
Expert pinpoints four rules of cybersecurity

Staying safe: four rules for a better cybersecurity posture were detailed by Gilbert Perez, of Fortinet, at a cybersecurity conference hosted by Bermudian-based Fireminds

Cybercrime is one of the world’s fastest-growing industries, representing $1 trillion in revenue lost or stolen. Victims range from private businesses and individuals to government organisations.

The devastating impact of a cyberbreach was spelt out at Fireminds’ second annual Cybersecurity Conference in Bermuda. Attendees also heard about a set of rules that can go a long way to protecting a business from cyberattacks.

Among the speakers was Gilbert Perez of US-based cybersecurity company Fortinet. Highlighting major breaches, he mentioned the US Government’s Office of Personnel Management which, in 2015, suffered a cyber incident that exposed the records of more than 20 million federal employees. A few weeks later there was a major hack of AshleyMadison.com, a dating website for people seeking extramarital affairs.

Mr Perez said that as the two attacks were so close together, it was assumed they were carried out by the same people.

“The attackers only had to correlate the data they obtained from OPM and the data they obtained from Ashley Madison, possibly to target a high official that may have created a profile. Now they can use that data to target that individual.”

Mr Perez used that as an example of how damaging a data breach can be. He said security was important for companies to protect themselves against financial losses, to adhere to compliance standards, to establish trust with customers and improve productivity.

A cyberbreach can start with a simple phishing e-mail. Giving another example, Mr Perez said it could be made to look like a misdirected human resources attachment with a file on the salaries of the company’s executives.

“You may wonder ‘how much are these guys making?’ and attempt to open that file before realising you just gave the [bad] guys entry onto the network,” he said.

Other methods could involve freebie USB drives, or mobile phone apps that covertly gather information on what the device is doing and the networks it is accessing. In the past two years there have been widespread, largely automated ransomware attacks such as WannaCry and NotPetya.

Mr Perez said the average life cycle of a cyberattack is 250 days. Based on a survey of companies, it takes 170 days for an attack to be detected, 39 days for it to be controlled, and a further 43 days for full remediation.

“That gives plenty of time for hackers to do whatever they please and steal information. We believe it is not a matter of ‘if’ you get attacked, but ‘when’ you get attacked.”

Mr Perez spelt out four rules for a proper cybersecurity posture. The first was “complexity is the enemy of security”. He described how, over time, a piecemeal approach to security often results in many different products being deployed to address vulnerabilities in the various devices that access a network, each with its own management portal.

“When your company has to create a security policy you have to go into these different devices to ensure that security policy is being enforced.” Mr Perez said a better solution is to have things such as antivirus software, web filtering systems and application controls simplified and consolidated.

He said the second rule is visibility.

“Visibility is critical. When you are being attacked it is important that you understand what is happening,” he said, explaining that as the Internet of Things grows and more devices such as mobile phones and laptops are added to a network, it is important to be able to control what those devices can do, and to have endpoint security.

The third rule is to have internal segmentation. Mr Perez said large companies have an internet firewall but go further by segmenting their networks internally and deploying firewalls with different security policies for the different devices on the network.

“Where your mission critical data is, you may need to do additional segmentation, so if a hacker does get in through a branch office firewall or internet facing firewall they will be limited into how far into the organisation they will go,” said Mr Perez.

“Internal segmentation is one of the ways companies are looking at mitigating an attack, should one take place.”
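As an added illustration of the third rule (this is not code from the talk or from Fortinet), the Python below models an internal segmentation policy as a short allow-list and renders it to an nftables forward chain whose default action is drop. The segment names, address ranges and ports are assumptions chosen for the example; `is_allowed` evaluates a candidate connection the way the rendered ruleset would, so the design can be checked before anything is deployed.

```python
"""Internal segmentation as a declarative allow-list, rendered to nftables.

Added example, not code from Fortinet or the conference. Segment names,
address ranges and ports are assumptions chosen to illustrate the point
that a foothold in a branch office must not be able to reach the
mission-critical data segment directly.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed network segments (constructed for this example).
SEGMENTS = {
    "branch": ipaddress.ip_network("10.10.0.0/16"),  # branch-office user LANs
    "corp":   ipaddress.ip_network("10.20.0.0/16"),  # head-office user LAN
    "apps":   ipaddress.ip_network("10.30.0.0/24"),  # application servers
    "data":   ipaddress.ip_network("10.40.0.0/24"),  # mission-critical databases
    "mgmt":   ipaddress.ip_network("10.50.0.0/24"),  # admin jump hosts
}


@dataclass(frozen=True)
class Rule:
    src: str    # source segment name
    dst: str    # destination segment name
    proto: str  # "tcp" or "udp"
    dport: int  # destination port
    why: str    # business reason, emitted as an nft comment


# Everything not listed here is dropped by the chain's default policy.
ALLOWED = (
    Rule("branch", "apps", "tcp", 443,  "branch users reach the app tier"),
    Rule("corp",   "apps", "tcp", 443,  "office users reach the app tier"),
    Rule("apps",   "data", "tcp", 5432, "only the app tier talks to the DB"),
    Rule("mgmt",   "apps", "tcp", 22,   "admins via jump host"),
    Rule("mgmt",   "data", "tcp", 22,   "admins via jump host"),
)


def segment_of(ip: str) -> Optional[str]:
    """Map an address to its segment, or None if it is in no known segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Decide a new connection the way the rendered ruleset would.

    Traffic that stays inside one segment never crosses the internal
    firewall, so it is reported as allowed here; unknown addresses and any
    pair not in ALLOWED fall through to the default drop.
    """
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True
    return any(r.src == src and r.dst == dst and r.proto == proto
               and r.dport == dport for r in ALLOWED)


def render_nft(table: str = "segmentation") -> str:
    """Render ALLOWED as an nftables forward chain with a default drop."""
    lines = [
        f"table inet {table} {{",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
        "        ct state invalid drop",
    ]
    for r in ALLOWED:
        lines.append(
            f"        ip saddr {SEGMENTS[r.src]} ip daddr {SEGMENTS[r.dst]} "
            f"{r.proto} dport {r.dport} accept comment \"{r.src} -> {r.dst}: {r.why}\""
        )
    # Log what the default policy is about to drop so the SOC has visibility.
    lines.append("        log prefix \"seg-drop: \" counter drop")
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_nft())
    # A host compromised in the branch office cannot open the DB port directly,
    # but the application tier can.
    print(is_allowed("10.10.5.7", "10.40.0.10", "tcp", 5432))
    print(is_allowed("10.30.0.5", "10.40.0.10", "tcp", 5432))
```

Running the script prints the ruleset and then `False` and `True` for the two checks: a branch-office host that tries to reach the database port directly hits the default drop, while the application tier is permitted. The logging drop at the end is what turns the segmentation boundary into a detection point as well as a control.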

The final rule for a proper cybersecurity posture, to implement what is called a security fabric, touched on some of the previous three rules. A security fabric is a combination of security strategies and applications that includes endpoint security, where policies are enforced at access points to a network.

Mr Perez said enforcing security policies at access points was a better way to protect against a network becoming infected all the way to its core.

Other elements of a strong security fabric could include a sandbox environment where incoming e-mails are initially scanned and attachments and links are launched to see how they behave in a Windows or Mac operating system.

Describing how his company’s FortiGate appliance works alongside the sandbox, Mr Perez said: “If it detects some malicious software that tries to reach an external server or something to that effect, it can now create a signature on the fly and pass it back to the FortiGate.

“Now the next time the FortiGate sees that same e-mail come in, or that attachment, it blocks it. The devices are speaking to each other, understanding what role they play, and making your posture a lot stronger.”
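The feedback loop described in the last three paragraphs, as an added example in Python that is not Fortinet code and says nothing about how FortiGate is implemented: a toy mail gateway holds unseen attachments for a sandbox, the sandbox reports whether the detonated file called out to an external server, and any indicators it produces block the same content on sight afterwards. The attachment bytes, domain names and the behaviour traces the stand-in sandbox returns are all constructed for the example.

```python
"""Sandbox verdict fed back to a mail gateway as blocking signatures.

Added example, not Fortinet code or anything shown at the conference. It
models the loop the talk describes: the gateway sends unknown attachments
to a sandbox, the sandbox reports what the detonated file did, and the
indicators it produces block the same content on sight afterwards. The
sandbox's behaviour traces are constructed here; a real sandbox would
detonate the file and record the traffic itself.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed: the organisation's own domains, which a document may legitimately contact.
INTERNAL_SUFFIXES = ("corp.example",)
URL_RE = re.compile(rb"https?://([a-z0-9.-]+)", re.IGNORECASE)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def embedded_domains(data: bytes) -> Set[str]:
    """Hostnames referenced by URLs inside the attachment bytes."""
    return {m.decode("ascii", "ignore").lower() for m in URL_RE.findall(data)}


@dataclass
class Mail:
    sender: str
    attachment_name: str   # never used for matching: renaming must not evade
    attachment: bytes


@dataclass
class Signatures:
    """Indicators shared between sandbox and gateway, keyed on content."""
    sha256: Set[str] = field(default_factory=set)
    domains: Set[str] = field(default_factory=set)

    def merge(self, other: "Signatures") -> None:
        self.sha256 |= other.sha256
        self.domains |= other.domains


class Sandbox:
    """Stand-in for a detonation sandbox: behaviours are a constructed table
    keyed by attachment hash (what a real sandbox would observe by running it)."""

    def __init__(self, behaviours: Dict[str, List[str]]):
        self.behaviours = behaviours  # hash -> hostnames contacted after opening

    def analyse(self, mail: Mail) -> Tuple[str, Signatures]:
        h = sha256(mail.attachment)
        contacted = self.behaviours.get(h, [])
        external = {d for d in contacted if not d.endswith(INTERNAL_SUFFIXES)}
        if not external:
            return "clean", Signatures()
        # A callback to an external server is the behaviour the talk calls malicious.
        return "malicious", Signatures({h}, external)


class Gateway:
    def __init__(self, sandbox: Sandbox):
        self.sandbox = sandbox
        self.sigs = Signatures()
        self.sandboxed = 0  # how often a full detonation was needed

    def inspect(self, mail: Mail) -> str:
        h = sha256(mail.attachment)
        if h in self.sigs.sha256:
            return "blocked:known-hash"
        if embedded_domains(mail.attachment) & self.sigs.domains:
            return "blocked:known-domain"
        verdict, sigs = self.sandbox.analyse(mail)
        self.sandboxed += 1
        if verdict == "malicious":
            self.sigs.merge(sigs)   # the "signature on the fly" from the talk
            return "blocked:sandbox"
        return "delivered"


# Constructed sample attachments (not real malware).
LURE = b"macro: GET https://updates.evil-cdn.example/stage2 ... 'Executive Salaries FY'"
LURE_VARIANT = b"macro: GET https://updates.evil-cdn.example/stage2 ... v2 rebuild"
BENIGN = b"Q3 sales figures, see https://intranet.corp.example/reports"

SANDBOX = Sandbox({
    sha256(LURE): ["updates.evil-cdn.example"],
    sha256(LURE_VARIANT): ["updates.evil-cdn.example"],
    sha256(BENIGN): ["intranet.corp.example"],
})


def run_scenario() -> Tuple[List[str], int]:
    """Four mails through one gateway; returns each decision and the sandbox count."""
    gw = Gateway(SANDBOX)
    mails = [
        Mail("hr@corp.example", "Exec_Salaries.xlsm", LURE),            # first sight
        Mail("hr@corp.example", "Bonus_Review.xlsm", LURE),             # renamed, same bytes
        Mail("payroll@corp.example", "Salaries_v2.xlsm", LURE_VARIANT), # rebuilt, same server
        Mail("sales@corp.example", "Q3.xlsx", BENIGN),
    ]
    return [gw.inspect(m) for m in mails], gw.sandboxed


if __name__ == "__main__":
    for decision in run_scenario()[0]:
        print(decision)
```

The first lure is detonated and blocked, the renamed copy is stopped by its content hash without another detonation, and the rebuilt variant is caught only because the sandbox also recorded the server it called; the benign spreadsheet is delivered. The caveat a practitioner would add is that a hash signature covers identical re-sends and nothing else, so an attacker who rebuilds the attachment and moves to a fresh server is back to the sandbox's first-sight judgement.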

During his presentation, Mr Perez explained aspects of Fortinet’s products that address the four rules of cybersecurity posture he described.

The cybersecurity conference, which was held in Hamilton, also heard presentations from Justin Silbert, of LEO Cyber Security, and Ricardo Rodrigues and Diana Silveira of Microsoft.

Michael Branco, chief executive officer of Fireminds, was delighted with the wide variety of attendees at the event, including professionals from law firms, financial services and government.

He said: “There is so much going on in this space. If we did this in six months it would be different.”

Bermudian-based Fireminds intends to host other events this year, with cloud computing and artificial intelligence among the likely themes.