A version of this article was previously published in the July 2019 edition of Healthcare News.
As the business world becomes increasingly digital, it’s more important than ever that companies invest in cybersecurity.
Data breaches can put not just a company and its employees at risk, but also its customers. The aftereffects of a data breach can be just as costly as the loss of the information itself. Depending on the scale of the breach, a company’s reputation could become significantly damaged, driving down profits and jeopardizing customer and client relationships, leading to future loss of business.
Cybersecurity focuses on protecting what’s valuable to your organization. For some, that may mean protecting valuable customer data, such as credit card information, Social Security numbers, or patient health care records. For others, it could include protecting internal data such as trade secrets, financial statements, or business leads.
Below, we explore five concepts and strategies business owners need to understand to keep a company’s valuable information safe.
1. You will be compromised.
It’s no longer a question of if a network will be compromised, but rather when, and the numbers associated with attacks are alarming.
According to the Ponemon Institute’s 2018 Cost of a Data Breach study, the average cost of a data breach for a company in the United States was $7.91 million, up from $5 million in 2015. Cybersecurity Ventures predicts that the cumulative cost of cybercrime will reach $6 trillion by 2021.
According to Verizon’s 2019 Data Breach Investigations Report, 43% of breaches in 2018 involved small businesses. Of total breaches, 10% occurred in the financial industry, 15% were in the health care field, and 16% were in public sector entities. Another alarming finding from the report is that the average dwell time (the amount of time an attacker is present on a network before being detected) is measured in months, and containing the breach can take several additional months.
2. Perpetrators attack from many angles with varying motives.
Businesses face four main types of cyber adversaries.
Nation States
The motive of an attacking nation state is to gain an advantage, whether that be economic, political, or military. These attacks target trade secrets, sensitive business information, details on mergers and acquisitions, or critical financial systems information.
If your company is a victim of these types of breaches, you risk the loss of a competitive edge or a regulatory inquiry or penalty, as well as a disruption to crucial business infrastructure.
Organized Crime Networks
Organized crime attacks are often motivated by immediate or future financial gains. These criminal groups tend to target financial payment systems, personally identifiable information, debit or credit card information, or protected health information.
These breaches can lead to a regulatory inquiry or penalty, consumer or shareholder lawsuits, damage to your brand and reputation, and ultimately, loss of consumer confidence.
Hacktivists
Hacktivists seek to influence political or social change or put pressure on a business to change its practices. These hackers usually target corporate secrets, sensitive business information, or critical financial systems.
Insiders
When company insiders engage in cyberattacks, they’re often motivated by personal advantage, monetary gain, or professional revenge. Sometimes motivations may be linked to bribery, coercion, or a sense of patriotism. Insiders may target sales, deals, market strategies and corporate secrets, business operations, personal information, and administrative credentials.
Insider breaches can lead to the disclosure of trade secrets and operational disruptions.
3. Attack entry points are plentiful and often rely on unsuspecting personnel.
Cybercriminals have several attack methods at their disposal. Some of the most used methods are described below.
Cryptojacking
Cryptojacking is defined as the secret use of your computing device to mine cryptocurrency. Mining cryptocurrency is itself a legal activity; it is the process by which cryptocurrency transactions are verified and added to a blockchain’s digital ledger.
Attackers use cryptojacking to make money off this mining activity by setting up malicious websites and software that will run on the victim’s computer to mine cryptocurrency for their benefit.
Ransomware
Hackers can gain access to a company’s system using malicious software, commonly known as malware. Once inside your system, hackers can encrypt and hold sensitive data hostage, along with your ability to conduct business, until payment is met.
Even if an organization pays the ransom, it doesn’t guarantee that access to the data will be restored.
Fileless Attacks
A fileless attack, also known as a non-malware, zero-footprint, or macro attack, differs from traditional malware in that it doesn’t need to install software to infect a machine.
