Plante Moran recently sponsored Chicago's WBBM News Radio’s Spotlight on Cybersecurity webcast featuring Joe Oleksak, a partner with our IT consulting practice. Cybersecurity experts Jerry Irvine, chief information officer of Prescient Solutions and member of the U.S. Chamber of Commerce Cybersecurity Leadership Council, and Adam Levin, chairman and founder of IDT911 and author of Amazon Best Seller Swiped, also participated.
As the discussion began, Oleksak performed a real-time hack, showing just how easy it is to access our personal and professional data. A poisoned Wi-Fi network he created tricked his demo laptop into sharing the username and the encrypted network access password string. Then, with his password-cracking rig making millions of attempts while he spoke, it deciphered the password — a disappointingly predictable "September2016." He had control of the laptop in seconds.
Oleksak and his team impersonate hackers at clients' requests, to test their IT and data security. Recently, for a client celebrating its 50th year in business, his group sent a fake e-card and offer of a $50 gift card. About 70 percent of recipients downloaded the file, unwittingly handing over remote access to their machines.
All participants agreed: When it comes to cybersecurity, people are the weakest link, which is why companies need to instill a culture of cybersecurity. Despite good intentions, employees' sense of urgency to provide fast service can eclipse good judgment. Maybe it's an email that appears to be from a client, asking them to look at important case files. The employee clicks, and that one mistake can expose the whole company.
Education and culture change must start at the top. Gone are the days of the board and C-suite sloughing off cybersecurity as an IT responsibility. Information security is a business issue, and security demands more than technology alone. People and processes are as, if not more, important. Unfortunately, Oleksak sees too much "executive nonchalance" for comfort. Given how dynamic cybersecurity and cyberthreats are, boards need to discuss these issues. Frequently.
Here are a few additional insights shared during the hour-long webcast:
Be careful about the information you share on social networks, Levin noted. Think twice about installing third-party apps on your phone. Use two-factor authentication. Don't give out information by phone or email — much less wire funds — even if the domain name or caller ID suggests it's your bank or the IRS.
In the past three months alone, Irvine has seen at least a dozen companies wire anywhere from $10,000 to over $1 million to scam artists. He pointed out that over 90 percent of hacks are phishing scams caused by users clicking email links. Don't follow such links, ever. The same applies to links in text messages.
Oleksak recommends long passwords, such as "i [space] love [space] my [space] dog [space] fido," which are harder to crack than shorter combinations of letters, numbers, and symbols. Use caution when typing domain names into browsers and connecting to wireless networks.
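To make the passphrase advice concrete, here is an added Python estimator (not code from the webcast or from Plante Moran) that scores both passwords the article mentions under the cheapest attack model that applies to each. The word-list size, the month-plus-year keyspace and the guess rate are constructed assumptions, not figures from the webcast.

```python
import math
import re
import string

# Constructed list of month names, used to recognise the "Month+Year" habit
# behind passwords like "September2016".
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
MONTH_YEAR = re.compile(r"^(" + "|".join(MONTHS) + r")\d{2,4}$", re.IGNORECASE)

# Assumptions for the attacker model (constructed, not from the article).
WORDLIST_SIZE = 7776          # diceware-sized dictionary of common words
MONTH_YEAR_KEYSPACE = 12 * 100 * 2  # 12 months x 100 years x capitalised-or-not
GUESSES_PER_SECOND = 1e9      # a modest offline cracking rig


def charset_size(pw: str) -> int:
    """Alphabet size a naive brute-force attacker would have to cover."""
    size = 0
    size += 26 if any(c.islower() for c in pw) else 0
    size += 26 if any(c.isupper() for c in pw) else 0
    size += 10 if any(c.isdigit() for c in pw) else 0
    size += 32 if any(c in string.punctuation for c in pw) else 0
    size += 1 if " " in pw else 0
    return size


def effective_bits(pw: str) -> float:
    """Entropy estimate in bits: the minimum over every model that fits,
    because an attacker tries the cheapest strategy first."""
    models = [len(pw) * math.log2(charset_size(pw))]      # raw brute force
    if MONTH_YEAR.match(pw):                              # predictable pattern
        models.append(math.log2(MONTH_YEAR_KEYSPACE))
    words = pw.split()
    if len(words) >= 2 and all(w.isalpha() for w in words):  # word-list attack
        models.append(len(words) * math.log2(WORDLIST_SIZE))
    return min(models)


def crack_time_seconds(pw: str) -> float:
    """Expected time to exhaust the estimated keyspace at the assumed rate."""
    return 2 ** effective_bits(pw) / GUESSES_PER_SECOND


if __name__ == "__main__":
    for candidate in ("September2016", "i love my dog fido"):
        print(f"{candidate!r}: ~{effective_bits(candidate):.1f} bits, "
              f"~{crack_time_seconds(candidate):.3g} s to exhaust")
```

The month-plus-year password scores about 11 bits, so a rig at the assumed rate exhausts its keyspace in microseconds, while the five-word passphrase scores roughly 65 bits even against a word-list attack, which is why length beats character mixing.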
Cyber liability insurance is important, Levin said, and businesses should confirm the policy covers extortion in the event of ransomware on their network. Add a cyber fraud endorsement, Irvine added, since in cases of phishing scams the criminals didn't actually breach your system. Rather, they convinced you, under false pretenses, to let them in.
As Oleksak pointed out, companies must have a base level of security and controls in place in order to purchase cyber insurance. "It's even more important to maintain that level of control," he said. The policy won't pay otherwise. In addition, "the threats are always changing...that constant vigilance, that constant assessment of your environment, is just as critically important."