Earlier this year, the malware program VPNFilter infected hundreds of thousands of office and home routers and networked devices around the world. The cities of Atlanta and Baltimore experienced ransomware attacks, the latter causing the 911 dispatch system to be offline for 17 hours. Confidential data were breached at numerous companies—Adidas, Dignity Health, Honda, LabCorp, MyHeritage, and Ticketmaster, to name only a handful. Cyberattacks, with their potentially deleterious consequences, are a constant threat to all businesses.
“It’s not a matter of if it will happen; it’s a matter of when. Don’t wait for when,” said Nancy Thompson, a Reno-based cybersecurity and privacy consultant.
Consequently, companies must make cybersecurity, or information security, a priority, said Mike Yoder, co-founder and CEO of WinTech LLC, a Las Vegas company that provides virtual receptionist and visitor management solutions to businesses.
“Cybersecurity is the process of protecting information in the cyberworld,” Thompson said. “We are more and more reliant on computers and the data that’s on computers for everything. The more that we’re reliant on it, the more risk there is.”
Risk & Costs
Information security is so critical today because companies, and society in general, continue to depend more and more on the Internet, which has become an essential tool for doing business, said David Langford, vice president of technology, Smart City Networks, headquartered in Las Vegas. Smart City provides telecommunications services for convention centers across the U.S. and three National Football League stadiums.
Cyberattacks are a daily occurrence. Now, with the cloud and Internet of Things (IoT), the risk is elevated because the potential sphere in which attacks can occur is broader. Take, for instance, the example of the Las Vegas casino-hotel that got customer information stolen by hackers who accessed it via the “smart” fish tank’s thermostat.
“[Cybersecurity] is no longer about inconvenience but a financial war,” said Darren McBride, CEO, Highly Reliable Systems Inc. in Reno, which sells and supports networks and computers in Northern Nevada.
A cyberattack can damage the reputation of a company, get it sued, and cause business and revenue loss. Worst case, it can take down a business entirely.
In the U.S., a data breach costs an organization an average of $225 per compromised record, statistics from the Ponemon Institute and IBM Security’s “2017 Cost of Data Breach Study” showed. Costs are higher for highly regulated industries. In healthcare the cost is $380 per file and in financial services, $336. These figures include notifications, legal fees, hiring additional staff, providing identity monitoring services and loss of business.
Despite the potentially catastrophic effects of a cyberattack on a business, experts said in large part commercial organizations in Nevada fall into two camps: those that aren’t doing anything about cybersecurity because they haven’t yet been attacked and those that are making genuine efforts but aren’t doing enough to truly protect themselves and the data they hold.
“They do it with a lick and a promise,” Thompson said. “Until they’ve had a problem, an audit problem or an actual breach, quite often they don’t do it with enough care and rigor.”
Predominant Cyber Incidents
Today, cyberattacks are more sophisticated, but not always, and the perpetrators more experienced than they were, say, five years ago, said Jonathan Davies, founder and president, Southern Nevada Cybersecurity Alliance in Las Vegas. SNCA is a non-profit, no-membership organization that’s open to anybody and free to attend.
“[Cybersecurity] is an industry that has moved very quickly and continues to move very quickly,” Thompson said.
These types of attacks are the most common today:
Phishing/social engineering: These are often-occurring, low-tech incidents in which the perpetrator, via e-mail, elicits personal information or money from their target by posing as another person or entity.
Business e-mail compromise: These are a form of phishing in which a cybercriminal impersonates an executive, often the CEO, and attempts to get an employee, customer or vendor to transfer funds or sensitive information to the phisher.
Ransomware: These prevent access to a networked device until a sum of money is paid.
Cryptojacking: These secretly use one’s device to mine cryptocurrency.
Viruses/malware: These aim to damage or disable networked devices.
Attacks can be categorized as crime, espionage, warfare or hactivism (hacking whose purpose is to promote a social or political cause). The IBM/Ponemon survey showed that malicious or criminal attacks were the primary cause of data breaches in the U.S. in 2017, accounted for 52 percent of all incidents and were the most costly. Human error and system glitches each were responsible for 24 percent.
Internal Data Protections
Effective corporate cybersecurity includes three types of controls: administrative, technical and physical, Davies said.
“Today’s security arsenal employs a layered approach, utilizing a variety of different software- and hardware-based tools that analyze multiple sources in real time to detect and prevent sophisticated attacks,” he added. “There are affordable solutions for companies of all sizes.”
Also recommended is a financial policy that, for one, prohibits employees from sending money to anyone or anywhere without first conferring with the company’s CEO or chief financial officer via the phone, said McBride.
