Expert warns of growing cybersecurity threat
Hacking, cyberattacks, call it what you will. The phenomenon has been evolving for decades. And today, more than ever, it is imperative that businesses protect themselves robustly.
With that in mind, Buddy Doyle, chief executive officer of Oyster Consulting LLC, has given a number of key pointers for businesses to consider when creating a cybersecurity programme.
He said that in the early days the biggest reason for confidential or valuable information ending up in the wrong hands was the clumsiness of what he termed “boneheads”.
Hapless mistakes and errors, such as having a company laptop stolen from the back seat of a car, were the primary source of data breaches.
Today, the scenario has flipped and it is malicious attacks by “bad guys” that now account for almost half of all data and cybersecurity breaches. The rest are split between human error and system glitches.
Mr Doyle has substantial experience with data and cybersecurity. He addressed the topic at The Oyster Regulatory Compliance Seminar, held at the Royal Hamilton Amateur Dinghy Club yesterday.
The event was presented by Oyster Consulting (Bermuda), which provides compliance, operational and consulting to financial services and related firms in Bermuda and around the world.
Mr Doyle advised businesses to formulate a programme for implementing robust cybersecurity and dealing with breaches.
“When you build a programme you start with the risk assessment. What are your risks, where are your crown jewels?” he said, referring to core data that would be of most value to a cybercriminal.
“You better have a good barrier around that, because otherwise it is really expensive.”
Mr Doyle mentioned a number of high-profile data breaches and said the average cost of a data breach is now about $4 million. In the US, the average data breach results in 29,000 confidential records ending up in the wrong hands.
Aside from the financial cost of fixing things after an attack, companies run the risk of losing customers either harmed or spooked by the incident.
Mr Doyle said it was also prudent for companies to conduct due diligence on their service providers to see how secure they were when handling confidential data.
“There are a number of things that you can do to protect information and keep it safe. The number one thing is encryption,” said Mr Doyle, explaining that full disk encryption is one option.
While encryption is not a silver bullet — researchers have managed to crack the toughest encryption by listening to sounds made by a computer's CPU — it goes a long way towards making life difficult for cyberattackers.
Businesses creating a cybersecurity programme, having identified their most valuable core data, have to implement a security policy “that puts controls around those risks — and make sure those security policies are aligned with the organisation's”.
Mr Doyle said: “Are people in the right places with the right access to data? Maybe they have too much access. Limit the data to the people that need it.”
Asset management is also important. “Do you know how many laptops you have, and where are they? Laptops can walk out of a company; you can have a closet of old laptops with data on them and someone goes in that closet and picks one up.”
A misplaced or stolen laptop can be used as a gateway into a business's inner sanctum of data.
Mr Doyle said a good cybersecurity plan would take into consideration human resources “to keep bad people out”.
“Criminals can sometimes come from within. Do background checks on your employees, know who they are,” he said.
Further considerations include physical security of buildings and facilities, system access controls that might cause some frustration to employees who have to work within restricted access levels, but this was a necessary trade off, according to Mr Doyle.
He added: “Have an information system plan for changes that gets formal sign off. Have a compliance programme and have an incident response plan and get outside counsel to be part of your incident response plan.
“Have a compliance officer and an information security officer. The new legislation in Bermuda calls it a privacy officer. Have someone in charge to build your programme.”
Oyster has a plan that uses two IT consultancy firms, one to configure and implement systems, and another to monitor the infrastructure and security around the clock. As if that were not enough, the company also conducts regular penetration tests by using the services of an outside agent to conduct unannounced “ethical hacking” to test the company's IT security.
Mr Doyle said it was also important for employees to understand the dangers of social engineering, where cybercriminals harvest personal details from social media networks and can then create a “rational, reasonable scenario” to take advantage of someone.
Things have moved on from the days of dumpster diving, where criminals would gather sensitive data, such as tax records and personal information, from scouring bins. But even today this can be a vulnerability for some business.
“Train your employees. Nothing goes in your trash can except your lunch. You have to lock up your computer. Make sure your screensaver locks every couple of minutes,” said Mr Doyle.
“If you have personal devices, have a way to know what is on them, and how to track them and shut them down. Don't use free wi-fi. Free wi-fi is easy to monitor what is going on — just don't do it unless you are doing something that you just don't care about.”
And most crucially have really good passwords. “Size and complexity are important,” said Mr Doyle.
Wrapping up his presentation, he said: “You have to pay attention. You have to have plan, or at least start thinking about it.”