Let’s first break down the actual meaning of cybersecurity. The word “cyber” means “computer”, “computer network”, or “virtual reality.” In practical application, “cybersecurity” is synonymous with information security. Information security deals with protecting the confidentiality, integrity, and availability (CIA) of your organization’s data. Here is a real-world scenario to better understand the context of those words.
- The IT Department failed to add access restrictions to the Human Resources network folder. (Confidentiality)
- A disgruntled employee figured out they had access to the Human Resources network folder and began making changes to sensitive personnel data. (Integrity)
- A few hours go by, and the HR manager gives you a call to tell you that changes have been made to personnel data. You check with your IT Department on restoring the data from a backup, only to learn that the Human Resources folder was never included in the backup job. (Availability)
Defining an Incident and the State of Cybersecurity
As technology becomes more intertwined with our daily lives, it provides convenience but also increases our exposure to threats and risks. There are numerous threats that can put the CIA of your sensitive data at risk. Your organization may be faced with physical threats such as theft or dumpster diving, cyber threats that include malware and phishing, and threats to the human element like social engineering or rogue employees.
A successful attack results in confidential data being stolen or compromised. This is often labeled as a “data incident.” The National Institute of Standards and Technology (NIST) defines an incident as “A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.” Based on an IBM study conducted this year which analyzed data incidents of 350 companies in 11 different countries, the average cost of a data incident was $3.8 million per incident. Most organizations paid an average of $154 per stolen record while healthcare companies paid an average of $363 per stolen record. IBM estimates that the cost of data incidents will continue to increase 10% every year.
Common Threats Your Organization May Face and Opportunities for Improvement
The “human element” is often a company’s downfall when it comes to preventing social engineering attacks. Social engineers aim to seek confidential information or credentials and access to sensitive areas or equipment.
In-person social engineering often will involve in-depth planning with custom equipment, signage, uniforms, and an elaborate back story. The social engineer may be knowledgeable about company operations, including locations and hours of operation. They may name drop to make the story sound more convincing (“I’ve worked with <CFO or CEO’s name> before. They know who I am”), and they will likely make mistakes. They may be unsure who placed the work order, unable to provide a business card or government-issued ID, or appear to be in a hurry. Social engineers will often be polite and courteous until they don’t get what they want; then they may act intimidating or start making threats. This is a low-tech, high-reward approach.
All the technical controls that money can buy are worthless if you have employees who hold the door open for unauthorized individuals. To combat this threat, implement and enforce a visitor escort policy. Ensure a verbal verification process is in place. Ask visitors to provide both a company and government-issued ID. Ensure visitors are ALWAYS escorted by an employee when they request access to non-public areas of the facility, even if you know them. To ensure employees are adhering to the policy, test them periodically.
Social engineering can also occur over the phone. Your employees are the first line of defense when speaking with customers/members. Social engineers may pose as a technical support representative, relative of a customer/member, or vendor. If they are calling as technical support personnel, they will likely ask for employee login credentials or information about computer systems such as IP addresses. If they are calling as a relative of a customer/member, they will likely ask for account information such as balances or outstanding loans. Employees should verify the caller’s identity by asking “out of pocket” questions such as last deposit amount or date of last branch visit. If the caller is calling on behalf of a company, the employee should verify the caller’s information in a phone directory or perform an Internet search, as well as ask for a call back number. Test your employees periodically to ensure they are not disclosing sensitive information over the phone.
Dumpster Diving is the act of sorting through garbage to find sensitive documents and information that have been improperly discarded by employees. Credit cards, technical documentation, data backup tapes, loan applications, floor plans/schematics, and core banking processor reports are just a few examples of items TraceSecurity has found in dumpsters while performing on-site social engineering testing.
If possible, restrict unauthorized access to the dumpster area by using locks and physical barriers such as a fence. Shred your sensitive documents cross-cut style. If your company hosts a “Shred Day” encourage your customers/members to participate. Use this as an opportunity to educate them about the threat of dumpster diving.
Work Area Security
Document theft can occur when employees leave sensitive information on their desks. Unauthorized access can occur when employees write logon credentials on sticky notes and attach them to their monitor, place them under their keyboard, or leave their work area but do not manually lock their workstation. Shoulder surfing, which is commonly seen in reception areas, becomes a threat when a workstation monitor is positioned so that non-employees can see the screen.
To minimize work area security threats, implement and enforce a clean desk policy. Conduct periodic audits to ensure employees are adhering to this policy. Do not allow employees to store their passwords in any clear text format; instead, use password manager applications that encrypt their contents. Ensure employees are manually locking their workstations by pressing the Windows + L keys. Perform a walk-through of your facility and identify any monitors which could potentially be seen by non-employees. If any monitors are identified, consider purchasing privacy screens, or if possible, physically move the monitor.
Mobile Device Security Solutions
Cell phones and laptops make our lives easier; however, they are easy to lose and are prime targets for thieves. To help protect mobile devices, set complex passwords or PINs and encrypt all devices. Use an anti-virus solution; this helps to protect against malicious apps and websites. If you provide corporate cell phones, include an “acceptable use” agreement when the device is issued to ensure employees are aware they are accountable for the safe-keeping of the device. A mobile device management solution should be in place to help ensure unauthorized changes cannot be made to the cell phone, including changing the authentication method and downloading applications. Most importantly, you should be able to “wipe” the device if it’s lost or stolen.
If you provide your customers/members online or mobile banking solutions, encourage them to setup “out-of-band” notifications such as balance notifications, bill pay payee added notifications, and failed logon attempts. This will help alert customers/members of any suspicious activity so they can notify you in a timely manner.
Lastly, consider implementing a hard drive encryption solution for laptops. If the laptop is lost or stolen, this helps prevent unauthorized access to sensitive data stored on the hard drive.
Removable Media Solutions
Removable media can easily be used for malicious purposes, including copying sensitive company information off the network (data theft) and loading malicious data onto the network. Removable media usage should be highly restricted in a corporate environment. If it must be used, a monitoring solution should be implemented, and the data on the device should be encrypted.
Malware, Viruses and Phishing
Always check to ensure anti-virus solutions are functioning correctly and updating on a regular basis. If an anomaly is found, notify your IT Department immediately. Always check the sender’s address in emails. In addition, look for grammatical and spelling errors. If the email contains a link, check the URL by hovering your mouse over the link.
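The two manual checks above (look at the sender’s real address, and compare the link you see with the link you would actually visit) can be automated for triage of reported messages. The following is an added example, not code from the original article or from TraceSecurity: it parses a constructed sample e-mail, flags a sender whose address domain is not on an assumed list of the organization’s own domains, and flags any hyperlink whose visible text is a URL on a different domain than its real target. The sample message, the domain names and the trusted-domain list are all constructed for illustration.

```python
"""Phishing triage checks for one e-mail: sender domain vs display name, and
visible link text vs actual link target. Added example; sample data is constructed."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing e-mail). The display name
# claims a bank, the address is on an unrelated domain, and the visible
# link text does not match the href behind it.
SAMPLE_EMAIL = b"""From: "First Community Bank Support" <alerts@example-mailer.net>
To: employee@example.com
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been locked. Please login imediately:</p>
<p><a href="http://login.example-mailer.net/verify">https://www.firstcommunitybank.example</a></p>
<p>Thank you, Suport Team</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(url):
    """Last two labels of the URL's hostname, lower-cased ('' if unparseable).
    Comparing on this level keeps www.bank.example and bank.example equal."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def check_sender(msg, trusted_domains):
    """Flag a From address whose domain is not in the assumed trusted list,
    regardless of how convincing the display name looks."""
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain not in trusted_domains:
        return [f"sender domain {domain!r} not trusted (display name {name!r})"]
    return []


def check_links(html):
    """Flag anchors whose visible text is a URL on a different domain than the href."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if text.startswith(("http://", "https://", "www.")):
            shown = base_domain(text if "://" in text else "http://" + text)
            actual = base_domain(href)
            if shown != actual:
                findings.append(f"link text shows {shown!r} but target is {actual!r}")
    return findings


def triage(raw_bytes, trusted_domains):
    """Run both checks over a raw RFC 5322 message; empty list means nothing flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return check_sender(msg, trusted_domains) + check_links(html)


if __name__ == "__main__":
    # Assumed trusted domain for the constructed sample organization.
    for finding in triage(SAMPLE_EMAIL, {"firstcommunitybank.example"}):
        print("FLAG:", finding)
```

The domain comparison is deliberately coarse (last two labels) so that ordinary subdomains of your own site are not reported; a real deployment would also want to feed flagged messages to whoever handles phishing reports rather than just printing them.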
Seasonal passwords are easily guessable or crackable and very common. A “secure” password should consist of at least eight mixed-case alphanumeric and non-alphanumeric characters and change on a regular basis. Passwords should not be reused for a specified period of time (6-12 months for example).
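A password that satisfies the length and character-class rule can still be a seasonal pattern, and reuse cannot be checked without keeping a history. The following added example, which is not code from the original article or from TraceSecurity, puts the three rules above into one evaluation routine: the eight-character, mixed-case, alphanumeric-plus-symbol check; a check for seasonal or common-word passwords built from an assumed stem list; and a reuse window (assumed here to be 180 days, the middle of the 6-12 month range) enforced against a salted PBKDF2 history so that old passwords are never stored in the clear. The PBKDF2 iteration count and the stem list are assumptions.

```python
"""Password policy evaluation: complexity rule, seasonal-pattern check, and a
reuse window backed by salted hashes. Added example; stems and window are assumed."""
import hashlib
import hmac
import os
import re
import string
from datetime import datetime, timedelta

MIN_LENGTH = 8
REUSE_WINDOW = timedelta(days=180)   # assumed: middle of the article's 6-12 month range
PBKDF2_ITERATIONS = 100_000          # assumed: tune for your own hardware

# Assumed list of seasonal and common stems; an attacker's word list is far larger.
SEASONAL_STEMS = frozenset([
    "spring", "summer", "fall", "autumn", "winter",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
    "password", "welcome", "letmein",
])


def meets_complexity(pw):
    """True when pw has at least MIN_LENGTH characters and contains an upper-case
    letter, a lower-case letter, a digit and a non-alphanumeric character."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def looks_seasonal(pw):
    """True when the letters of pw, ignoring digits and symbols, are just a season,
    month or common word (e.g. 'Summer2015!'): such passwords pass the complexity
    rule but are guessed early by any attacker."""
    letters = re.sub(r"[\d\W_]+", "", pw).lower()
    return letters in SEASONAL_STEMS


class PasswordHistory:
    """Per-user record of (salt, PBKDF2 digest, date set) so that reuse within
    REUSE_WINDOW can be rejected without ever storing the old password itself."""

    def __init__(self):
        self._entries = []

    @staticmethod
    def _digest(pw, salt):
        return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def record(self, pw, set_at):
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(pw, salt), set_at))

    def reused_within_window(self, pw, now):
        for salt, digest, set_at in self._entries:
            if now - set_at < REUSE_WINDOW and hmac.compare_digest(digest, self._digest(pw, salt)):
                return True
        return False


def evaluate(pw, history, now):
    """Return the list of policy violations for a proposed password; empty means acceptable."""
    problems = []
    if not meets_complexity(pw):
        problems.append("does not meet length/character-class rule")
    if looks_seasonal(pw):
        problems.append("seasonal or common-word pattern")
    if history.reused_within_window(pw, now):
        problems.append("reused within the reuse window")
    return problems


if __name__ == "__main__":
    history = PasswordHistory()
    today = datetime(2015, 6, 1)             # constructed reference date
    history.record("Tr4ce-Audit-Walk", today)
    for candidate in ("Summer2015!", "short1!", "Tr4ce-Audit-Walk"):
        print(candidate, "->", evaluate(candidate, history, today + timedelta(days=30)) or "OK")
```

Note that "Summer2015!" is rejected only by the seasonal check; the complexity rule alone would accept it, which is why the article's advice against seasonal passwords needs its own control rather than relying on character-class rules.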
Key Takeaways and Action Items
- Ensure your company has formalized incident response procedures in place as data incidents are inevitable
- Implement a formalized visitor escort policy and test employees on a regular basis
- Implement a formalized clean desk policy and perform audits on a regular basis
- Implement a formalized mobile device use agreement
- Implement a security awareness training program for employees and conduct training on a regular basis
- Perform a walkthrough of your facility and identify any monitors that can potentially be seen by non-employees
- If possible, restrict the use of removable media
- Ensure sensitive documents are shredded, cross-cut style
- Encourage the use of encrypted password management solutions
- Encourage the use of anti-virus solutions on all devices
- Encourage the use of data encryption on removable media devices
- Stress the importance of using secure passwords
- Encourage employees and customers/members to check URLs by hovering their mouse cursor over the hyperlink before visiting a website
- Use your company’s website and social media presence as a resource to provide general cybersecurity awareness information to customers/members