Because data breaches often result from employees doing something they shouldn’t or not doing something they should, training them on all things cybersecurity and on the company’s related policies/procedures, especially around phishing attacks, is crucial. Langford’s company, for example, has its employees trained in anti-phishing by KnowBe4 to prevent employees from getting lured unsuspectingly into a phishing scam.
Also essential is constantly updating systems, both software and hardware, and applying patches to applications, proprietary and not, as is possible and quickly.
Monitoring and testing of servers and network systems can be done regularly to ensure they haven’t been penetrated, Yoder said. Re-evaluation should be done routinely.
“Conduct a risk assessment and business impact analysis at least annually and prioritize your remediation plan according to criticality of assets,” Davies said.
Technical controls are tools and mechanisms to prevent attacks from even penetrating the network, reaching employees’ e-mails for instance. They include firewalls, encryption, multi-factor authentication, antivirus software, unified threat management routers and backup systems that can recover data from an infected computer within two to three hours, which is “business critical,” McBride said.
An array of such products is available. Some of the latest ones include Cisco Umbrella, a cloud security platform that provides the first line of defense against threats on the Internet. SonicWall routers feature unified threat management security. Mobile device management is software that secures and monitors employees’ cellphones. SolarWinds’ Orion platform allows users to view real-time statistics of their network directly from their Web browser.
Gaining popularity are automation and orchestration platforms that filter out false positive breaches and thereby, reduce a security team’s workload. Machine learning and artificial intelligence are being used to detect and halt suspicious network traffic, including new threats, ones that previously haven’t been seen.
Finally, physical controls are walls and fences, locked doors, security cameras, guards and the like. How much protection and what kind a company needs should be on par with its risk level, Davies said.
“An organization’s security posture should be of a sufficient level of maturity to protect that organization from the threats it faces, based on the likelihood of any identified threat being realized,” he added.
Assistance is Available
Companies may take cues from or adopt an existing set of cybersecurity measures, created by various organizations and perhaps even specific to their industry. For instance, the National Institute of Standards and Technology offers the “Guide to Protecting the Confidentiality of Personally Identifiable Information.” The International Organization for Standardization’s ISO/IEC 27000 standards help organizations manage the security of assets such as financial information, intellectual property, employee details and information entrusted to them. Another source is ISACA, previously known as the Information Systems Audit and Control Association, the organization now goes by its acronym to reflect a broader range of IT professionals. ISACA engages in the development, adoption and use of globally accepted knowledge and practices for information systems.
“These frameworks now are developed to such an extent that there’s no reason to develop your own,” Thompson said.
Businesses may either hire employees internally to manage their cybersecurity, outsource to one or more of the providers in the growing field or employ a combination of strategies. For instance, Smart City Networks has an in-house network operations center staffed with 17 people who are tasked with monitoring the company’s networks across the U.S. Each employee bears some cybersecurity responsibility. Three are dedicated to configuring and monitoring firewalls for maximum protection. Another three ensure Windows and antivirus programs get updated and the Linux systems and Windows servers get patched, as necessary.
“The outsourced cybersecurity marketplace is growing exponentially, as savvy chief information security officers choose to ‘buy it rather than build it,’” Davies said. “Common security functions such as security operations centers, vulnerability management, identity and access management are now available ‘as a service.’”
Evolving Regulatory Environment
A primary challenge for companies is staying current with and meeting the requirements of the data protection/privacy regulations effected by industry and government. The number of these laws is growing, and each has different mandates.
For instance, the European Union’s General Data Protection Regulation (GDPR), which went into effect in May, regulates how companies protect the data and privacy of EU-based people. Because the GDPR applies to organizations outside the EU that collect or process personal data of individuals in the EU, Nevada companies who, say, sell their products or services in the EU are subject to it.
The U.S. may follow the EU’s lead and enact similar legislation. Earlier this year, the Canadian government considered updating its own personal information and privacy laws to allow its citizens more regulatory tools to protect their personal information online. In June, California passed the Consumer Privacy Act of 2018, which goes into effect in 2020. In part, it affords consumers the rights to know specifics about the data a business has on them and to have a business delete their personal information, with some exceptions.
Regardless of the difficulties involved in implementing, managing and updating various protections, cybersecurity is a must for Nevada businesses.
“Don’t ignore it,” Langford said. “Don’t stick your head in the stand and say, ‘It hasn’t happened to us…yet.’ Make sure that you have some awareness about cybersecurity and the types of systems that can detect, prevent and correct cyberattacks. And make the commitment to spend some resources in making sure that all of that is up to date and kept up with because it’s constantly changing.”