary users: people. Hackers are therefore moving to the assets they know they can attack: people and the computers they use every day.

Organizations should begin to consider adding all end-user workstations, desktops and laptops to their security information and event management (SIEM) monitoring systems. This added visibility will help detect the source of internal threats faster and aid in remediation efforts. This saves time and money during incident response activities and breach investigations.

This brings us to people as targets. I’ve written on multiple occasions about social engineering attacks, or those attacks that target humans to gain access to a system or data. In this year’s report, it is the No. 3 attack vector, behind malware and hacking.

As I’ve said before, providing security awareness training for your employees is one of the most beneficial security controls an organization can invest in. Simple 30-minute online learning courses don’t cut it, though. If you really want to see benefits, have your employees attend security sessions in small groups where they have to participate and be engaged. Once employees become not just educated in security awareness but actually invested in preventing attacks, an organization can have some assurance that many of the attacks coming their way will be identified and thwarted by the targets themselves, their own users.

If the 2016 DBIR does nothing else, it shows us that cybercriminals are no different from other types of criminals. They will adapt with changes in their environment and will target the areas they find weakest. The only way to combat them is to fight back with better training and tighter monitoring.


PCI compliance v3.2 - what's new

Dave Nelson, CISSP, is president and CEO of Integrity.

PCI Compliance Version 3.2

If you accept credit cards as part of your organization's operations, you should take note that the PCI Security Standards Council recently released version 3.2 of the Payment Card Industry Data Security Standard (PCI-DSS). There are quite a few changes and clarifications along with some new requirements. Before I cover what’s new with v3.2, let’s review who needs to be PCI compliant.

Who is required to be PCI compliant

If your business processes, stores or transmits any cardholder data, you must be PCI compliant. What this means is if you accept credit cards for payment via a website, telephone, in person, etc. you must comply. Even if you simply have the card numbers on file but don’t actually accept payments, you must comply. This is why the standard covers anyone who processes, stores or transmits cardholder data.

There are quite a few levels of compliance. In essence if you handle fewer than 6 million transactions annually you typically are able to self-certify using a Self-Assessment Questionnaire (SAQ). There are different versions of the SAQ, which are used depending on how your organization handles credit card data.

Often organizations believe they have fully outsourced their payment processing and therefore have no internal PCI compliance requirements. This is absolutely false. There are still requirements you must meet and you should be completing a Self-Assessment Questionnaire to avoid penalties and taking on additional risk of financial liability from fraudulent charges. For those who do have responsibility to comply with PCI-DSS v3.2, here are some of the changes coming with the new version. 

The most impactful PCI Compliance updates

The biggest change is a new requirement that anyone with non-console administrative access to the cardholder data environment (CDE) must use multi-factor authentication.  The PCI Council definition of non-console administrative access is “Refers to logical access to a system component that occurs over a network interface rather than via a direct, physical connection to the system component. Non-console access includes access from within local/internal networks as well as access from external, or remote, networks.” This means even local domain or network administrators who are not sitting at the keyboard of the system they are administering must be authenticated via multiple factors. 

This is a very big change.  It will require most organizations to implement additional controls and possibly re-architect some of their infrastructure to allow this to occur. This becomes effective Feb. 1, 2018.
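SSH access to a server in the CDE is one common form of non-console administrative access. As an added example (not code from the original post or from the PCI Council), the script below audits an OpenSSH sshd_config for the requirement above. It assumes the OpenSSH semantics of AuthenticationMethods: the value is a space-separated list of alternative method chains, each chain a comma-separated list of methods that must all succeed, and a chain counts as multi-factor only when it combines methods of different factor types (for example a key plus a keyboard-interactive one-time code). It also assumes, and cannot verify statically, that keyboard-interactive is backed by a PAM second-factor module. The sample configurations are constructed.

```python
"""Audit an sshd_config for enforced multi-factor authentication.

Added example, not from the original post or the PCI Council. It parses the
global section and each Match block separately (sshd takes the FIRST value
of a keyword within a section, and a Match block inherits anything it does
not override), then reports every method chain that admits a single factor.
"""

# Factor type of each OpenSSH method (this example's classification).
# keyboard-interactive is counted as a knowledge/OTP factor on the
# assumption that PAM supplies a second factor behind it.
FACTOR_OF = {
    "publickey": "possession",
    "hostbased": "possession",
    "password": "knowledge",
    "keyboard-interactive": "knowledge",
    "gssapi-with-mic": "knowledge",
}


def parse_sections(config_text):
    """Return [(section_name, {keyword_lowercase: first_value}), ...]
    with 'global' first and one entry per Match block."""
    sections = [("global", {})]
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            sections.append((line, {}))
            continue
        sections[-1][1].setdefault(key, value)   # first value wins
    return sections


def chain_is_multifactor(chain):
    """'publickey,keyboard-interactive' -> True; 'publickey' -> False;
    'password,keyboard-interactive' -> False (two knowledge factors)."""
    methods = chain.split(",")
    factors = {FACTOR_OF.get(m.lower(), "unknown") for m in methods}
    return len(methods) >= 2 and len(factors) >= 2 and "unknown" not in factors


def weak_chains(config_text):
    """List (section, chain) pairs that let a user in with one factor.
    A missing directive, or 'any', means sshd accepts any single
    enabled method, which is reported as a finding of its own."""
    sections = parse_sections(config_text)
    global_value = sections[0][1].get("authenticationmethods", "")
    findings = []
    for name, directives in sections:
        value = directives.get("authenticationmethods", global_value)
        if not value or value.lower() == "any":
            findings.append((name, "<no AuthenticationMethods>"))
            continue
        findings.extend((name, c) for c in value.split() if not chain_is_multifactor(c))
    return findings


def requires_mfa(config_text):
    """True only when every section enforces a multi-factor chain."""
    return not weak_chains(config_text)


# Constructed samples.
WEAK_CONFIG = """
PasswordAuthentication yes
PubkeyAuthentication yes
"""

FALLBACK_CONFIG = """
# key+OTP is offered, but a bare key still works
AuthenticationMethods publickey,keyboard-interactive publickey
"""

MATCH_EXCEPTION_CONFIG = """
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive publickey,password
Match User backup
    AuthenticationMethods publickey
"""

STRICT_CONFIG = """
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
"""

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("fallback", FALLBACK_CONFIG),
                      ("match-exception", MATCH_EXCEPTION_CONFIG), ("strict", STRICT_CONFIG)]:
        print(f"{name}: requires_mfa={requires_mfa(cfg)} weak={weak_chains(cfg)}")
```

The Match-block case is the one most often missed in an assessment: the global policy looks right, and a per-user exception quietly restores single-factor access. Run the audit against the effective config (`sshd -T` output, if you prefer) on every system in scope, and remember that SSH is only one path; RDP, web consoles and hypervisor management interfaces need the same treatment.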

Another evolving requirement is that your change management process must address how any changes to the CDE will impact PCI requirements.  In the past, the change simply had to be addressed through the process. Now, an impact assessment must accompany this change.  For some changes this will be simple and easy to document. Others will require more detailed documentation. This should have been done in the past but it frequently was very informal. This will force the impact of these changes to be formally discussed and documented. This becomes a requirement on Feb. 1, 2018.

Many of the other changes are simple clarifications that either reinforce the existing requirements or provide additional flexibility in how the requirements can be met. The majority of these changes go into effect immediately as all assessments after Oct. 31, 2016 will use the v3.2 requirements. Compliance with PCI-DSS is becoming harder and harder. Organizations should expect additional information security and privacy legislation from the government as well as enhanced requirements from private sector groups.

 


Managing your IT vendors

Dave Nelson, CISSP, is president and CEO of Integrity. 

Outsourcing of information technology services is common. Companies from the largest to the smallest outsource some part of their information technology needs. Larger companies have the benefit of senior level leadership, which can provide solid oversight to these third-party IT vendors, but smaller organizations are at a great disadvantage in this arena. Completely reliant on their IT vendors, small organizations must trust their providers to fully understand their business when making recommendations for technology solutions.

Selecting an IT vendor

Selecting IT vendors should be like selecting the right doctor. You have one vendor that can provide most of your day-to-day requirements, but you might have a couple of others who specialize in certain areas and can help develop a strategy that best fits your business. Certainly, you may pay a little more for those specialty vendors, but that additional cost is justified by eliminating the risk of going with the generalist for your specialty needs.

Understanding the statement of work

When outsourcing IT services, it is important to establish a roles and responsibilities matrix. The IT vendor knows exactly the services they will and will not provide based on the statement of work. Do you? This is one of the biggest gaps we see during data breach investigations. The organization believes it has outsourced a function to its IT vendor, but the vendor believes only a portion of that function is its responsibility. Critical tasks are then left with no one to perform them, and that unowned gap is what an attacker exploits.

The price of miscommunication

A common occurrence is in anti-virus management. An organization outsources anti-virus management to a vendor and assumes the vendor is providing end-to-end management of this solution. Based on its interpretation of the contract, the vendor believes it is only responsible for installing the anti-virus solution and providing a centralized management console. It believes the client is responsible for monitoring the console for malware activity and unprotected systems, because the client did not sign up for the “Platinum Level” of service. This leaves the client out of compliance with its own definition-update or daily-scanning policy, and nobody notices until something is missed.

As you can see, there was a breakdown in communication. The client didn’t understand their responsibilities based on the service they had actually purchased. Who’s at fault? Is it the client, for not getting a clear picture of what they bought? Or, is it the vendor, for not clearly communicating risk that wasn’t being addressed? Each party has some responsibility in this scenario.

Roles and responsibilities

Organizations that use outsourced IT vendors need to understand that they are ultimately responsible for protecting their systems and data. They should require a roles and responsibilities matrix to help develop an understanding of what the vendor is doing and not doing for the organization. This is especially true now, as many IT vendors are backing away from including many information security tasks in their standard service offerings.

Following a security framework

This roles and responsibilities matrix should be aligned with some form of best practices or security framework such as NIST SP 800-53. Organizations should also require their vendor to have some sort of oversight for their service delivery. Vendors should be required to go through an audit each year, either by the organization or a qualified auditor. This will ensure that the vendor is providing the service levels and security activities required by the contract.

The impact of your organization’s regulations

If you are regulated under HIPAA or by the FDIC, NCUA, NERC or other federal agencies or regulations, IT vendor management will become very important to you in the coming months and years. Regulators are taking a much closer look at how well you manage risk to your systems and data. They are checking to make sure you are providing oversight to the vendors who provide information technology services for your organization.

 


3 questions to ask your technology leader

Dave Nelson, CISSP, is president and CEO of Integrity.

“Time is of the essence.” “Time is money.” Yadda, yadda, yadda. You’ve heard it all before. Every business leader is pressed for time in one way or another. That’s why today’s post is quick and simple: Three questions every business leader should be asking their technology leader or IT service providers.

1. How are we coming on addressing the top risks identified in our latest IT risk assessment?

This assumes you have performed a high level risk assessment with your CIO, CFO, Legal, HR and Insurance teams within the past year. Technology is changing daily. The way we use technology is changing just as fast. Are you up to speed on the risks that your organization is facing from the use of technology in your business operations? Are you addressing the biggest risks first? Are your investments to lower risk working? Are there new laws that could change your risk? Can new insurance products transfer some of the risk?  Ask questions of your leaders. Make sure sufficient progress is being made to reduce risk where necessary.

2. Do we (you, for vendors) have the expertise on staff to deal with the changing threat and regulatory landscape?

This is a tough question to be asked. Everyone hopes to have the best and brightest on our teams. The reality is we always have gaps.  Make sure your leaders know gaps are OK. They do however need to be identified and dealt with. Perhaps you have a security team already. Great, but do they have all the skill sets needed to fully protect the organization? If not, can they get them? Should they? Are contracts or retainers with experts a better solution?  Either way, it’s best to be prepared. You can’t afford to be caught flat footed in this rapidly changing security environment. When using external IT providers, don’t assume they have security expertise. Ask for proof.

3. Can you provide reasonable assurance that we’ve not had a system breach in the past “x” months and will your evidence stand up to an independent third-party review?

The idea here is to make people uncomfortable. You don’t want to be placated. You don’t want to hear someone touting their belief in the team. You want concrete evidence. Make them show you months of event logs that have been reviewed for anomalies or malicious activity. Ask for something, anything. Just don’t settle for “We believe our systems are safe”. Even if you have no plans to get an independent review, ask them to be able to support their conclusions. As Ronald Reagan said, “Trust, but verify”.

Business leaders who get answers to these three questions will be far ahead of their peers and competition. While there is a “right” answer to every one of these questions, the “right” answer will be different for everyone. The important thing is to ask the questions and that you feel comfortable with the answers you’ve been given. That’s what IT risk management is all about.


Why the iPhone encryption battle matters to you

Dave Nelson, CISSP is president and CEO of Integrity. 


There is no doubt, the stakes in the battle over the San Bernardino terrorist’s iPhone encryption are huge. You need to be involved in this fight, pick a side and then be vocal. Call your legislators, write opinion letters to your paper’s editor, or any other means necessary to inform and engage others.

Certainly the terrorist actions were horrific. Families have been forever damaged. Our way of life has been attacked. There is no denying the pain and suffering caused by this senseless act of terror. On the surface it makes perfect sense to want to force Apple to break the iPhone encryption so that authorities are able to discover other terror links and those involved with this brutal attack.

We must, however, take a step back and look at two critical components of this argument. Setting aside our emotion, let’s think rationally for a moment about the long-term consequences of the government’s request of Apple. We must also acknowledge the fact that while breaking the iPhone encryption may be the easiest or fastest way to the information, it is absolutely not the only way to get that information. That distinction must be made perfectly clear.

Let’s first consider the demand for a company to build something that it does not currently possess. The basic premise of our capitalist free market system is that the government is not involved in setting product strategy, pricing, or other day-to-day activities of private enterprise. Once we open this door, where does it end?  I understand this is a matter of national security, but we cannot continue to erode the basic principles on which our republic was founded in the name of national security.  This has happened for far too long, and there must be a limit to how far America changes before we are not America any longer.

The second issue of concern is actually the one of greater importance. It is the government’s insistence on breaking into encryption. In general this is a very bad idea. Think of all the things that are protected by encryption: every “secure” internet transaction from online banking to shopping and secure email. Protection of protected health information (PHI) in your medical records is accomplished with encryption. All of your tax records with the IRS including your Social Security number, earning history and charitable contributions are encrypted for your safety and security. Bigger picture - our nuclear arsenal, military communication, stealth technology, troop movements, battle plans…yep, all encrypted.

The fact of the matter is that encryption is a core component to just about every facet of our lives today. Both our personal and work lives are dependent on the bedrock of security that is found through the use of encryption.  Creating a backdoor or methodology to undermine the security of encryption could be devastating.  If you couldn’t trust the “SSL” used to do online purchasing, would you?  If people stopped buying online, how would that affect our economy?

The notion that the government is willing to let Apple keep this technology after they create it is absurd. Something this valuable wouldn’t be kept a secret for long. All the money the U.S. government has spent to protect military secrets has failed. China has built a stealth fighter jet based on stolen US technology. Who can honestly say this technology wouldn’t be even more valuable?

For those of you thinking I haven’t considered the other side of this argument, you are wrong. I was on Capitol Hill last year speaking with a Senate staffer working on national security issues for the Senate Judiciary Committee.  He asked, “If your child was kidnapped and the only way to find him was through a backdoor to the encryption on the kidnapper’s iPhone, would you then be in favor of a backdoor?” I looked him square in the eye and said, “No.”  I come from a long line of veterans who served during WWII, Vietnam and Iraq. One thing I know is that sometimes the sacrifices of a few must be made to protect the many.

While not having immediate access to encrypted criminal or terrorist information may have direct consequences, think of the bigger picture and the long-term consequences of a world where encryption cannot be trusted.  That’s not a world I think any of us want to experience.

Cyber insurance advice

Dave Nelson, CISSP, is president and CEO of Integrity.

Let’s start 2016 off with a bit of advice for any company or non-profit organization that uses technology. You should purchase cyber insurance this year. In today’s world of high profile cyberattacks, a few things have become crystal clear. First, it’s not if you will suffer a cyberattack, it’s when. Second, data breaches occur at companies of any size and in any industry. And finally, no matter how much you spend on information security, a breach will be costly.

Just as when purchasing insurance to protect any other asset, it’s a part of a risk mitigation strategy. You can’t simply buy insurance and take no other precautions. Insurance is designed to limit your exposure to loss after a series of other steps have been taken. 

The question is, what kind of cyber insurance is right for you? Let’s look at some of the coverage options available today.  Every carrier is different and these policies are nowhere near standardized like general liability, auto, life, or home policies. Each carrier may call their coverage something different but you need to understand what is covered and what is not.

Network Security

This type of policy typically will cover the costs associated with the downtime and cleanup from network security issues such as a virus outbreak. You need to read carefully because this may not cover actual hacking attacks.

Incident Response

This policy will cover the costs for a security expert to lead the effort to assess the data breach, coordinate the reaction plans, document remediation, and work with law enforcement on your behalf or interface with regulatory agencies. Having an expert lead incident response usually results in quicker resolution. They often provide a more complete assessment of the true cause of the breach, can help suggest remediation actions, and provide counsel during and after the incident.

Digital Forensics

Knowing you suffered a breach is one thing.  Discovering how it happened, the depth and breadth of the breach, or discovering other existing breach points is another thing.  Digital forensic coverage will cover the costs to fully investigate the incident and discover any additional threat actors in your environment.

Remediation Efforts

Some policies will only cover the costs to stop the active breach.  While that certainly helps, it doesn’t mean that same attack vector will not be used in the future.  A policy that covers at least a portion of the costs to fix the problem can be helpful.

Breach Notification

Notifying clients that a breach has occurred is required by state breach notification laws, HIPAA and many international laws. This type of coverage will pay for the costs associated with identifying the affected parties and notification of the victims according to any regulatory requirements.

Credit Monitoring

Providing credit monitoring or other post-breach assistance to victims is often a common way to buy goodwill with your affected customers. This policy will cover these costs.

Legal Defense

Many data breaches end up in some form of litigation, whether between you and a vendor, you and a client, you and a regulatory body, or you and just about anyone. Policies vary on how and to what extent the insurance carrier will defend you in litigation.

This is just the tip of the iceberg in terms of cyber liability insurance. This is still a relatively new field and due to significant losses to insurance carriers, they are scrambling to create policy limits and exclusions to limit their losses.  Most general liability policies now explicitly exclude any coverage for network and information security related issues, thereby forcing you to purchase coverage for this inevitable loss.

It’s imperative that you discuss cyber insurance with a broker who is well versed and specializes in cyber coverage. A vast majority of the brokers today are inexperienced in dealing with cyber insurance due to its relative newness in the marketplace and the ever changing products offered by carriers.

One last word on why you should buy cyber insurance. You may have the staff and expertise to deal with a data breach internally, but the time spent by your internal resources responding to a breach is not covered by insurance.  Your team is taken away from their daily jobs to address the breach, leaving other important tasks on the back burner for days, maybe even weeks.  Cyber liability insurance typically only covers the costs for external parties to address the breach. It is important to ask yourself if having insurance that covers the cost of external help will outweigh the costs of internal resources being pulled away to handle the incident.

Security event monitoring myths and truths

Dave Nelson, CISSP, is president and CEO of Integrity.

Credit monitor, health monitor, baby monitor, hall monitor. Do you see a pattern here? We utilize monitoring in all areas of life, both to proactively detect suspicious behavior and thwart bad actions, and to provide reactive assistance in determining the details after unwanted actions take place. Nearly two-thirds of all successful data breaches also have something in common: either substandard security event monitoring or a complete lack of it.

Devices Generating Logs

You know how people often say only the dumb criminals get caught? That’s only partially true. Even the dumbest ones get away when nobody cares enough to watch. Every technology device creates an event log of some type. Now some are very verbose and have more information than you could possibly want, while others are relatively simple. Every firewall, server, desktop, smartphone, tablet and other computing device has a log file. Even security cameras, door badge systems, electronic time clocks and other “smart” devices have logs. The question is, what happens to all of those event logs?

Well, in most cases they are simply overwritten with new logs when the log file gets full. Nobody ever reviews them to look for suspicious behavior. They are not stored in a safe place or backed up. Lots of useful information that could either help detect and prevent a cyberattack or provide details to post attack investigators is simply lost.

Myths and Truths

Today I want to debunk some myths about security event monitoring to help encourage you to take the next step.


Myth: Turning on event logging will impact system performance.

Truth: Most of the event logging you need turned on is on by default and systems are designed to handle the creation of event logs for security review. Only in extreme cases will event logging create a performance impact to your system.


Myth: Security event monitoring takes too much time.

Truth: There are tools that are designed to collect the event logs and correlate those events to identify suspicious activity and provide alerts based on predefined patterns of behavior. In most cases this can take millions of event logs and turn them into a handful of actual incidents to review.


Myth: Security event monitoring is too expensive for anyone other than a large enterprise

Truth: There are several SIEM tools that are well within the reach of most businesses. There are even managed security service providers (MSSPs) who can provide the tools and the expert staff to review the incidents for under $20/day.


Myth: We don’t need to review security logs because we’ll know if we’ve been hacked.

Truth: The average time to detect a breach today is 6 months, and more than two-thirds of data breaches are discovered by someone other than the victim company.


In the information age we live in today, security event monitoring is essential. When used properly it can alert you to suspected cyberattacks. It also ensures that a breadcrumb trail is left for investigators to pursue after an attack happens. Ask your IT team what type of security event monitoring is in place at your organization, and make sure someone is reviewing your logs daily.

2016 cybersecurity predictions

Dave Nelson, CISSP, is president and CEO of Integrity.

With all of the information security breaches of 2015 in our rear view mirror, let’s take a moment to look ahead to my predictions for cyber threats and trends in 2016. It’s important to remember that these aren’t really random thoughts from some guy spelling doom and gloom for the future. They are based on research data from the likes of the Ponemon Institute, FBI, Secret Service, Verizon, Microsoft, Symantec and other well known organizations.  They also reflect the real world experiences of the incident response and consulting teams at Integrity. 

#1 Continued attacks against health care

Health care records are far more valuable on the black market than simple credit-card or bank-account information. There are several reasons for this. Financial information has a short lifespan. Compromised accounts are quickly closed or funds are depleted. Health care records, however, can be used over and over again. They can also be used for different purposes. Extensive fake identities for criminals or terrorists can be created using physical characteristics. People can be blackmailed into performing actions in order to stave off the release of private medical information. These records can also be used for financial gain in committing billing fraud through organized crime rings.

#2 Increased attacks against manufacturing

Research shows that intellectual property is one of the top targets during a data breach. Companies both domestic and foreign are under increasing pressure to compete in a global marketplace. For companies who spend billions each year on research and development, protecting this intellectual property is essential. Foreign nations are setting up advanced cyber warfare divisions to steal intellectual property for use in military applications. And those countries with nationalized industries are also looking for any commercial idea they can find to capture market share and increase revenue. Even smaller companies that make unique items or have a niche market are at serious risk.

#3 Increased use of social engineering tactics

As we continue to build more secure networks and applications, it gets harder to hack them in some respects. As this occurs, hackers will try to find other avenues to get what they want. Using our humanity against us through social engineering attacks will continue to rise until everyone understands our digital lives at work and at home are becoming indistinguishable. Our eating or exercise habits don’t change from work to home. Nor do our computer habits. We must train society at large to take information security seriously wherever and whenever they use technology.

#4 Attacks will become increasingly targeted and sophisticated

The cyberattacks that companies face today are different. They are shifting to targeted attacks looking to capture specific information or inflict specific damage. Because of this, these attacks are more sophisticated than ever.  The old days of simply patching systems to remove vulnerabilities in order to prevent cyberattacks are long gone. Cybersecurity defenses will need to become more advanced to keep up with the threat.

2016 will be no different than 2015. Successful cyberattacks will continue to occur at an alarming rate. We must adapt and take this global threat seriously at the individual, corporate and government levels.

The human element of information security

Dave Nelson, CISSP, is president and CEO of Integrity.

When most people talk about developing an information security program, they are referring to the administrative, physical or technical controls used to protect information. While no information security program can be effective without them, there is one key element that is often underestimated: the human element. The reality is that humans are responsible for designing, implementing and following all of the controls put in place to protect information. One failure in the human element can spell disaster in terms of information security. And the sad thing is that it often does.

The good news is we can make large gains in information security by simply providing effective training to our users. According to the Verizon Data Breach Investigation Report nearly 1 in 3 successful cyberattacks has a social engineering component. Social engineering is nothing more than a hacker attacking a human rather than a computer.  They use their knowledge of human behavior to con a user into giving them information over the phone, clicking links in emails or giving them physical access to systems or data. If we can prevent more successful social engineering attacks, we can reduce the number of successful cyberattacks.

Targeted Attacks

Raise your hand if you took an information security awareness course for work this year. If that course explicitly trained you to spot and respond to specific social engineering attacks that would be targeted to you, keep your hand up. I’m guessing there aren’t many hands still in the air.

Traditional information security training is failing.

Attacks are becoming more targeted to companies and individuals. They are coming from groups that have done research into your organization’s people and practices. They have a specific target objective and have been designed specifically for this purpose.

Small but Mighty

The Verizon data breach investigation reports that 23 percent of users open phishing emails and more than one in 10 click on links in these emails. This may seem like a small number, but let me put this a different way. One of every 10 users in your company will take a single action which will allow a hacker to compromise your security when presented with the opportunity. In a company of 500 people, a hacker will have 50 or more people who will provide credentials or open a machine to compromise by clicking on a link in an email. Does this paint a different picture? 

Information security training has to be more than just a review of regulatory guidelines, company policies and good password selection. It has to show users examples of the types of attacks they are facing right now. It has to transcend computer use in the office and needs to show how our digital life is connected to both work and personal computer use. How can we expect people to combat digital con artists when they don’t even know how to spot them?  Security awareness training is a cost-effective method for fighting back against the onslaught of attacks against your organization.

Preparing for a cyberattack or data breach

Dave Nelson, CISSP, is president and CEO of Integrity.

In today’s world of nonstop cyberattacks, companies must prepare for when, not if, they are attacked. It is important to remember that these attacks come in various forms and severity. Your company may suffer multiple attacks this year. One may be in the form of a virus or malware outbreak; another could be a significant compromise of intellectual property.

To minimize the impact of a cyberattack, it is vitally important that your organization have a well-defined incident response plan. 

This plan should be documented to ensure the process is repeatable in the event of an emergency. Team members who will be responding to the incident should be trained on using the plan. A good way to do this is to test or exercise the plan. This also helps identify weaknesses or gaps in the plan. The test can be in the form of a tabletop exercise where the plan is simply reviewed and discussed or an actual walk-through of a scenario in which each step of the plan is tested to ensure it provides accurate guidance.

A key area often overlooked when developing an incident response plan is to document the external parties you may need to call on in the event of a cyberattack.  Data breaches never announce the time and date they occur. They are always a surprise and can create a lot of confusion and anxiety. This is not the time to be trying to identify an attorney with cyberlaw experience or a security firm with digital forensic and incident response experience. Having a computer security incident response plan in place will help ensure you have the right resources at your fingertips.

Another common question during an incident is whether or not law enforcement should be notified of the incident. By defining the criteria which would dictate the need to contact law enforcement before a cyberattack occurs, you have the luxury of making these decisions in a low-stress environment. At Integrity, we often recommend contacting law enforcement at some point during a breach investigation, but there are valid reasons not to do this as well. Taking the emotion out of the decision can help ensure you make a rational choice that is in your best interest.

If you use an outsourced IT provider to help you manage your systems, you may or may not want to rely on them to drive your incident response plan.  In most cases we recommend that the business be the owner and driver of the incident response plan. This ensures that business decisions are made by the people with the knowledge and authority to make those decisions instead of a network engineer or account manager.  Often, IT providers are not experts in information security and leading incident response teams, and they may make decisions that are not in the best interest of your company. An incident response plan isn’t one of those things you hope you never use. It will be used and can help bring order during the chaos of a cyberattack.

Remote access can sink your business

Dave Nelson, CISSP, is president and CEO of Integrity.

Providing the ability to access critical systems and data via remote locations is critical for most organizations today. Allowing employees to work from home if they have sick kids, employing remote office workers to attract and retain top talent, and enabling disaster recovery and business continuity procedures are all valid reasons that companies implement remote access.

If not implemented properly however, unauthorized users are just as likely to gain access to the crown jewels as your employees. One of the easiest ways to hack an organization is through the remote access provided to employees. 

Windows 2003 is still frequently used to provide remote access to employees, students, contractors and vendors. This operating system was released 12 years ago. Consider the following things that happened in 2003. Apple iTunes was released with just 200,000 songs. The movie "Finding Nemo" was released. LeBron James was an NBA rookie. And the first iPhone was still four years away.

Kind of makes 2003 seem like an eternity ago, doesn’t it? From a technology perspective it might as well have been a century ago.

Often we implement technology solutions which seem to continue to work well and serve their purpose. Because they are working, we leave them alone. What we fail to do is continually review the risks to our business as the technology matures and the threats evolve. Remote access is a perfect example.

It is not just Windows 2003 Terminal Services that is out of date. Firewalls, VPN concentrators, Citrix Remote Desktops, and other tools have had vulnerabilities discovered which need to be remediated. Not using two-factor authentication, or not using application virtualization and proxies to deliver applications remotely, are areas where organizations are assuming too much risk as well.

Two of the recent data breaches Integrity has investigated started with attacks against remote access. Once the hacker was able to control the remote access system, they had the opportunity to gain access to vital systems and data at the victim organization.  Because this was expected behavior and the systems weren’t closely monitored, the hacking activity went unnoticed for months.

Systems that haven’t been patched, or where the architecture hasn’t been updated to address the evolving threats of today’s world, are most at risk. The security event logs from these remote access systems must also be closely monitored to identify attacks and provide appropriate response times.
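As an added illustration (not code from the original columns or from Integrity) of what the monitoring column above means by correlating event logs into a handful of incidents, and of the remote-access log review urged here, the following Python correlator reads constructed remote-access gateway log lines and raises an incident only when a successful login follows a burst of failures from the same source. The log format, host name, user names and addresses are assumptions made for the example.

```python
"""Correlate remote-access authentication events into incidents.

Added example: reduces many raw log events to the few that warrant review.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format: ISO timestamp,
# gateway host name, then key=value fields for the authentication result.
SAMPLE_LOG = """\
2015-09-14T02:10:01 ra-gw01 auth=failure user=administrator src=203.0.113.7
2015-09-14T02:10:04 ra-gw01 auth=failure user=administrator src=203.0.113.7
2015-09-14T02:10:09 ra-gw01 auth=failure user=administrator src=203.0.113.7
2015-09-14T02:10:15 ra-gw01 auth=failure user=administrator src=203.0.113.7
2015-09-14T02:10:22 ra-gw01 auth=failure user=administrator src=203.0.113.7
2015-09-14T02:10:30 ra-gw01 auth=failure user=administrator src=203.0.113.7
2015-09-14T02:10:41 ra-gw01 auth=failure user=administrator src=203.0.113.7
2015-09-14T02:10:55 ra-gw01 auth=failure user=administrator src=203.0.113.7
2015-09-14T02:11:12 ra-gw01 auth=success user=administrator src=203.0.113.7
2015-09-14T07:58:03 ra-gw01 auth=success user=jdoe src=198.51.100.21
2015-09-14T08:02:47 ra-gw01 auth=failure user=msmith src=198.51.100.34
2015-09-14T08:02:59 ra-gw01 auth=failure user=msmith src=198.51.100.34
2015-09-14T08:03:20 ra-gw01 auth=success user=msmith src=198.51.100.34
2015-09-14T08:15:10 ra-gw01 auth=success user=rlee src=198.51.100.40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth=(?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    result: str
    user: str
    src: str


def parse_log(text: str) -> list[Event]:
    """Parse log lines into Events, oldest first.

    Lines that do not match the assumed format are skipped here; a real
    pipeline should count them, because silently dropped lines hide evidence.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]), m["host"],
                            m["result"], m["user"], m["src"]))
    events.sort(key=lambda e: e.ts)
    return events


def correlate(events: list[Event], threshold: int = 5,
              window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Raise one incident per source that logs in successfully after at least
    `threshold` failed attempts within `window`. A couple of mistyped
    passwords before a success (below the threshold) is not reported."""
    recent_failures: dict[str, deque] = defaultdict(deque)
    incidents = []
    for ev in events:
        q = recent_failures[ev.src]
        while q and ev.ts - q[0].ts > window:   # forget failures outside the window
            q.popleft()
        if ev.result == "failure":
            q.append(ev)
            continue
        if len(q) >= threshold:
            incidents.append({
                "rule": "brute-force-then-success",
                "host": ev.host,
                "src": ev.src,
                "user": ev.user,
                "failures": len(q),
                "targeted_users": sorted({f.user for f in q}),
                "first_failure": q[0].ts.isoformat(),
                "success": ev.ts.isoformat(),
            })
            q.clear()   # one incident per burst, not one per later success
    return incidents


def summarize(text: str, **rule_args) -> dict:
    """Return how many raw events were reduced to how many incidents."""
    events = parse_log(text)
    return {"events": len(events), "incidents": len(correlate(events, **rule_args))}


if __name__ == "__main__":
    for inc in correlate(parse_log(SAMPLE_LOG)):
        print(inc)
    print(summarize(SAMPLE_LOG))
```

Lowering `threshold` to 2 would also flag the msmith login, which shows why thresholds need tuning against your own baseline before alerts go to a reviewer.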

The risks to your business and customers from remote access are great. This is one area of technology that requires constant risk assessment, technology updates or upgrades, and thorough security monitoring. Protecting against hackers is often hard work, but sometimes it’s simply a matter of reviewing what’s already being done to ensure those efforts are still yielding the results you expect.

October is National Cybersecurity Awareness Month

Dave Nelson, CISSP, is president and CEO of Integrity.

Would you like to know the single biggest weapon for cybersecurity? Awareness.

Think about all the other risks we face and the huge awareness campaigns designed to educate us on how to protect ourselves or others. We have Smokey the Bear for forest fire safety, Stop, Drop and Roll for fire safety, McGruff the Crime Dog, pink ribbons for breast cancer awareness. The list goes on and on.

Creating awareness for the risks that affect us is one of the best things we can do to help minimize the threats. That’s why Integrity is an official champion of National Cyber Security Awareness Month. This October, as we have in years past, Integrity will be working hard to bring cybersecurity awareness to people of all ages, in all walks of life.

Educating people about cybersecurity threats is foundational to creating a safer computing environment for everyone. What many don’t fully comprehend or at least consider is that our computing systems all coexist in one large digital ecosystem. What one person does at home or at school has profound impacts on what happens to a computer in a corporate data center or embedded in a medical device in a hospital. 

Cybersecurity isn’t just a work issue. It’s a life issue. Identity theft, fraud and financial crime can make life generally unpleasant for those affected by it. We can only protect the digital ecosystem if we begin to educate people about the risk they face wherever computers are used. Protecting passwords and having good cybersecurity practices at work are worthless if those same precautions are not used at home. Many people who use computers at work also have access to work resources from their home computers. However, if those employees don’t carry over the same information security best practices from work to home, those home computers are not protected and expose company data.  It also exposes personal bank or retirement accounts, Social Security numbers of dependent children and other critical information.

Think of cybersecurity best practices like you would general hygiene. Washing your hands frequently and covering your mouth when you cough protects not only you but others as well. Using good information security best practices whether you are using a home, work or public computer will protect you and everyone else as well. If we all get better at cybersecurity, the world becomes a safer computing environment for us all.

Integrity, along with Ankeny's Kirkendall Public Library, will be hosting the following events to celebrate National Cyber Security Awareness Month. We’d love for you to join us.

Topic: Internet Safety and Security Tips for Adults

Focus: Email Phishing, Online Banking and Identity Theft

Date: October 19, 2015
Location: Kirkendall Public Library - Ankeny, Iowa
Time: 1:00 p.m. – 3:00 p.m.
Age: Adult Program, 18 years + 

Topic: Social Media and Online Security for Students plus a discussion with high school students on cybersecurity career opportunities

Focus: Social Media (Snapchat, Facebook, Twitter and Instagram), Limiting Access, GPS, Truths about Deleting Items Online and Cybersecurity Career Opportunities

Date: October 19, 2015
Location: Kirkendall Public Library - Ankeny, Iowa

Small business is big business for hackers

Dave Nelson, CISSP, is president and CEO of Integrity.

While big cybercrime incidents, like the Office of Personnel Management and Ashley Madison data breaches, are wonderful news stories, they are only a percentage of cybercrime incidents. Small business attacks are actually a larger percentage of information security breaches. You simply don’t hear about them because they don’t have the same broad appeal that is desired by global media outlets.

Small businesses are targeted by hackers for several reasons. One reason is they are easy targets. Let’s face it, if you’re picking a fight, you pick one with a weaker guy, one who is not likely to be able to defend himself. Hackers take the same approach. Small businesses are more susceptible to cybercrime and security breaches because they are more vulnerable.

Small businesses are often small for one of two reasons, either they want to be small or they are just getting started. For the company that wants to be small, it is likely that the entrepreneur who started the company likes the nimble, fly-by-the-seat-of-your-pants feel. They like the risky positions, doing more with less. This often translates into how they use technology in their business. It is seen as a necessary evil, so only absolutely necessary expenses are approved, and security is never necessary. The entrepreneur knows the business is vulnerable but is willing to take that risk.

Startups are another type of small business. These organizations often want to do the right things, but limited funding causes competing priorities. Information security is frequently pushed down the list as something that can be added after profitability increases. Unfortunately, it can take years for a startup to actually recognize any profits, and by then investors may be looking for an exit strategy.

One thing many small businesses fail to understand is that their clients make them a target for cybercrime. Hackers may look at a multi-billion dollar enterprise and determine it is too difficult or risky to hack. Those hackers then switch gears and begin looking for accountants, attorneys, audit firms, engineering and architectural firms, building maintenance firms and other vendors who may have access to the larger enterprise’s valuable data. These smaller firms may not have the focus on security, or the budgets to protect data, and they become conduits for cybercrime.

Lacking awareness of the types of attacks, and ways to reduce risk of a successful breach, is another area where small business is vulnerable. Simply knowing some small steps to prevent security breaches, which may not require a lot of time or money to implement, can help. Claiming ignorance of the laws or best practices for information security will not protect you in court.

Business is all about taking risk. How much is too much? That question has a million correct answers. However, fully understanding the risk is critical to making the right choices for your business.

Phishing can cost you hundreds of thousands of dollars

Dave Nelson, CISSP, is president and CEO of Integrity.

Here’s a scenario for you to consider. An accounting team member receives an email that appears to be from your CEO, and the email reads something like this:

“Good Morning Mike, You may or may not know, but Mary (CFO) and I are in Atlanta working to close a deal with our partners XYZ Company and ABC Limited on a $70 million dollar contract with Our Big Payday, Inc. In order to get the contracts signed, I need for you to wire $85,620 to XYZ Company and $67,980 to ABC Limited. Mary says this should come from our Bank Name Here account number 123456789. The routing and account number for XYZ is 12345678 – 7788994455 and for ABC is 98765432 - 336699774411”

“Because Our Big Payday, Inc. is a publicly traded company, the terms of this agreement cannot be disclosed until they file their SEC reports for the quarter, so your absolute discretion is expected. Under no circumstances are you to discuss this transaction with anyone in the department. A leak could result in SEC fines or imprisonment for both of us for insider trading. If you have any questions about this, please respond to this email with your direct line and I’ll call you when I’m out of the negotiation meetings. I appreciate all you do for us, which is why I’m trusting you with this key project. Keep up the good work. Sandy (CEO)”

This is what we call a spear phishing email: a message crafted for one selected individual in an organization. Information about the employee, the company, its executives, and the deals or partners they are working on, along with other timely, accurate details, is woven into the message, which lends it apparent authenticity. The From address, the Reply-To address and other properties such as logos and signatures may also appear to be genuine.

What’s an employee to do? The CEO and CFO specifically requested this transfer of funds and obviously know our bank account information. Nobody else would know that information, right? Wrong. Everything in this email could be public record or obtained through other legitimate or fraudulent means. The routing and account numbers, for instance, are printed on the bottom of every check you send out.
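As an added example, not part of the original post, here is a small Python script that applies the header and content checks a mail gateway or a trained reviewer would run against a message like the one above: does the display name claim to be an executive whose real mailbox is different, is the sender domain a lookalike of ours, does Reply-To point somewhere else, did SPF/DKIM fail, and does the body pair a payment amount with urgency or secrecy language. The sample messages, the domains and the executive directory are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (invented addresses and domains), modelled on the
# CEO-fraud email quoted in the post. It is not a real message.
SAMPLE_EMAIL = """\
From: "Sandy Smith (CEO)" <sandy.smith@example-corp-mail.com>
Reply-To: sandy.ceo.travel@webmail.example
To: mike@example-corp.com
Subject: Contracts - wire today
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp-mail.com; dkim=none
Content-Type: text/plain; charset=us-ascii

Good Morning Mike, Mary and I are in Atlanta closing the XYZ deal. I need you to
wire $85,620 to XYZ Company and $67,980 to ABC Limited today.
Under no circumstances are you to discuss this transaction with anyone in the department.
Reply with your direct line and I'll call you. Sandy (CEO)
"""

# Constructed legitimate message from the real executive mailbox, for contrast.
LEGIT_EMAIL = """\
From: "Sandy Smith" <sandy.smith@example-corp.com>
To: mike@example-corp.com
Subject: Lunch
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass
Content-Type: text/plain; charset=us-ascii

Lunch at noon on Thursday? Sandy
"""

# Assumed organisation data; a real deployment would pull this from the directory.
OUR_DOMAINS = {"example-corp.com"}
EXECUTIVES = {"sandy smith": "sandy.smith@example-corp.com",
              "mary jones": "mary.jones@example-corp.com"}

MONEY_RE = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")
PRESSURE_RE = re.compile(
    r"\b(wire|today|urgent|discretion|do\s+not\s+discuss|under\s+no\s+circumstances|confidential)\b",
    re.I)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _looks_like_ours(domain):
    """Crude lookalike test: our registrable label appears inside a foreign domain."""
    if domain in OUR_DOMAINS:
        return False
    return any(d.split(".")[0] in domain for d in OUR_DOMAINS)


def analyze(raw):
    """Return a list of findings for a raw RFC 5322 message; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    # Strip parenthetical titles such as "(CEO)" before matching against the directory.
    name_key = re.sub(r"\(.*?\)", "", from_name).strip().lower()

    if name_key in EXECUTIVES and from_addr.lower() != EXECUTIVES[name_key]:
        findings.append(f"display-name impersonation: '{from_name}' but mailbox is {from_addr}")
    if _looks_like_ours(from_dom):
        findings.append(f"lookalike sender domain: {from_dom}")
    elif from_dom and from_dom not in OUR_DOMAINS:
        findings.append(f"external sender domain: {from_dom}")

    # A Reply-To on a different domain silently redirects the victim's answer to the attacker.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To domain differs from From: {_domain(reply_addr)}")

    # Authentication-Results is stamped by our own gateway, so it is trustworthy here.
    for mech, result in AUTH_RE.findall(msg.get("Authentication-Results", "")):
        if result.lower() in ("fail", "softfail", "none", "permerror", "temperror"):
            findings.append(f"{mech} result is {result}")

    # Money plus pressure language is the classic wire-fraud pattern.
    body = msg.get_payload() if not msg.is_multipart() else ""
    amounts = MONEY_RE.findall(body)
    pressure = sorted({m.lower() for m in PRESSURE_RE.findall(body)})
    if amounts and pressure:
        findings.append(f"payment request {amounts} with pressure cues {pressure}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_EMAIL), ("legitimate", LEGIT_EMAIL)):
        print(f"{label}: {analyze(raw) or 'no findings'}")
```

None of these checks is conclusive on its own; the point is that a message hitting several of them at once should be held for an out-of-band callback to the executive on a known number, not acted on from the email.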

If your employees are not trained to handle suspicious emails, they have been set up to fail, and an information security breach is much more likely. Hackers using our humanity against us is called social engineering. We train employees to follow instructions and act in certain ways; hackers know this and try to put employees in situations where the outcome is predictable. Social engineering attacks, including phishing, are on the rise. According to recent reports, as much as 30 percent of all breaches have a social engineering component. We have to invest in employee education and awareness if we stand any chance of fending off information security breaches.

Oh, and if you are wondering: yes, this is a real example, and it worked.

 


Security breaches happen all over the place

Dave Nelson, CISSP, is president and CEO of Integrity.

Several Iowa-based companies have suffered information security breaches in the past 12 months, in the banking, financial services and non-profit sectors. One breach resulted in fraudulent ACH transactions of close to $250,000. Another resulted in cleanup costs approaching $100,000. These are just the data breaches that my incident response team has been tasked to investigate. There have been others.

Of course Iowa companies get attacked

“Really? Companies in Iowa are targets of cyberattacks?” This response never ceases to amaze me. People in Iowa whine and complain when the rest of the country portrays Iowa as a backward state full of farmers who don’t know anything about technology. (For the record, I’d be willing to bet that many farmers in Iowa use more advanced technology than an average office worker). Why then are these same people shocked that Iowa’s thriving manufacturing, technology, financial services and biotech companies are targeted by cybercriminals? Iowa companies big and small are competing on an international scale. Why wouldn’t they be targets?

One of the biggest myths about cybercrime is that it’s all about stealing cash or personal information such as credit card numbers. The reality is that health care records and intellectual property, such as research and development, product designs or sales and marketing strategies, are far more valuable to cybercriminals than a low-limit credit card. These criminals are looking for the long-term, major payoff, not a quick buck. Targeted cyberattacks driven by corporate or foreign espionage are on the rise. Don’t believe me? Even Major League Baseball teams are hacking each other to get a competitive advantage.

Training and security awareness

There is good news, though. Many of the data breaches that are discovered could have been prevented. Data breaches are often the result of a lack of employee training and security awareness, or of a breakdown in process and procedures. Take the employee angle, for instance. We often find that employees fail email phishing tests at a rate of about 35 percent. The reason is simple: the vast majority haven’t been consistently trained on how to identify fraudulent emails. If they had been well trained, they would know what to look for and would spot the fraudulent emails before clicking the links.

The other common breakdown is complacency: we have people, process and technology in place and simply assume that everything is working correctly. Several of the breaches we’ve investigated were related to failures of the anti-malware system. It may have worked correctly when first installed, but over time the systems stopped receiving anti-malware updates, or scans were not running or not completing properly. The result was infections that led to the breach. With better anti-malware management in place, these failures could have been detected and the breach avoided.
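The failure mode described above is detectable with a routine health check of the control itself, rather than trusting that it still works. As an added example, not part of the original post, the Python script below audits a constructed endpoint inventory export (hostnames, timestamps, thresholds and column names are all invented for illustration) for stale signatures, missed scans, disabled real-time protection and a stopped service, then counts failures by type so a broken update pipeline stands out from a single misconfigured machine.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed endpoint inventory, in the shape an endpoint-management console or a
# scheduled collection job might export. Hostnames, timestamps and states are invented.
INVENTORY_CSV = """\
host,signatures_updated,last_full_scan,realtime_protection,service_state
FIN-WS01,2015-09-14T06:10:00,2015-09-13T02:00:00,on,running
FIN-WS02,2015-07-29T06:10:00,2015-09-13T02:00:00,on,running
HR-WS03,2015-09-14T06:10:00,2015-06-01T02:00:00,on,running
SRV-FILE1,2015-09-14T06:10:00,2015-09-13T02:00:00,off,running
SRV-APP2,2015-09-01T06:10:00,2015-08-30T02:00:00,on,stopped
"""

# Assumed policy thresholds: vendors typically ship signatures at least daily and a
# weekly full scan is a common baseline, so anything older than this is a control failure.
MAX_SIGNATURE_AGE = timedelta(days=3)
MAX_SCAN_AGE = timedelta(days=8)

# Fixed "now" so the run is reproducible; a real job would use datetime.now().
CHECKED_AT = datetime(2015, 9, 15, 8, 0, 0)


def audit(csv_text, now):
    """Return {host: [(code, detail), ...]} for every host failing at least one check."""
    failures = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        sig_age = now - datetime.fromisoformat(row["signatures_updated"])
        scan_age = now - datetime.fromisoformat(row["last_full_scan"])
        if row["service_state"] != "running":
            issues.append(("service_down", f"service state is {row['service_state']}"))
        if row["realtime_protection"] != "on":
            issues.append(("realtime_off", "real-time protection is disabled"))
        if sig_age > MAX_SIGNATURE_AGE:
            issues.append(("stale_signatures", f"signatures are {sig_age.days} days old"))
        if scan_age > MAX_SCAN_AGE:
            issues.append(("stale_scan", f"last full scan was {scan_age.days} days ago"))
        if issues:
            failures[row["host"]] = issues
    return failures


def summarize(failures):
    """Count failures by type. Several hosts sharing a code point at a broken process
    (update server, scan schedule) rather than a one-off misconfiguration."""
    return Counter(code for issues in failures.values() for code, _ in issues)


if __name__ == "__main__":
    result = audit(INVENTORY_CSV, CHECKED_AT)
    for host, issues in sorted(result.items()):
        for code, detail in issues:
            print(f"{host}: [{code}] {detail}")
    print("totals:", dict(summarize(result)))
```

Run it on a schedule and route the output to whoever owns endpoint security; a host that has not phoned in at all should be treated as a failure too, since silence is exactly how the broken systems in these breaches went unnoticed.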

The truth is that every company -- big or small, urban or rural -- is a target for cybercrime. There are simple ways to protect your organization. You can start by assessing your current information security activities and monitoring their effectiveness. 

 


Cyberattacks: How much worse can it get?

Dave Nelson, CISSP, is president and CEO of Integrity.

Every single day we hear of another organization that has suffered a cyberattack. The victims span industries such as retail, healthcare, government, manufacturing, technology, education, utilities and banking. They range in size from multinational Fortune 100 companies to local mom-and-pop shops. The question I frequently get from organizational leadership is this: “How much worse can it get?”

Unfortunately, the answer is that we are still in the dawn of the cybercrime age, and it will get much worse.

Consider this: widespread use of computer technology in our society has really only occurred for about the past 30 years, and the interconnected way we do business today only began about 15 to 20 years ago. We’re still in the shift to the information age, where information is more valuable than many of the physical things we produce. Cyberattacks will become more sophisticated, cheaper to carry out and accessible to more criminals over the next 20 years. Think about how far we’ve come since the industrial age of the 1800s. In another 50 years, today’s computer systems will be laughable. A smartphone today has far more computing power than the systems used to put a man on the moon.

In the past, cybercrime was largely deterred by making the risk of being caught or physically injured too high for many people to stomach. The little guy rarely picks a fight with the big guy because he knows he’s beat before the first punch is thrown. A country with no physical warfare capability wouldn’t invade a neighbor with an overwhelming force for obvious reasons. With technology, this power gap has been narrowed, if not eliminated in many cases.

Risk exists where an asset has a vulnerability that a threat actor can exploit. Today there are many more threat actors willing to exploit cyber vulnerabilities than physical ones, because the consequences to the attacker of a failed cyberattack are far less severe than those of a failed physical attack. There are also new players in the cyberattack arena: foreign countries are ramping up their cyberwarfare capabilities, and large organized crime syndicates are building sophisticated cyber teams.

With this change in threat actors, the risk is changing as well. We’ve seen a steady rise in targeted attacks over the past several years, and this shift is making attacks harder to defend against. Over the past decade, information security has largely been about preventing “drive-by” attacks: you simply needed to be more secure than your neighbor. That approach is no longer sufficient. Organizations must take a more proactive approach to information security, one that accounts for large, well-funded threat actors willing to take a long-term approach to compromising your security perimeter.

Attacks are becoming more common. They are targeting your organization and are carried out by well-funded groups. Is your organization prepared to defend itself against this new generation of cybercriminals? 

 


This site is intended for informational and conversational purposes, not to provide specific legal, investment, or tax advice.  Articles and opinions posted here are those of the author(s). Links to and from other sites are for informational purposes and are not an endorsement by this site’s sponsor.