Dave Nelson, CISSP, is president and CEO of Integrity
Several Iowa-based companies have suffered information security breaches in the past 12 months. They have come from the banking, financial services and non-profit sectors. One breach resulted in fraudulent ACH transactions of close to $250,000. Another resulted in cleanup costs approaching $100,000. These are just the data breaches that my incident response team has been tasked to investigate. There have been others.
Of course Iowa companies get attacked
“Really? Companies in Iowa are targets of cyberattacks?” This response never ceases to amaze me. People in Iowa whine and complain when the rest of the country portrays Iowa as a backward state full of farmers who don’t know anything about technology. (For the record, I’d be willing to bet that many farmers in Iowa use more advanced technology than an average office worker). Why then are these same people shocked that Iowa’s thriving manufacturing, technology, financial services and biotech companies are targeted by cybercriminals? Iowa companies big and small are competing on an international scale. Why wouldn’t they be targets?
One of the biggest myths about cybercrime is that it’s all about stealing cash or personal information such as credit card numbers. The reality is that health care records and intellectual property, such as research and development, product designs or sales and marketing strategies, are far more valuable to cybercriminals than a low-limit credit card. These criminals are looking for the long-term, major payoff, not a quick buck. Targeted cyberattacks driven by corporate or foreign espionage are on the rise. Don’t believe me? Even Major League Baseball teams are hacking each other to get a competitive advantage.
Training and security awareness
There is good news, though. Many of the data breaches that are discovered could have been prevented. Data breaches are often the result of a lack of employee training and security awareness, or of a breakdown in processes and procedures. Take the employee angle, for instance. We often find that employees fail email phishing tests at the rate of about 35 percent. The reason is simple. The vast majority haven’t been consistently trained on how to identify fraudulent emails. If they had been well trained, they would know what to look for and spot the fraudulent emails before clicking the links.
The other common breakdown is complacency: we have people, process and technology in place and simply assume that everything is working correctly. Several of the breaches we’ve investigated were related to failures of the anti-malware system. It may have worked correctly when first installed, but as time went on the systems were no longer receiving anti-malware updates, or scans were not running or were not completing properly. This resulted in infections and led to the breach. If better anti-malware management had been in place, these failures could have been detected and the breach avoided.
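What "better anti-malware management" looks like in practice is a recurring check that the controls you assume are working actually are. The script below is an added illustration, not part of this column or of any vendor's product: it takes a constructed status export from a handful of endpoints (the field names, hosts, timestamps and thresholds are all assumptions) and flags the three failure modes described above, signatures that have stopped updating, scheduled scans that have stopped running or completing, and real-time protection that has been switched off. The same logic applies to whatever your anti-malware console can export.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: a fleet-wide anti-malware status export as it might be
# pulled from a management console. Field names are assumptions, not any
# particular product's schema.
ENDPOINTS = [
    {"host": "fs01", "signatures_updated": "2015-06-19T03:10:00Z",
     "last_scan_completed": "2015-06-18T02:00:00Z",
     "last_scan_status": "completed", "realtime_protection": True},
    # Signatures and scans stopped weeks ago: the "worked when installed" case.
    {"host": "acct-pc07", "signatures_updated": "2015-05-02T03:10:00Z",
     "last_scan_completed": "2015-05-01T02:00:00Z",
     "last_scan_status": "completed", "realtime_protection": True},
    # Scans are scheduled but failing, and someone turned off real-time protection.
    {"host": "hr-pc03", "signatures_updated": "2015-06-19T03:10:00Z",
     "last_scan_completed": "2015-06-12T02:00:00Z",
     "last_scan_status": "failed", "realtime_protection": False},
    # Agent installed, but a scan has never run at all.
    {"host": "lab-vm2", "signatures_updated": "2015-06-19T03:10:00Z",
     "last_scan_completed": None,
     "last_scan_status": "never", "realtime_protection": True},
]

# Fixed "current time" so the example is reproducible offline.
NOW = datetime(2015, 6, 20, 8, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp like 2015-06-19T03:10:00Z; None stays None."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess(endpoints, now=NOW,
           max_sig_age=timedelta(hours=48),   # assumed policy: definitions updated daily
           max_scan_age=timedelta(days=7)):   # assumed policy: full scan at least weekly
    """Return {host: [problem, ...]} for every endpoint whose anti-malware
    control is not demonstrably working. Healthy hosts are omitted."""
    findings = {}
    for ep in endpoints:
        problems = []

        # 1. Are signature updates still arriving?
        sig = parse_ts(ep.get("signatures_updated"))
        if sig is None:
            problems.append("no signature update recorded")
        elif now - sig > max_sig_age:
            problems.append("signatures %d days old" % (now - sig).days)

        # 2. Are scheduled scans running and completing?
        status = ep.get("last_scan_status")
        scan = parse_ts(ep.get("last_scan_completed"))
        if status != "completed":
            problems.append("last scan status: %s" % status)
        elif scan is None:
            problems.append("no completed scan recorded")
        elif now - scan > max_scan_age:
            problems.append("last completed scan %d days ago" % (now - scan).days)

        # 3. Is real-time protection still enabled?
        if not ep.get("realtime_protection"):
            problems.append("real-time protection disabled")

        if problems:
            findings[ep["host"]] = problems
    return findings


def healthy_fraction(endpoints, now=NOW):
    """Share of endpoints with no findings: the metric to trend week over week."""
    if not endpoints:
        return 0.0
    return 1.0 - len(assess(endpoints, now)) / len(endpoints)


if __name__ == "__main__":
    for host, problems in sorted(assess(ENDPOINTS).items()):
        print(host + ": " + "; ".join(problems))
    print("healthy endpoints: %.0f%%" % (100 * healthy_fraction(ENDPOINTS)))
```

Run against the constructed data this reports three of the four endpoints, and only fs01 passes. The value is in running it on a schedule and alerting when the healthy fraction drops, rather than discovering a silent agent during an incident.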
The truth is that every company, big or small, urban or rural, is a target for cybercrime. There are simple ways to protect your organization. You can start by assessing your current information security activities and monitoring their effectiveness.