Is your data secure?
In light of numerous recent data breaches, cyber security has become an executive level issue for organisations of every size and in every sphere of activity. Customers, business partners and investors are asking management tough questions, seeking assurances that their data is secure. This is especially true for organisations who handle confidential, financial data and personal information such as medical records.
Where to start?
For organisations who are contemplating enhancing their level of information security, it can be a daunting task. The first step to complete is to identify what data is important and needs to be properly secured. This is referred to as data classification. Although this may seem like a trivial task, many organisations are unaware of where and how their most critical data is stored and secured. Once that has been established, the data needs to be looked at through the lens of the CIA. This does not refer to the United States spy agency, but the principals of confidentiality, integrity and availability.
Case in point; in the spring of 2016, the Cayman Islands Monetary Authority (CIMA), issued a Cyber Security circular. CIMA stated that they will soon commence reviews of licensees’ approaches to data security. More
specifically, they said that “…the Authority will also consider licensees’ ability to protect the confidentiality, integrity and availability of sensitive customer and other information.” In a nutshell, these principals ensure that data is protected from unauthorised use (confidentiality); is complete and accurate (integrity); and available for use and processing (availability).
Although CIMA’s cyber security inspections will only affect Cayman Islands entities, readers should expect other regulators to follow this global trend which was initiated by the United States Securities and Exchange Commission (SEC) in 2014.
Employees as firewalls
As part of any cyber security program, employee awareness training needs to be included; cyber security is not only about technology, it’s about people.
Cyber-attacks are often enabled by ill-informed employees who, unbeknownst to them, facilitate the compromise of critical data. For example, in a recent study, researchers at the University of Illinois dropped 297 USB sticks around the Campus; 48 percent of the devices were inserted into a computer by individuals who were unaware of the risks. Had this been a targeted attack against a company, the hacker would have likely succeeded in achieving the goal, which may have been to infect the systems with a ransomware or a virus.
Kevin Mitnick, who I recently had the privilege to meet, is arguably the most famous hacker in the world. Amazingly, he relied heavily on social skills to obtain usernames and passwords to gain unauthorised access to the computer networks of his victims; this technique is commonly called social engineering.
A classic example of social engineering would be someone posing as a legitimate IT employee that requests the targeted employee change their password to “test123” and then use the recently changed credentials to access confidential data. Another example of social engineering that has become widespread, is the CFO attack. It starts with a bogus email received by an employee in the accounting or finance department. The email appears to come from the CFO with a request for an urgent fund transfer. Since the email seems legitimate, the employee is deceived and funds are transferred to the hacker, thus resulting in financial losses.
Employees need to be made aware of these attacks so that they can spot them when they occur.
Employee IT security awareness training has become a key component of cyber security. It takes many forms; classroom training, periodic educational communications, etc. The success of an IT security awareness program can later be measured by simulated email attacks and simulated social engineering.
Regular checks needed
Now that employees have been trained and are able to thwart attacks directed at them, let us focus on the technical parts, which are as important.
Recent hacking incidents highlight the need to perform regular tests on computer networks to assess their vulnerability to hackers. Normally, an organisation will test the vulnerability of the corporate website, the email server and other critical systems which are exposed on the internet. When performing these tests, companies need to be sure that web applications such as client access portals are not overlooked and are tested properly. Web applications are prime targets for attackers since they can provide quick access to highly confidential information.
Organisations also need to consider the insider threat. An insider threat is defined as an employee or consultant who has access to the internal corporate network and who has malicious intent. These individuals may seek to gain access to corporate secrets, financial or personal data or other sensitive information. Regular security audits which, for example, test password controls, measures for revoking accounts of terminated employees and periodic review of access permissions are all tasks which will assist in mitigating the insider threat. For more sophisticated networks and organisations, it may be worthwhile having an internal penetration test performed, where a simulated insider attack is executed in order to identify where and how a rogue employee may be able to gain access to information they are not entitled to. Through these penetration tests, we have been able to demonstrate that a regular employee can easily gain full administrative access to databases which contained all of the confidential client data.
Where breaches do occur, multiple layers of security will likely be an organisations’ saving grace. The fact that a hacker gained access to systems in itself is obviously not an incident to be pleased about. However, if the organisation created a layered approach to security, the fallout may be mitigated. For example, a hacker that was able to capture an entire database of credit card numbers or medical records. If the data is properly encrypted, the information will likely not be accessible. Organisations which store sensitive data need to consider various scenarios which may occur; a firewall and anti-virus software alone are no longer sufficient. Multiple layers of security need to be in place to effectively block attacks.
Where to find help
A third-party organisation should be hired to assist with periodic testing even if the company has internal cyber security skills. When hiring a third party, the company should take the time to clearly explain their concerns and the overall objectives for having a test performed. It is important to ask the testing organisation about its methodology, its reliance on automated testing tools and the skill set of the individuals who will be performing the work.
The bottom line
In this day and age, simply relying on the traditional controls such as a firewall is no longer sufficient. Companies should regularly test their internal and external networks for vulnerabilities. Employee awareness training is a key element of data protection – employees play a vital part in protecting your confidential data.