Instead, it exploits a machine’s existing vulnerabilities and uses common system tools to inject malicious code into normally safe and trusted processes, operating in memory rather than on disk. Fileless malware attacks use commonplace software, applications, and protocols as a launching point for malicious activities. Examples of an attack can include:
- A user clicks on a link in a legitimate-looking file that loads into memory and remotely loads a script to locate confidential data, which is then sent back to the attacker
- Native system tools that would typically be trusted, such as Microsoft Windows Management Instrumentation (WMI) and PowerShell, are abused to get scripts to run remotely
Spear Phishing
With this tactic, a hacker sends an email to employees posing as a trustworthy source asking for information, such as IT system access data or bank details, in hopes of the recipient innocently providing details. Once the culprit receives passwords or other company information, they can then access a network.
Whaling and CEO Fraud
This method is the same as spear phishing, but the request is designed to look like it’s being sent by C-level executives to personnel in accounting, human resources, or IT. The goal is to get the person to conduct a wire transaction, send W-2 information, or provide other sensitive information.
Internet of Things (IoT) Attacks
This strategy includes targeting different types of devices that can communicate or connect to a company’s network without sound security practices in place. Examples of these devices include:
- Fitbits and smart watches
- Radio Frequency Identification (RFID) inventory systems
- Smart video conferencing systems
- Wireless heating, ventilation, and air conditioning (HVAC) systems
Due to the lack of security, these devices can be compromised more easily and, depending on what network the device is connected to, the attacker may gain access to other corporate systems.
4. There are steps available to protect against an attack.
While cyberattacks are a risk that comes with doing business, there are actions you can take to mitigate the chance of having sensitive information compromised.
These include simple actions, such as always changing the default username and password on network devices like firewalls, routers, and wireless access points. Likewise, if your IoT devices are password-protected, immediately change the default usernames and passwords to stronger ones upon first use.
It’s also important to back up critical data, make sure that offline copies exist, and confirm that the backups are viable and can be used to restore systems. To help prevent attacks, keep your antivirus and system software updated through frequent patching.
Efforts to boost cybersecurity fall into three categories: identifying assets to protect, protecting these assets, and detecting malicious activity.
The first step to protecting data is simply to identify the type of data a company touches by taking inventory and categorizing data. You should also determine how that data is stored and how it moves through a network. Next, identify those who have access to this sensitive data. After data is identified, perform a risk assessment to identify threats and vulnerabilities to the assets.
Once you’ve identified your assets, protect the data by using logical and physical access controls. Logical access controls validate that personnel have been assigned access to the systems and data based on job responsibilities.
Additional protection methods include:
- Encrypting data at rest and in transit
- Establishing controls around data lifecycle management
- Employing change management controls for software and hardware
- Confirming that systems are fully patched and that default usernames and passwords have been changed
You’ll also want to provide security awareness training to employees. Employees who have access or privileged rights to sensitive information should be trained to spot suspicious requests to disclose information or move assets, even if they appear to come from legitimate sources or within the organization. Employees should know how to appropriately question, challenge, and respond to these abnormal requests.
Companies should also continually monitor the activities of third-party service providers, such as cloud and SaaS operators, who come into contact with their sensitive data and information.
Even when you feel your data is securely protected, methods should be put in place to identify malicious activity. Detection controls are critical as they help identify activity that occurs on the network and can provide real-time alerts once exceptions are noted.
Security information and event management (SIEM) products will centralize the logs from all devices on the network, provide intelligence and correlation of events, and alert when a malicious event is triggered.
Other detection controls include user access reviews, which detect issues related to segregation of duties, and a vulnerability management program, which includes vulnerability scanning and penetration testing to identify vulnerabilities and weaknesses on systems.
5. Act immediately if you’ve been compromised.
In the event of a breach, it’s important to have plans ready in order to react as quickly as possible.
It’s crucial to have an incident response plan in place to adequately address incidents. As part of this plan, you’ll want to identify roles for personnel and inform them of their responsibilities for responding to an incident. A response plan helps contain and mitigate incidents, which is why it’s important to review response plans and update them at least annually.
In addition to a response plan, you’ll want to have a business continuity and disaster recovery plan in place so that operations can be restored in a timely manner. For your recovery plan to be effective, it’s important to review and test business continuity and disaster recovery plans at least annually.
We’re Here to Help
Protecting your data requires constant vigilance, and it’s helpful to have the support of a trusted professional. To learn more about how to protect your company from threats and breaches, contact your Moss Adams professional.