Cyber Risk - Why Every Organization is a Target?
Vice President, Regional Practice Leader – Risk Management (Ontario)
The comment I hear most often when I speak to company leaders about their network security and privacy risk is that they do not believe there is much of a risk. The exceptions, of course, are organizations in financial services, healthcare, education and retail; they all seem to completely understand they have a target on their backs. We are now at a time when companies of all sizes and in all industries need to admit that they are data companies and, as such, are a target. Everyone is a data company today because we all rely on computers to do our jobs.
Computers are designed to create, display, manipulate and store data. If you do not believe you are reliant upon data, unplug all the computers in your company right now and see what happens to your productivity and ability to service your customers. Even if you could get by for a few days, as time passes your operations will start falling apart.
Alternatively, wipe out your company data and see what happens to your product development, business development, and financial reporting. The house of cards quickly falls. We are all dependent on our data!
If you are a manufacturer, a contractor or a transportation company, why would you be a target for a cyber-criminal? What makes you and your data of any interest? Here are a few reasons:
- You are not a specific target; you just had an employee who took the bait when a cyber-criminal randomly sent millions of emails to anyone and everyone around the world. One of your employees got tricked into clicking a link or opening an attachment that unleashed a virus or malware. For cyber-criminals this is a game of large numbers. They craft something that looks legitimate and convincing, buy an email database (all stolen) for $50 off the dark web, blast it out, sit back and wait to see who bites. When someone finally bites, they can now access the network and are free to snoop quietly until they are detected, or wreak havoc, whichever is their approach of choice. Statistically, 50 billion phishing emails are sent globally every month, and 50% of people will click on the link in that email, which is why this method is so popular and successful.
- It is not you, but rather who you are connected to, that is of interest. Today many companies have their systems connected to those of their suppliers, vendors and customers via the internet in order to achieve efficiencies and streamline operations. This means that once one of the connected parties has been compromised, all the connected parties can also be compromised. Remember the Target breach? The criminals did not hack Target directly; they stole the login credentials of its HVAC contractor. This HVAC contractor had access rights to Target's network to carry out tasks like remotely monitoring energy consumption and temperature within stores. Once the criminals were inside the network they moved around quietly and undetected, uploading malware onto the company's point-of-sale systems. The end result? They stole 40 million debit and credit card numbers before anyone knew what was happening.
- Since you do not consider yourself a target, chances are you do not have sophisticated IT security, have never had a third party audit your controls, and have definitely not invested in training your employees. What does this make you? An easy target. Small and medium-sized organizations in particular do not always have the budget for expensive IT security infrastructure, or to bring in a third party to do privacy and security training. Unfortunately, this leaves them more vulnerable to attack. 75% of privacy breach and network security claims are the result of human error due to a lack of employee training.
- People use the same passwords at work as they do at home. Home computers are very easy for cyber-criminals to crack. People generally use simple personal firewalls and often do not keep up with security patches for their operating system and software. Once cyber-criminals have your personal password, they often have your work password too. This is often the main reason why 41% of Fortune 500 companies have their credentials exposed.
- Malware is for sale on the dark web. You and I could buy it today and unleash it on the world. It is a $300 billion industry, and the malware often comes with Service Level and Non-Compete Agreements. There are firms today that are contracted by governments, companies and individuals to build malware that will be used to track and spy on a population or specific individuals, steal data, or inflict damage on a computer system. The volume of malware being produced makes it impossible for anti-virus and anti-malware software vendors to keep up. Today the average amount of time it takes a company to even discover it has been breached is 229 days (which is consistent with what we have learned from the Target and Walmart breaches).
- Law enforcement is not set up to deal effectively with this type of crime. Cyber-crime is often cross-border in nature and requires tremendous resources to investigate, coordinate and prosecute. As a result, criminals today have identified it as an enormous opportunity in which they can operate with almost complete impunity.
- 93% of employees knowingly breach their company's own privacy and network security policy. This is primarily because they see these policies as an impediment to getting their job done. Due to a lack of training, they do not understand the implications of their actions.
- Your data on its own might not be of value, but when combined with other data it becomes very valuable. What cyber-criminals are often trying to do is build profiles. They have a social insurance number that they stole from one source, but they only know it belongs to a person named Mary Smith who works for ABC Corp. However, from other stolen data, they are able to work out that this Mary Smith also lives at 123 Main Street, Toronto. With this information they can link this Mary Smith to a credit card number they stole somewhere else, and the profile of Mary Smith keeps filling in. Eventually where Mary shops, where she travels, what bank she uses, who her husband and children are, and so on is all put together. Sooner or later, the software will build a full profile of Mary, which becomes extremely valuable to sell because it makes identity theft easy. As you can see, it may not be your data on its own that is valuable, but what it can do to complete a larger puzzle.
According to some experts, 100% of organizations (regardless of size) have been breached, but most do not know it. Whether this is completely true or not, it has been proven time and again that large organizations like Sony, Target, Home Depot and the Department of Homeland Security, even with their large budgets, have been breached, often unknowingly.
So what are the critical steps you need to take?
- Admit that you have data (customer, employee, intellectual property, etc.) that is of value to someone and that you are a target for no other reason than your existence.
- Acknowledge that any breach, no matter how small, has a very negative impact on your reputation with your employees, customers, suppliers and vendors. It can take a long time to restore your reputation and, as a result, can be quite costly.
- Invest in training your employees on best practices when it comes to protecting network security and privacy. Explain why certain policies and procedures are in place and why it is important to follow them. If you have only $1 to spend, spend it on training!
- Have a third party firm that specializes in network security and privacy audits come in and audit your systems, premises, policies and practices. They will make recommendations that are often easy and inexpensive to implement and that can dramatically improve your risk profile.
- Since doing all of these things cannot guarantee you will be spared a breach, work with your insurance broker to quantify your residual risk and see whether financing some of it with a cyber insurance policy makes sense.
As you can see, in today's world everyone has valuable data and everyone is at risk. Being proactive about measures to reduce your risk will make you a harder target, protect your reputation, and avoid a lot of costs down the road.