“It’s not who you are but what you’re not doing that makes you a victim to cybercrime,” said Joe Oleksak, leader with Plante Moran’s information technology consulting team, in laying out the importance of developing a proactive cybersecurity plan.
As a recognized national expert dealing with highly technical subject matter – among other responsibilities, Oleksak is a Qualified Security Assessor (QSA) for companies seeking PCI compliance – he has the unique ability to make such material highly accessible to those less tech-savvy, all the while underscoring the operational imperative of protecting customer data.
Make no mistake, despite our best intentions, our data is at risk. From our personal information seemingly locked behind a smartphone’s four-digit passcode (which is not nearly as secure as we are led to believe, requiring a simple voice command to bypass the lock screen) to a company’s massive database of customer information (the headlines continue to reveal breaches of escalating magnitude), we are continually playing catch-up to a growing number of predatory hackers who seek to capitalize on our lack of security vigilance.
While such vulnerabilities appear daunting to address, Oleksak maintains otherwise, citing the latest research:
- The majority of data breaches – 78 percent – are not the result of highly sophisticated attacks but those ranking low (68 percent) or very low (10 percent) on the complexity scale. According to a recent report by Verizon, 97 percent of recent breaches were avoidable.
- Most attacks occur indirectly, through social media. “Hackers know this, and have developed social scams by the thousands, hoping but one will fall victim,” he said. Indeed, since 2010, the number of annual phishing attacks has escalated exponentially, jumping from 187,000 in 2010 to 445,000 just two years later.
Meanwhile, the increase in data breaches has brought with it a commensurate rise in the percentage of breaches that have gone undetected for one month or longer. As a result, the corporate focus must extend beyond initial network design into monitoring, as today’s data breach will not present itself as an alarms-blaring intrusion. “Detection and response represent an extremely critical line of defense,” Oleksak said. “What you don’t know can hurt you.”
No industry is immune from cybercrime, including insurance firms, which have been victim to several recent, sizable data breaches:
- A Texas life insurance firm suffered a data breach that compromised the medical records of its members, which were selling in bulk on the black market for under $7 apiece.
- Nationwide Insurance incurred a breach that affected more than one million of its customers across the country.
- Triple-S Management mistakenly exposed personal data of more than 13,000 of its Dual Eligible Medicare beneficiaries, incurring a fine of $6.8 million by the Puerto Rico Health Insurance Administration.
The Triple-S Management breach should be particularly worrisome, for it attached a cost component to data breaches. “You must be thinking about this for your organization,” Oleksak said, before ticking off the steps organizations should take to protect their networks.
A framework for success
“First, this is not an IT problem but an organization-wide problem,” he said. “To be successful in data security, you must have representation from key business units.”
To begin, there must be a distinct information security budget, along with a security officer who reports to the CFO or CIO independently of the IT department. “Remember, security is an organizational issue, not just an IT issue,” Oleksak said. “IT historically has played a major role in security, but until the business embraces all aspects of security, avoidable breaches will continue to plague organizations.”
Once that initial framework is established, companies must undertake a complete risk assessment, understanding where their data resides and what controls are in place to protect them. “Once you understand the types of data you have, where it’s stored and its impact, you can then evaluate the threats.”
Securing the network comes next, which is accomplished across multiple layers — perimeter security, wireless security, remote access — and with a number of tools, including firewalls, encryption, and anti-virus software. Network monitoring and testing are critical here, to ensure existing controls are effective.
While securing the physical elements of one’s network is essential, so too is securing those who access your network. Target Corp. suffered one of the most extensive data breaches in U.S. history, with hackers stealing tens of millions of customer records. They did so not by penetrating Target’s network directly, but through an access point for one of its vendors. As a result, it’s essential to carefully screen and secure those who use your network, which may include employees, consultants, vendors, customers, and temporary visitors. Additionally, you must understand how access is granted and removed for each user, along with the type of access you are granting, and implement a real-time monitoring program that is capable of uncovering unauthorized access or use of information systems.
Oleksak said there is nearly universal confusion about what it means to create a secure password, which isn’t a reflection of obscure symbols and alternating letter cases. Because software today can generate several billion attempts per second to guess a password, even the most random short sequence of letters and symbols can be cracked relatively quickly, as long as it is an uninterrupted string of characters. “On the other hand, it would take much longer to guess a password that’s a phrase, such as ‘I love my dog Fido!,’ and likely the phrase would be rotated before a hacker would be able to crack it,” he said.
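To put the guess rate Oleksak cites into numbers, here is an added example (not from the article or from Plante Moran) that estimates the brute-force search space of a password and the expected time to exhaust half of it. The 10 billion guesses per second rate and the two sample passwords are assumptions chosen for illustration.

```python
import math
import string

# Assumed attacker speed: the article says "several billion attempts per second";
# 10 billion/s is a constructed round figure for an offline brute-force attacker.
GUESS_RATE = 10_000_000_000

# Character classes; a password drawing from a class forces the attacker to
# include that whole class in the pool of candidates.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",
}

def alphabet_size(password):
    """Size of the smallest pool that covers every character class used."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))

def brute_force_bits(password):
    """Search-space size in bits: length * log2(pool size)."""
    return len(password) * math.log2(alphabet_size(password))

def expected_crack_seconds(password, rate=GUESS_RATE):
    """Expected time: on average half the keyspace is tried before a hit.
    This is an upper bound; dictionary and phrase-based guessing of
    predictable words will do better, which is why rotation still matters."""
    return 2 ** brute_force_bits(password) / 2 / rate

def describe(seconds):
    """Human-readable duration for a number of seconds."""
    for unit, n in (("years", 365 * 86400), ("days", 86400),
                    ("hours", 3600), ("minutes", 60)):
        if seconds >= n:
            return f"{seconds / n:,.1f} {unit}"
    return f"{seconds:.3f} seconds"

if __name__ == "__main__":
    # Constructed samples: a 9-character "complex" password vs. a 19-character phrase.
    for pw in ("Tr0ub4d&r", "I love my dog Fido!"):
        print(f"{pw!r}: pool={alphabet_size(pw)}, "
              f"{brute_force_bits(pw):.1f} bits, "
              f"~{describe(expected_crack_seconds(pw))}")
```

At the assumed rate the 9-character password falls in about a year while the phrase's search space is on the order of 10^18 years, which is the length-over-complexity point Oleksak makes.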
Of course, the most well-intended security measures must contain an equal measure of common sense. While we are familiar with those emails that solicit our bank account information “for verification purposes” or a money transfer to a stranded relative overseas, those campaigns are evolving into more sophisticated schemes that seek to defraud, requiring both vigilance and prudence.
As a result, in order for our sensitive data to remain protected, a collective shift in attitudes must take place, one where we educate ourselves as well as those who use our networks, to ensure that our data is as safe as it can be. Successfully combating cybercrime will take a multi-layered, enterprise-wide approach, Oleksak concluded, one that is ongoing, deliberate and strategic. “It takes people, processes, and technology,” he said. “That’s how you’re going to do it.”