Key Takeaways from cStor’s 2016 Executive Leadership Cybersecurity Summit
My Cybersecurity mentor wears a grey hat. That explains why, when it comes to Cyber stuff, I’m leery of trusting “experts”. With that said, former FBI agent John G Iannarelli was a keynote speaker at the cStor 2016 Executive Leadership summit, addressing the state of ransomware and how to manage systems while keeping up with the latest tech advances. I found Mr. Iannarelli’s insights valuable in creating the path forward. I hope you will too. Here is a recap of the presentation.
The FBI has a history of being at the forefront of technology. At the cStor Leadership Summit, former FBI agent John G Iannarelli addressed the state of ransomware and how to manage systems while keeping up with the latest tech advances.
THE STATE OF RANSOMWARE
Ransomware will be a $1 Billion industry this year. The street price of stolen internet items is daunting. For example:
▪ 40M credit cards stolen from processing center in Tucson—$20 Billion loss!
▪ $3.4B from fraud
▪ $52.6B credit card fraud
This means there is a lot to worry about and details to handle. Keeping up can seem like an unforgiving task.
Amid this growing threat, more than 52% of businesses say they are not prepared for an attack, and ransomware is far more likely than a fire or flood. Sensitive industries such as healthcare are under attack. This is a huge deal: cybercriminals are holding hospitals hostage, shutting down facilities and health care.
Hackers are testing access via IoT devices. This is a vast frontier with new facets emerging on the scene every day. Companies must assess vulnerabilities on IoT devices within their company, and protect every data access point.
Business email is a key target for cybercriminals. Simply by changing the personal information of a senior manager and taking on their identity, a hacker can compromise data security. By pretending to be CEO of Snapchat, a cyberstalker accessed the company payroll and personal information of employees. This single act represents 8,000 victims and $1.2 billion in losses.
VICTIM COMPANY EXAMPLE—Document Security Policies & Non-Compete
Having no policies can lead to lawsuits, financial losses and bankruptcy. For a particular debt consolidation company, collecting sensitive information is part of the sales onboarding process. This company, with 100 employees, generated 12k leads per month and spent $450k on marketing.
The IT staff noticed a suspicious IP address logging onto their network. It belonged to a competing company, started by a former employee who had been VP of Ops. When he resigned and started a competing company, they had NO non-compete in place and therefore NO legal recourse. Before resigning, he had filed for a corporate name, website and articles of incorporation. So there was digital evidence of what he was about to do.
Another former employee had given his two-week notice; then, over those two weeks, he downloaded company data. He logged on, accessed the network from his home computer, and gathered lead data, sales data, customer data, etc. This company went bankrupt. There was no policy, nothing in writing that said these former employees could not do what they did.
BREACH REALITY BY THE NUMBERS
- 30% of data breaches are cyber attacks
- 70% are people, not malware
- 1 in 8 employees pose a high level of risk
It is critical that companies establish clear, thorough security policies. Install intrusion flags; early detection is key. Identify the typical behavior of attacks, and require verbal confirmation of requests. For instance, beware of unexpected urgency: hackers watch social media, know when the boss is traveling, and send urgent emails to employees asking for data right away.
Rethink giving access to your network via personal phones and computers, and rethink allowing those who resign to continue having access to sensitive data. Watch for red flags on user activity and online activity. Set clear written policies. Prevent malicious insider threats with education and integrity testing among employees.
Identify what is important; companies can’t retain everything. Focus on what is necessary and have a plan for securely storing the information. Tailor access levels with checks and balances.
The reality is you will be attacked, so create a plan. Be ready. Spend time. Companies are spending four times as much on reparations as on planning before an attack. Designate lead responsibility and determine critical personnel. Ensure procedures are in place to notify law enforcement, the FBI, and InfraGard. Establish relationships to be sure that there is an open line of communication.
In today’s environment, almost everyone is using their own phones. Android is the most targeted phone: #1 for attacks and in theft, with about 3.1 million stolen. When a cellphone is infected and it’s used on the network, it could infect the network and other cellphones. This arena requires strict policies on what one may or may not do on a BYOD device.
Hackers use Wi-Fi for spying. When devices are plugged into a wall, sniffing devices pull data off of the Wi-Fi network in order to spy on competitors, etc. When traveling abroad, in any country, be aware of what you take with you. Is your laptop secure, and what’s on it? Are you carrying sensitive data? Do you have multiple devices? Are any of them unsecured? Be vigilant about where you leave your devices. Even just going through customs, people image a hard drive, move things, change data.
The reality of a cyberattack is that it’s not if, it’s when. Most importantly, it’s how you are prepared to respond. The CISO or CSO doesn’t get fired because they are breached, but they might get fired because of their response! HOW will you respond?