All businesses, from corporate giants to mom and pop enterprises, have data that needs to be protected. This is one instance where the size and type of a business is irrelevant.
“That’s a real challenge that small businesses haven’t quite learned to cope with,” said Brian Fricke, chief information security officer, City National Bank. “You can outsource a lot of things, of course, and that’s one benefit they have, but they still have to own their own risk and understand their own risks.”
This requires business owners to make assessments based on what their cybersecurity risks might be. They have to understand those risks, which isn’t always the easiest thing to do when the company works in widgets, not information technology (IT).
The primary goals of information security are to protect confidentiality, integrity and availability of data and systems important to the company using the data and the systems to generate revenue. Fricke calls it the “CIA Triad” and points out that different attacks target different angles of the triad.
“If you’re worried about the wrong people gaining access to your data, you’re trying to protect confidentiality,” said Fricke. That means watching out for phishing scams looking to take data or gain access to the system.
Threats to availability include ransomware attacks and denial of service, as seen recently when the cyberattack on the Colonial Pipeline shut down the computerized equipment managing the pipeline. Integrity means protecting client data from being altered.
Defending Data
The top tip most experts share on protecting a company’s data is to start with an inventory.
“Know where your system data is in the organization, and what’s important to you. Give them some sort of valuation ranking, because if you try to protect everything, you’ll end up protecting nothing,” said Fricke. “You have to really understand what steps you’re going to take first, and what protection you’re going to apply, and where.”
Once there’s an inventory in place a company can take steps to control who in that company, or in trusted partnerships, has access to what information. Once it’s determined what information is important, it’s possible to create an adequate backup in order to restore systems in the event of a ransomware attack or hardware failure.
“A lot of workloads go into the cloud these days, instead of it being locally built or an on-premise system, so it’s important for businesses to understand the risks of operating in the cloud,” said Fricke. “Again, you can outsource operations security risk development but ultimately you own the risk at the end of the day. You have to make wise decisions and understand how people are accessing, controlling and managing the data you have.”
Taking an inventory of what data and systems need protecting helps decision makers not overspend or deploy the wrong controls. An overly complex security system is hard to manage appropriately. By giving valuation to information, businesses can protect the most important data inside layers of security.
Antivirus and antimalware software are common sense steps businesses can take to keep information safe, as well as having trained employees scanning the network and monitoring it.
“[Businesses] need to have security awareness, have employees have security awareness and know what sort of things to look out for,” said Cameron Call, technical operations manager, Network Security Associates. “You can put strong locks on a door but if someone goes and unlocks the door and lets anyone right on in because someone lies about who they are, those protections won’t do much for you.”
Stopping Weak Links
Banks are highly regulated in terms of what data security they’re expected to provide: continuous monitoring and reporting systems, encryption and security controls.
Banks have enough safeguards in place that, more often than not, it’s the clients who get compromised and in turn, compromise the financial institution.
One of the cheapest and most effective, nontechnical, administrative things a company can do is put in place role-based access control. The fewer people who have access to information, the less that information is exposed.
For employees who do need access, training and awareness are paramount. Equally important as knowing what information to defend is training the people who work with the data. Training staff is vitally important because of the number of times they’ll encounter deep fakes, fraud, spam and phishing.
BEC—business email compromise—is one way threat actors gain access to systems. It can start with something as simple as mistyping a recipient’s email address, so that sensitive information is shared with the wrong party.
Once a business email is compromised, threat actors can use it to communicate with the bank, which believes it’s still dealing with a trusted customer. Essentially an imposter has compromised the business email account, and is communicating with the financial institution, trying to execute wire transfers or steal information.
Banks have controls in place to detect wire fraud and other types of fraud, but if business protocols aren’t recorded on paper and staff aren’t aware of how to identify social engineering, there’s going to be a problem.
“What this really means is a bad actor will misuse someone’s reputation and pretend to be coming from that source, or they’ll misuse a site and trick someone into some kind of urgency in order to steal their credentials and part of that is just any type of information they can get,” said Marlene Veum, director of information security, Nevada State Bank.
The stolen information may then be used anywhere, not just on a banking site. Threat actors know that most people have so many user names and passwords they’re probably just recycling them. Once they get into a system using guessed or stolen credentials, they can use what they find there to appear credible and convince their target to sign in to what appears to be a trusted site, such as the U.S. Census, by providing a link to a different site where they can steal more information.
Snowball Effect
“Once they get those user credentials, they’ll sell them on the black market, and they’ll try to break into legitimate services,” said Veum.
If the stolen credentials lead to a bank account, the information sold is likely used against both the bank and the customer. The financial institution is regulated to have systems in place to detect when a request looks suspicious, including where it came from, time of day, type of request and other information the bank already has about how customers usually log in. Anything unusual is investigated.
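The kind of check described above, a login or request compared against what the bank already knows about how the customer usually behaves, can be illustrated with a small scoring routine. This is an added example, not code from the article or from any of the institutions quoted; the baseline profile, the event format, the sample events and the weights are all constructed for illustration.

```python
"""Score customer logins/requests against the customer's usual behaviour.

Added example, not from the article. The per-customer baseline, the event
line format, the sample events and the scoring weights are constructed.
"""
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed baseline, as a bank might build it from past successful logins.
BASELINES: Dict[str, dict] = {
    "cust-001": {
        "countries": {"US"},
        "active_hours": set(range(7, 22)),   # usual local hours, 07:00-21:59
        "request_types": {"balance", "view_statement", "small_transfer"},
        "devices": {"dev-abc"},
    },
}

# Constructed sample events: "timestamp customer country device request_type"
SAMPLE_EVENTS: List[str] = [
    "2021-06-01T09:15:00 cust-001 US dev-abc balance",
    "2021-06-02T03:40:00 cust-001 RO dev-zzz wire_transfer",
    "2021-06-02T14:05:00 cust-001 US dev-abc small_transfer",
]

# Score at or above which an event is queued for investigation (constructed).
REVIEW_THRESHOLD = 50


def parse_event(line: str) -> dict:
    """Split one constructed event line into its fields."""
    ts, cust, country, device, req = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "customer": cust,
        "country": country,
        "device": device,
        "request": req,
    }


def score_event(ev: dict) -> Tuple[int, List[str]]:
    """Return (score, reasons); each departure from the baseline adds weight."""
    base = BASELINES.get(ev["customer"])
    if base is None:
        # No history at all: treat as fully unknown rather than silently passing.
        return 100, ["no baseline for customer"]
    score, reasons = 0, []
    if ev["country"] not in base["countries"]:
        score += 40
        reasons.append(f"unusual country {ev['country']}")
    if ev["ts"].hour not in base["active_hours"]:
        score += 20
        reasons.append(f"unusual hour {ev['ts'].hour:02d}")
    if ev["device"] not in base["devices"]:
        score += 20
        reasons.append(f"unknown device {ev['device']}")
    if ev["request"] not in base["request_types"]:
        score += 30
        reasons.append(f"unusual request {ev['request']}")
    return score, reasons


def flag_for_review(lines: List[str]) -> List[dict]:
    """Return the events whose score reaches the review threshold."""
    flagged = []
    for line in lines:
        score, reasons = score_event(parse_event(line))
        if score >= REVIEW_THRESHOLD:
            flagged.append({"line": line, "score": score, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for item in flag_for_review(SAMPLE_EVENTS):
        print(item["score"], item["reasons"])
```

Each signal on its own (a new device, an off-hours login) is weak; the point is that several of them together cross the threshold, while an ordinary daytime balance check from the usual device scores zero and is never looked at.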
While banks work to keep customers safe, those customers, in turn, need to not be the weak link. Threat actors don’t just steal credentials from imposter emails and fraudulent sites. Social media sites are a great source of information. A social media friend posts the color of a user’s shirt plus the last thing they ate, their favorite pet and their first car. Separately that information seems innocent enough. Except those are knowledge-based identification questions banks use to challenge identity when a user logs on: favorite color, first car, type of pet. It’s one of the reasons for the switch from knowledge-based questions to time-based authentications that involve a PIN sent to a trusted mobile phone or email, which expires in a short set time. Time-based authentications can protect data when it’s in transit, at rest or in use – meaning being sent online, in a database or in use by the rightful owner.
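The switch from knowledge-based questions to a PIN that is sent to a trusted channel and expires after a short set time can be shown in code. The following is an added example, not code from the article or from any bank; the six-digit length, the five-minute lifetime, the attempt limit and the in-memory store are constructed choices, and delivery of the PIN to the phone or email is assumed to happen outside this snippet.

```python
"""Issue and verify a short-lived, single-use one-time PIN (OTP).

Added example, not from the article. OTP_DIGITS, OTP_LIFETIME_SECONDS,
MAX_ATTEMPTS and the in-memory store are constructed choices; delivering
the PIN to the trusted phone or email is assumed to happen elsewhere.
"""
import hmac
import secrets
import time
from typing import Dict, Optional

OTP_DIGITS = 6
OTP_LIFETIME_SECONDS = 300    # the "short set time" after which the PIN expires
MAX_ATTEMPTS = 5              # stops online guessing of a six-digit code

# user -> {"code", "expires", "attempts"}; a real deployment would use a
# server-side store, this dict is a constructed stand-in.
_pending: Dict[str, dict] = {}


def issue_otp(user: str, now: Optional[float] = None) -> str:
    """Generate a fresh random PIN; the caller delivers it out of band."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    _pending[user] = {"code": code, "expires": now + OTP_LIFETIME_SECONDS, "attempts": 0}
    return code


def verify_otp(user: str, submitted: str, now: Optional[float] = None) -> bool:
    """True only if the PIN matches, is unexpired and has not been used."""
    now = time.time() if now is None else now
    entry = _pending.get(user)
    if entry is None:
        return False
    if now > entry["expires"]:
        del _pending[user]          # expired: a new PIN must be issued
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del _pending[user]          # too many guesses: invalidate the PIN
        return False
    # Constant-time comparison so timing does not reveal matching digits.
    ok = hmac.compare_digest(entry["code"], submitted)
    if ok:
        del _pending[user]          # single use
    return ok


if __name__ == "__main__":
    pin = issue_otp("demo-user")
    print("verified:", verify_otp("demo-user", pin))
    print("reused:", verify_otp("demo-user", pin))
```

The `now` parameter exists only so the expiry can be exercised deterministically; in production it is left at its default. Unlike a favourite colour or first car, a PIN that stops working five minutes after it was sent cannot be harvested from a social media profile and replayed later.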
Keep it simple is one of the first rules of managing data. The more systems data is stored in, the greater the exposure. Businesses need to determine whether information needs to be online, or if it’s just convenient to house it there.
Data minimization means determining what data a company needs to keep about its customers, and what information its employees need. The key concepts here are data minimization, encryption and role-based access control (RBAC).
RBAC means, if the marketing department needs to have contact with a company’s customers, then maybe they have access to email or mailing addresses, but not to more sensitive data like payment information. If there’s a data breach, it’s easier to clean up when what’s been exposed is contact information and not Social Security Numbers or payment information.
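The two ideas above, a ranked inventory of what data the company holds (Fricke’s point under Defending Data) and role-based access that gives marketing contact details but not payment data, fit together in one small policy check. This is an added example, not code from the article or from any of the companies quoted; the field names, sensitivity ranks, roles and the sample customer record are constructed for illustration.

```python
"""Ranked data inventory plus role-based field access (data minimization).

Added example, not from the article. INVENTORY, ROLE_FIELDS and CUSTOMER
are constructed samples; a real inventory would come from the business.
"""
from typing import Dict, Iterable, List, Set

# Inventory: each data element the company holds, with a sensitivity rank.
# Higher rank = protect first (constructed values).
INVENTORY: Dict[str, int] = {
    "name": 1,
    "email": 2,
    "mailing_address": 2,
    "ssn": 5,
    "card_number": 5,
    "bank_account": 5,
}

# Role -> the fields that role legitimately needs (least privilege).
# Constructed roles: marketing gets contact data, never payment data.
ROLE_FIELDS: Dict[str, List[str]] = {
    "marketing": ["name", "email", "mailing_address"],
    "billing": ["name", "email", "card_number", "bank_account"],
    "compliance": ["name", "ssn"],
}

# Constructed sample record; the card number is a well-known test value.
CUSTOMER: Dict[str, str] = {
    "name": "Example Customer",
    "email": "customer@example.com",
    "mailing_address": "1 Example St",
    "ssn": "000-00-0000",
    "card_number": "4111111111111111",
    "bank_account": "000123456",
}


class AccessDenied(Exception):
    """Raised for roles the policy does not know; deny by default."""


def permitted_fields(role: str) -> Set[str]:
    if role not in ROLE_FIELDS:
        raise AccessDenied(f"unknown role {role!r}")
    return set(ROLE_FIELDS[role])


def can_read(role: str, field: str) -> bool:
    return field in permitted_fields(role)


def minimized_view(record: Dict[str, str], role: str) -> Dict[str, str]:
    """Return only the fields the role may see; everything else is dropped."""
    allowed = permitted_fields(role)
    return {k: v for k, v in record.items() if k in allowed}


def protect_first(n: int) -> List[str]:
    """The n highest-ranked data elements: where controls and backups go first."""
    ranked = sorted(INVENTORY.items(), key=lambda kv: (-kv[1], kv[0]))
    return [field for field, _rank in ranked[:n]]


def breach_exposure(fields_exposed: Iterable[str]) -> int:
    """Worst sensitivity rank among exposed fields, a proxy for cleanup cost."""
    return max((INVENTORY.get(f, 0) for f in fields_exposed), default=0)


if __name__ == "__main__":
    print("marketing sees:", minimized_view(CUSTOMER, "marketing"))
    print("protect first:", protect_first(3))
    print("exposure if marketing's view leaks:",
          breach_exposure(minimized_view(CUSTOMER, "marketing")))
```

The `breach_exposure` figure makes the last sentence of the paragraph concrete: a compromised marketing account exposes rank-2 contact details, while a compromised billing account exposes rank-5 payment data, which is the difference in cleanup effort the article describes.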
Trends
Cybersecurity is a constantly changing game of cat and mouse. Where there’s money to be made, people are capable of being amazingly creative. Unfortunately, it’s the same with threat actors.
“The attackers are always coming up with new things to do and security professionals are doing what they do to counteract those things and put protections in place,” said Call. “It’s an ever-changing environment. You have developers for companies releasing new features, [as well]. Maybe a system wasn’t vulnerable yesterday but they rolled out a new feature, there’s a typo and you have this attacker who is constantly on the lookout who can leverage that and get in.”
A technique called fingerprinting is one way threat actors know anything has changed. “They go in and they talk to these services, and the response they get back is different, so they know something is different,” said Call. “They start poking at it and there’s a gamut of tools and scans you can run through to see if you get lucky. If you do that, some attackers, depending on their expertise, can take it a few levels deeper.”
Ransomware remains popular with threat actors. Originally it was designed to lock down a company’s data so they didn’t have access and had to pay a ransom to get it back. Now, Fricke said, attackers first target confidentiality and availability of data. “They will first try to steal a copy of the unencrypted data and then encrypt it so you can’t gain access to it. These days, ransomware attacks are on confidentiality and integrity of unencrypted data.”
Once businesses got smart, Call said, creating their own backups and declining to pay ransom for their own data, attackers switched to threatening to release sensitive information.
“Once the first person did that it wasn’t long before other attackers were doing the same thing and got to the point where the attacks are so common there’s an infrastructure in place to facilitate it,” said Call. “So you have different parties that fill different roles, like a broker. One group says, ‘Hey, I can get you malware; I can get your ransomware on servers.’ [Then], the people that actually lock it down run the encryption and take a cut. It’s almost like affiliate marketing for ransomware where ransomware is the service. Where there’s money to be made people get motivated, unfortunately in the wrong ways,” Call added.
Businesses aren’t always as motivated to invest time and money in cybersecurity. Many are increasingly willing to simply pay insurance premiums and pass along the cost of an attack.
“If it were measured as a country, then cybercrime—which is predicted to inflict damages totaling $6 trillion USD globally in 2021—would be the world’s third-largest economy after the U.S. and China,” said Shaun Rahmeyer, administrator, Nevada Department of Public Safety, Office of Cyber Defense Coordination. “Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.”
Workforce and Education
Universities are creating cybersecurity training programs aimed at people transitioning careers, and bootcamps are very successful for individuals who have an aptitude for IT but don’t necessarily need to be experts in cybersecurity. Most programs are 10 to 12 weeks and allow students to be hands-on in safe environments, working with real-world data.
At University of Nevada, Reno, the Cybersecurity Center covers research, education, training, outreach and dissemination. “It’s interdisciplinary, not necessarily just looking at cybersecurity from a computer files standpoint,” said Shamik Sengupta, executive director. The interdisciplinary view means the center works with other schools including the College of Business, School of Journalism, Departments of Political Science, History, Public Health and Psychology, showing effects of cybercrime on various industries.
The Center also works with businesses in the community, placing interns, inviting employers to provide guidance on real-world challenges and providing assistance to local startups and businesses.
Cybersecurity firms are growing at a rapid rate. Worldwide spending on information security products and services exceeded $114 billion in 2018, an increase of 12.4 percent from 2017, according to Gartner, Inc., Rahmeyer said. The market is forecast to grow to $170.4 billion in 2022.
“Globally, there is a massive skills gap in the cybersecurity industry,” said Rahmeyer. “In the U.S. there are approximately 956,341 individuals employed in the cybersecurity workforce with an additional 464,420 job openings in the industry, according to Cyberseek.org.”
“The cyber threat landscape continues to shift, and with few mature cybersecurity programs in existence—whether government or private sector—the need for organizations to increase investments in agile and resilient cybersecurity programs is paramount,” said Rahmeyer. “Efforts to combat the growing cyber threat require a proactive approach to increasing education, awareness, collaboration and action. The public, business decision makers, and government officials can no longer afford to discount the cyber threat to their organizations and the community,” he added.