Posts

How to deal with cyber-attacks: publicly or privately?

Cyber attacks spiked 164% in the first half of 2017, compared to the same period in 2016, entailing 918 disclosed breaches, according to reports on broadcaster CNBC. Threats vary from sector to sector. Healthcare, for example, is more susceptible to crypto-locker ransomware like the infamous WannaCry.

Internet-connected consumer devices often fall prey to malware that shackles them to remotely controlled botnets such as Mirai. Varied though the threat may be, and staggering though these numbers are, the word “disclosed” highlights a central paradox: while transparency contributes to the overall fortification of cyber-security protocols and procedures, battening down the hatches presumably mitigates further financial risk.

Sure, a disclosure is immensely beneficial in terms of buttressing industrial safeguards, national and global security, and customer protection – not to mention mitigating the longer-term repercussions of an attack – but so too can disclosure exact lasting damage on a bottom line.

Fighting back

The nature, intent, and consequences of an attack notwithstanding, the way companies have responded to breaches is closely related to their designation: public or private. CFOs at public and private companies face different risks and pressures when it comes to cyber-security and disclosure, and exhibit divergent perspectives when it comes to preparation.

Broadly speaking, public company CFOs are more likely to outsource cyber-security to third-party firms, while private CFOs tend to invest in in-house IT teams. Regardless of who secures a company’s network, breaches are often known by CFOs before they are made public. By disclosing a breach, CFOs of publicly traded companies might trigger investor panic and sell-off, whereas private company CFOs risk irreparable harm to consumer and employee confidence.

On one hand, foreknowledge of pending disclosures can put unique pressure on public company executives, who often own considerable amounts of company stock. The ongoing federal investigation of three Equifax C-suite managers for insider trading arose due to alleged stock dumping prior to the revelation of the company’s catastrophic cyber-attack. Equifax underscores the tension between a public corporation’s responsibility to its board, shareholders, and customers, and the financial implications of both the breach itself and legal requirements governing its reporting and remediation.

On the other, while private companies aren’t under the same legal obligations in terms of disclosure, and while the short-term consequences may be less impactful, these companies still face long-term pitfalls, such as lost trust and tarnished brands. Moreover, a medium-sized business may not have the capital or reserves to recover reputationally or financially after a major data breach the way a multinational corporation can.

Additionally, the moderate scale of many private companies sometimes instills a false sense of security. Middle-market businesses often assume they’ll be overlooked by attackers, whether due to a large number of similar companies, or a lack of enticing assets. After all, isn’t it the bigger fish that stockpile the type of data and info that hackers tend to target?

Be prepared

A lack of proper preparation only exacerbates the panic once an attack does occur. Attempting to deal with an attack on the down low can earn private enterprises a reputation as easy marks, and provoke subsequent attacks. Further, if the rearguard strategy backfires, or is exposed by the press, this can amplify the damage to a company’s brand and leadership, not to mention potential legal consequences if negligence is proven in court.

In terms of the bigger picture, the lack of reliable data pertaining to attacks on private companies leads to lopsided analysis regarding the multifaceted aims and motives driving these attacks, resulting in a sort of half-finished portrait of the threat landscape.

While cybersecurity prevention could be vastly improved by greater information sharing, some surveys of CSOs indicate that only one in seven attacks is reported to authorities. Alas, as it stands, adequate event modeling, and risk and security assessments, are being stymied by a lack of shared intel on private company breaches, effectively hampering the development of comprehensive prevention and management strategies.

This lack has precipitated the introduction of numerous cyber-security regulations around the world, and though the regulatory ecosystem is in a state of flux, the global trend is invariably toward greater transparency. CNBC notes that “governments around the world are introducing legislation which will force more companies to disclose data breaches,” a reach that already extends to private enterprises.

Regulatory environment

Both private and public companies are compelled to comply with local, national and global disclosure regulations, including Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the EU’s General Data Protection Regulation (GDPR).

The GDPR, which regulates the collection and storage of customer information and data, and can levy fines of up to €20 million, requires that private companies disclose breaches if they have a footprint in Europe, or otherwise handle the information of European citizens.

In the US, Sarbanes-Oxley (SOX) indexes the responsibilities of both public and private companies, including rules pertaining to compliance with federal prosecutors, and criminal penalties. Further, HIPAA governs how any company, public or private, handles personal health information.

Though public companies, traditionally, may have shouldered an inordinate amount of the fallout from disclosure, this has left them better readied for the implementation of legislation designed to enforce transparency. Even more advantageous, public companies now have hard-won practice mitigating the financial risks and ramifications resulting from disclosure.

Private companies, by contrast, are less aware and agile in terms of prevention and response; protecting their brand, for example, or proactively communicating with clients. Simply put, having been in battle, public CFOs are stepping up and getting more involved with cyber-security, while private CFOs, hovering on the sidelines, appear far more circumspect.

Make no mistake: this problem is only getting worse. The situation could improve rapidly if execs from companies of all stripes and sizes shared details of attacks with the larger corporate community.

Whether you are the CFO of an international, publicly traded conglomerate, or of a mid-sized regional business, it is well within your portfolio to do everything possible to properly prepare for the threat. Engage with the board, secure funding for proper security controls, and encourage leadership to be forthcoming when, not if, your company’s cyber attack occurs.


About the Author

Andrew Douthwaite has over 17 years of technology experience, having joined VirtualArmour in 2007 as a senior engineer. Now as Chief Technology Officer, Andrew focuses on leading growth in the managed security services business and ensuring VirtualArmour is a thought leader in the security industry.

Getting Started with Small Business Protection

Safety is paramount to the success of your business, which is why larger companies dedicate entire departments to protective measures. Small business owners don’t always have that luxury, leaving them to handle unique risks without a massive amount of protective resources. That creates a real challenge, one that can often lead to digital, physical, and even legal issues most are unprepared to handle.

So, what can you do? Before leaving your failsafes and security protocols to the wind, check out these tips to help make protection a top priority at your small business. From simple office rules to management tools, here’s the ultimate safety strategy.

Get Rid of Personal Devices

Step one to your plan of action should be eliminating personal or bring-your-own devices in the workplace. This reduces the risk of weak links in your security plan, helping to keep the lid tight on your operations.

While this isn’t always possible, there are workarounds to achieve the same result. Instead of removing these devices from your place of business, adopt a universal security package for your employees. The usefulness of managing and auditing your entire IT infrastructure’s user access rights with a tool like SolarWinds can’t be overstated.

Malware Matters

As tight as security may be on your employee end, the world of the web is a malicious place. Malware protection is a vital safeguard for your business, manning the front lines while data enters and leaves your servers. It’s still important to train employees on security and safety measures, but this set-it-and-forget-it protection is something you can’t do without.

Unique Passwords

While this 90’s rhetoric shouldn’t need to be restated in 2018, the number of hacks at even seemingly airtight corporations in the past few years suggests that it hasn’t set in just yet. With a single data breach costing upwards of $1 million on average, this is one area of security you literally can’t afford to overlook.

Ensuring every member of your staff uses a strong password is crucial these days. Have them choose a password that is unique to them, add numbers, and include symbols where possible for the best results. Also, it helps to have your employees change their password every six months to a year.
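The policy described above, as an added example that is not from the original article: a Python password-policy check that enforces a minimum length, requires digits and symbols, rejects a small constructed list of common passwords, refuses reuse by comparing against salted PBKDF2 hashes of the user’s previous passwords, and reports when the rotation window has elapsed. The length threshold, rotation window, history depth and the common-password list are assumptions, not values from the article.

```python
"""Password-policy check illustrating the advice above (added example)."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_LENGTH = 12        # assumed minimum length; the article gives no number
ROTATION_DAYS = 365    # article: change every six months to a year
HISTORY_SIZE = 5       # assumed number of previous passwords remembered
PBKDF2_ITERATIONS = 100_000

# Constructed list of weak passwords; a real deployment checks a breach corpus.
COMMON_PASSWORDS = {"password", "password1", "letmein", "qwerty123", "welcome!"}


def _hash(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so stored history cannot be trivially reversed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_on: date


@dataclass
class UserPasswordState:
    """Per-user history of previous passwords, most recent last."""
    history: list = field(default_factory=list)

    def record(self, password: str, today: date) -> None:
        salt = os.urandom(16)
        self.history.append(PasswordRecord(salt, _hash(password, salt), today))
        del self.history[:-HISTORY_SIZE]   # keep only the newest HISTORY_SIZE entries

    def was_used_before(self, password: str) -> bool:
        return any(
            hmac.compare_digest(_hash(password, r.salt), r.digest) for r in self.history
        )

    def rotation_due(self, today: date) -> bool:
        if not self.history:
            return True
        return today - self.history[-1].set_on > timedelta(days=ROTATION_DAYS)


def check_password(password: str, state: UserPasswordState) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if state.was_used_before(password):
        problems.append("reused from password history")
    return problems


if __name__ == "__main__":
    state = UserPasswordState()
    for candidate in ("password1", "Tr0ub4dor&3xample"):
        print(candidate, "->", check_password(candidate, state) or "OK")
    state.record("Tr0ub4dor&3xample", date(2018, 1, 1))
    print("reuse ->", check_password("Tr0ub4dor&3xample", state))
    print("rotation due on 2019-02-01 ->", state.rotation_due(date(2019, 2, 1)))
```

The reuse check never stores plaintext: each historical entry keeps only a random salt and its PBKDF2 digest, and comparison uses `hmac.compare_digest` so the check runs in constant time regardless of where the candidate differs.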

Physical Security

It isn’t something most business owners want to think about, but individuals within your operation can be just as dangerous as those on the outside. While it is important to trust your employees, it never hurts to utilize cameras and locks when possible. Plus, these tools are an excellent means of theft prevention.

Backup Your Data

From contracts to daily sales, today’s businesses record almost everything online. Technical malfunctions happen at the most inconvenient times, which is why backing up your data is essential. Instead of opting for pricey equipment, consider cloud storage as a frugal yet secure alternative. There are numerous cloud storage services available that can help you create “hard” copies of important information.

Insurance

Even if you’re in the earliest stages of operation, business insurance can save you an enormous headache. Depending on what your business entails, you may need varying types of insurance. Public liability, home business, and indemnity are a few popular examples. Regardless of which kind your business needs, protecting yourself in the event of a worst-case scenario is vital.
Other small business insurance needs include:

  • General liability
  • Professional liability
  • Errors and omissions
  • Owners policy
  • Workers compensation
  • Property
  • Home-based
  • Product liability
  • Vehicle
  • Business interruption

Physical Protection

No, not bodyguards. Physical protection and security come in a wide variety of forms, each of which is as important as the digital measures you’ve set in place. A simple example would be ensuring that your brand is unique to avoid any litigation or legal ramifications.

Another example would be the use of physical documents for contracts and agreements. Aside from creating a professional look, it further protects agreements made between you, your employees, and your clients with a hard copy. Adding arbitration clauses to those contracts is another physical security measure that can prevent legal ramifications down the road.

Finally, physical protection for a small business can be as simple as creating a safe work environment. Working to prevent accidents and encouraging non-discrimination as well as non-harassment policies might not be the first thing on your mind when the word protection comes to mind, but they are just as important as cyber security measures.

Protecting Your Business

Security isn’t something to take lightly in any business venture, but you don’t have to shell out your earnings on an entire department just to make sure your organization is protected. By following the tips and advice above, you can keep every aspect of your small business, from digital to physical, secure while keeping things affordable.

Top Cyber IT Security Trends in 2018

There are few businesses that don’t rely on the transmission of sensitive digital data in the course of their day-to-day operations, and because of this, cyber security is an ongoing concern. Unfortunately, the businesses that are caught in the crosshairs are small to medium size enterprises, or SMEs, since most lack the financial resources to employ full-time IT staff. For those companies looking to keep their data secure in 2018, it helps to become familiar with what is trending in cyberspace security.

From there, owners and directors are in a better position to know how to protect their company’s sensitive data and that of any clients or customers who may also be harmed by even a single breach. Are you concerned over the data held on your computers and connected devices? If so, it pays to understand what you are up against.

Compliance with GDPR Regulations

Probably the biggest trend in cyber IT security is the newly launched GDPR regulations which are to be strictly adhered to by any member state of the EU. Also, anyone who does business with residents in the EU must be in compliance or face a stiff penalty. But, what are these regulations and why are they in place?

The first thing to understand is that the GDPR (General Data Protection Regulation) is in place to provide necessary layers of security to digital data, especially during the transmission of this data. With such a growing concern over data breaches and dangerous system hacks, the EU devised a set of requirements which member states and anyone doing business with member states must adhere to. Summed up, these regulations include:

  • Consent must be given by subjects for the processing of data
  • Privacy is to be protected by keeping collected data anonymous
  • Notifications must be sent if there is a data breach
  • Data must be handled safely across borders
  • Certain companies are required to appoint a DPO (Data Protection Officer)
  • Compliance is mandatory

You will notice that “certain companies” are required to appoint a DPO and it will be this person who oversees the internal IT support necessary to keep data secure. However, SMEs are probably ‘exempt’ from this requirement based on size and company worth. This leads us to the next top cyber IT security trend.

Managed IT Services to Ensure Data Protection

Since it isn’t typically possible for small to medium size businesses to afford full-time IT support staff, a growing trend is to contract IT support providers that specialise in cyber security. Not only is it essential to keep a network up and running but the integrity of data is of ultimate importance to ensure compliance with GDPR. This is a growing trend, second only to understanding the basic guidelines which are to be followed. Even though most companies understand the rules, they are also unprepared for the technical applications which ensure compliance.

Another of the benefits of contracting IT support providers is that they can match your cyber security needs in a bespoke manner. Not all companies have the same needs and so a team of professionals can tailor your cyber security to the type of information stored, the places it is likely to be transmitted and keep any ‘risk’ factors to a minimum based on your system.

Putting AI to Work

Here is one specific task which will almost always need the services of IT professionals. Artificial Intelligence, AI, is on the cutting edge of cyber security. Now IT professionals are using AI to help them quickly identify possible threats without human intervention in order to prevent attacks before they happen. Bear in mind that cyber attacks happen so quickly that by the time anyone is aware that your system has been breached, it’s most often too late.

Then it becomes a matter of making patches to areas through which the hackers were able to gain access to your data. Unfortunately, there is a down side to this as well. There is some amount of concern that hackers will begin using AI because, as is the case with defense, machine learning can assist cyber criminals to find weak spots where doorways can be created. To date, no AI attacks have been noted, so cyber security teams are still one up on would-be criminals.

A Growing Emphasis on Patches

If there is anything the WannaCry ransomware attack taught us, it would be the need to keep up to date with patches as they are released. In fact, statistics show that there are more than 4,000 ransomware attacks daily and that WannaCry was responsible for at least 230,000 computers being attacked in a single day across more than 150 nations. The reason this particular ransomware attack was able to reach that many systems is that their owners failed to download and install the patch Microsoft released after recognising the hole.

These companies either didn’t understand the need for staying current with security patches or simply failed to do so based on time constraints of staff. When no one is in charge of IT security, someone needs to step away from their job to find a fix. This is often insufficient due to lack of knowledge and experience, so here again, it pays to use the services of IT support pros.

A Growing Need for Real Time Defense

Somehow the gap continues to grow between known malware and viruses and what anti-virus and anti-malware tools are able to protect against in real time. As mentioned above, mutations of known malware and viruses are being released daily and it is almost impossible to keep up to date with the tools needed to guard against attack. That being said, IT security teams provide defence at the endpoint so that they can check criminal behaviours before they impact your computer. Malicious behaviours are identified in real time and stopped dead in their tracks before they are able to penetrate your computer.

Connected Devices Are a Growing Concern

Something else to look for in 2018 and beyond is a growing concern over the vulnerability of connected devices that are rolling out by the billions each and every day around the globe. The IoT is a wonderful boon for anyone seeking ease of use or remote access, but when it comes to the potential for hacking, they can be a real risk. Since each device is connected to your computer and through your computer to the network, hackers can now target the device in order to find a back door into your system. You will see a growing emphasis on IoT (Internet of Things) security in the coming years, but this one area is of high importance in 2018.

Why It’s Important To Stay Protected Online

The internet has become an essential part of business management for numerous reasons. Primarily, it is an incredibly useful tool that enables any company to reach out to more people, conduct safe transactions, assess their processes, and source an immense range of tools and resources that can streamline your business management and grow your company. However, with the huge benefits that the digital age offers, there are also some significant risks. It’s vital for any company that is looking to improve and increase its reliance on the internet, to assess the possible risks and limit the chances of them happening. The reasons for this may seem obvious, but some of the issues may not have occurred to you, so here are the three reasons why you should be protecting yourself online.

The growing threat of cybercrime

It would be hard not to have noticed the prevalence of news articles and headlines that report on the latest incidents of cybercrime. Large and small companies are both at risk of costly and damaging cyber attacks, so it’s vital that you as a business owner are not merely aware of the latest threats, but also of the reasons why protection is so important. The increasing sophistication of cyber attacks, in whatever form, means that you need to not only prepare yourself for the risks but ensure that your employees are as aware as you are. It is for this reason that staff training sessions on basic internet security are an essential part of your weekly business management.

It’s a business risk

One of the main reasons why you need to make a concerted effort to protect yourself from cybercriminals is down to the damage that they can cause. This is not simply a case of financial risk, although that’s certainly one of the issues that you need to concern yourself with. One of the primary targets of cybercriminals is not simply access to your bank details, but access to your data. That data, whether it’s that of you, your employees, your customers, or your suppliers, can be used in a number of nefarious ways, with identity theft and phishing the key issues to concern yourself with. The growing sophistication of hackers has led companies to optimize their security methods, with many opting to upgrade rather than update, and transferring to SonicWall firewall technology to create an extra layer of protection between the data that you hold and the criminals that want it.

Staying safe can grow your business in ways that you may not have considered. Having a strong security attitude is not only a good way to stress the importance of strong and secure internet use in your employees, but it can also become an additional selling point when it comes to attracting new customers. As consumers become ever more comfortable browsing and making purchases online, they are also becoming more aware of the risks when it comes to sharing their personal information. Having a robust security system in place is not only vital when it comes to protecting yourself; it could make the difference between a customer trusting you enough to click the transaction button or choosing your competitors.

Think Like A Hacker, Protect Like A Pro

In physical spaces, companies rely on security guards and cameras. They place these measures in areas thieves are likely to target. Cameras point to expensive products. Security guards stand at possible entrance points. Systems like these were built by getting into the minds of thieves.

But, when you take business online, internet security becomes the primary priority. Here, instead of security guards, you’ll have anti-virus software to take care of matters. But, with big companies such as Yahoo still falling foul of breaches, it’s easy to see that anti-virus software isn’t enough. It’s possible, in fact, that the best way to beat breaches online is to get into the headspace of hackers. Just as you would in a physical store, you should think about where such individuals will target you. That way, you can put much more informed protections in place.

Of course, most of us have had years of dealing with thieves. But, hackers are a whole new breed. What’s more, few of us get to watch them in action. While thieves are right there for us to study and understand, hackers operate under a veil of secrecy. But, that doesn’t mean you can’t at least go some way towards getting into the mindset. And, we’re going to look at how.

Work out which information matters most

You don’t need to understand what hackers do to realize that they only target specific information. They’re unlikely to care, for instance, about how many views your page has received that day. Instead, they’re going to target your more vulnerable information. For the most part, that means they’ll go after any credit card details you store. Email listings and customer addresses may also be points of interest. In short: all the information that you want to keep as safe as possible.

When you’ve worked out exactly what hackers are after, it’s time to spread those details thin in your storage files. That way, you’ll make life much harder for potential hackers. And, you can rest easy that a breach in one area won’t compromise everything. Once you’ve spread the information, consider ways to increase security in vulnerable areas. Obviously, you want to protect your site as a whole. Any breach is going to bring a hacker closer to this information than you’d like them to be. But, it’s worth taking extra measures with these files. It’s the only way to be sure they’re as safe as can be.

Know your security weak spots

It’s also essential that you recognize your weak security spots, and strengthen them. Before attempting a breach, any hacker will suss out your business and find their entry point. This is no different from thieves who aim for the back door. The only problem is, you can’t just stick up a CCTV camera and have done with it. But, that doesn’t mean you’re helpless. If you know about these vulnerable areas, you can take extra care to keep them protected. Often, knowing what information hackers will be after can help you here. So, consider that first. Then, think about areas where this information will be at its weakest. In most cases, this happens when customers are first sending information to you. Here, hackers could gain access to card details and such before it even arrives at your site.

But, there’s plenty you can do to cover weak spots like these. Taking payments through an outside provider such as PayPal can go a long way towards security. This can also help keep addresses and email information safe, as PayPal handles all of this. You can keep your non-PayPal customers safe by providing secure connections. Urge them to check for the secure padlock before entering anything.

Another weak spot you should be aware of is when you outsource services. When you pass information to another company, you compromise security. What’s more, hackers know it. If your process involves software development outsourcing, or even remote workers, hackers will attempt to gain information during transfer. Even if they fail here, you can’t be sure of the security used by your outsourced options. To get around this, speak about the issue with companies in question. Together, you can develop plans and passwords which work to keep things safe.

Can one breach lead to another?

It’s also important to consider whether one breach can lead to another. Hackers are out to take everything they can, and will attempt to get as far past your security as possible. Adding many layers to your security system will at least ensure they can’t gain access to everything in one easy hit. And, that’s crucial if you want to provide any reassurance for customers. There are different ways to do this. As mentioned in a previous point, keeping information in different areas can go a long way. It’s also worth operating with a few different security systems in place. That way, working out one doesn’t give a hacker instant access to another. If you’re unsure where to start here, you could always turn to an outside company who can take care of this matter for you. Companies like these make their living anticipating the actions of hackers. As such, they’re sure to be in a better position here than you.

Conclusion

Thinking like a hacker isn’t always easy. As we’ve already mentioned, these individuals will also have anonymity on their side. As a business owner, you just don’t have the choice to watch them as they work. Hence, you’ll always be operating on guesswork here to some extent. But, that doesn’t mean you can’t develop a decent security system. In many ways, hackers aren’t all that different to physical thieves. Only, instead of a shop, they’re breaking into your website. And, instead of expensive stock, they’re out to steal information. With that in mind, you should be able to take any action necessary here. At every turn, think back to the hacker mindset. Remember, too, that technology is developing all the time. As such, you should revisit security measures often to keep up.