(c) Institute of Chartered Accountants of Scotland. Contact ICAS for permission to reproduce this article., Fintech, Information Technology

Cyberthreats: it’s coming from inside!

By Andrea Murad

Whether malicious or human error and no matter how many protections a company has, internal data breaches are just as significant and even more prevalent than attacks from hackers. How do companies tackle the human element of cybersecurity threats?

Since every company is susceptible to some type of attack and the consequences are costly, the best cybersecurity strategy is to be proactive rather than reactive.

Breaches happen in different ways. Someone could type the wrong email address or accidentally click on a link. A disgruntled employee may deliberately leak information or copy sensitive customer information.

While there are legal protections in some countries and government compliance requirements that do stop some leaks because sensitive data must be accounted for, leaks can still happen.

“It happens with people being irresponsible with how they communicate and also people not being protective of information, but it comes downs to training and awareness, and governance,” said Warren Zafrin, Managing Director, Risk Advisory Services, UHY Advisors NY, Inc.

Deploying enforcement policies and technology also help contain the exposure.

“The current numbers say that the average breach costs $3.8m USD per organization,” said Jonathan Steenland, Chief Operating Officer of the National Cybersecurity Center. “Those are hard dollars, but what is more difficult to quantify is the longer-term impact from a breach of trust.”

Identification and remediation

Once a breach occurs, there are expensive forensic costs to identify the root cause, the extent of what’s been compromised and the necessary remediation. “There’s a handful of things that are becoming common place for companies to do post-breach,” said Jonathan.

Consumers might be provided additional protections like credit monitoring for a number of years, for example, and there are also different types of lawsuits as a result. These costs are tangible and easy to understand and calculate.

Depending on how much intellectual property was lost however, the long-term impact of that loss and any resulting shift in the competitive landscape within that industry is harder to calculate.

This effect often takes a few years to play out, and the shift might be from a significant breach that happened a few years back and not from a new competitor with comparable technology or services. Connecting the dots to the breach is difficult, and the financial impact would likely be much higher than $3.8M, said Jonathan.

Companies can protect themselves with a heightened level of resiliency and operational readiness to be able to sustain a breach and move forward, but the strategy starts at the top.

This means having a comprehensive system in place so that companies can assess where to make any necessary changes.

Here are tips to develop an effective strategy that focuses on people, process and technology:

1. Training

People are always the weakest link, and the first defense is to train staff on basic cyber awareness; like how to spot phishing emails and social engineering attempts, and to be more careful when sending emails with sensitive information. Good technology can mitigate these threats, and having processes will give employees a way to report any suspicious activity.

2. Change password policies

A robust password policy with two-factor authentication, for example a text or a rolling token in addition to a password, will properly protect data and prevent 90% of breaches, said Andrew Beckett, Managing Director and EMEA Leader for Kroll’s Cyber Risk Practice.

Also, consider requiring this additional step on any cloud systems and to access sensitive information like intellectual property, data used by human resources or finance, or customer details, for example.

3. Use encryption

Encrypt data at rest on servers or a hard drive, or anything that’s transmitted. “If you do decide to encrypt, encrypt it properly so it’s stored securely,” said Andrew. “If you’re going to send an email with sensitive data, make sure that’s encrypted even if that email is internally in the office, because your biggest threat is the insider.”

4. Monitor systems

Know who interacts with assets and where those assets are located, for immediate response to unauthorized access. Monitor employee access to information and their actions so that if a disgruntled employee copies a contact list to a thumb drive, for example, you’re able to flag this abnormal behavior, investigate it and take any necessary actions.

5. Use the right technology

Deploy suitable technology, like firewalls, encryption, secure access and segregating networks with VPNs, but along with installing the technology, configure it as well. Firewalls, for example, are an essential part of any network and on many computers, but attackers get through because people don’t change the default passwords. Also, install software updates as these tend to also have security updates that protect against the latest threats.

“There are numerous ways of defeating firewalls, but just because they’re defeated doesn’t mean you’re wasting your money – put it in place, change the default settings, and make sure it’s updated to the most current version,” said Andrew.

6. Avoid public Wi-Fi

Fake Wi-Fi networks are often mistaken for a public network, and when people use the wrong network, someone else can see all their traffic, like login credentials and emails. Two-factor authentication can protect passwords as does using out-of-band communications.

7. Apply governance

A good first step is to set governance and appoint an employee at the top to take an active lead and be responsible for security. Even if there isn’t a regulatory requirement, there are dozens of standards that can be applied and used for monitoring purposes.

8. Create infrastructure

“Make sure that staff understand how to report suspicious activity on the network, have appropriate escalations and procedures, and have suitable external relationships in place,” said Andrew.

For some companies, this might mean having external counsel on retainer and an external computer forensics company to provide advice in the event of a breach, as well as crisis PR companies who can help with the disaster. Also, build relations with the local law enforcement to report cybercrimes.

This article was originally published in CA Today.