Five Cybercrime Considerations That Should Keep CEOs Up At Night

Greg Edwards

1990's Cyber Security

Twenty years ago, if you talked about computer security no one really knew what you were talking about. OK, so people had heard of encryption, but anything else, like access control, malware or software vulnerabilities, was just not discussed. These topics really weren’t on anyone’s radar, other than a few tech geeks.

Even ten years ago, security was something that your IT admin would deal with when they set up the firewall, or when they told everyone to use WinZip when emailing any documents out.

But we are now in a new era. An era where security has moved from the IT department threshold into the boardroom, where CEOs and CISOs have it on the board agenda as a company-critical action item.

A Few Security Facts

This general movement of security issues into the mainstream has been brought about by a changing cyber threat landscape. Hardly a week goes by without a mention of yet another major cyber attack against a well-known company. This week, we have seen a major denial of service (DoS) attack against Canadian government websites and employee email services. The week before it was an attack on federal government employees’ data through the Office of Personnel Management, and the week before that the IRS was breached, resulting in over $50 million of falsely claimed tax credits being issued to hackers. In the past twelve months this has also included many commercial companies such as UPS, Dairy Queen, JP Morgan and Home Depot.

Only the well-known companies that have their security breached hit the headlines, but small to medium-sized organizations are fast becoming targets for hackers as well, for several reasons. Cybercriminals consider SMBs ‘soft targets’ that are not expecting to be hit, and use them as ‘watering holes’: the smaller suppliers of larger corporations are targeted as a way into the larger corporation, snaring the small one at the same time. No one is safe from cyber threats anymore.

How Threats Affect Your Business

Cyber threats can come into your organization from a number of places - emails, malicious websites, remote media, and even insiders, such as disgruntled employees or consultants. Once in, they impact your organization in a number of ways:

  1. Confidentiality: Malware often targets data. In fact, data such as personally identifiable information (PII) is at the top of the hacker’s shopping list. Health data, for example, is one of the most expensive items available to purchase within the hacking community at $363 per stolen record. As well as your customer data, cyber thieves are also after your confidential and proprietary data. Cyber espionage is on the rise and the USA is one of the most targeted countries in the world, with 54% of all cyber espionage targets being directed here and manufacturing being the most targeted industry.
  2. Integrity: If you lose your proprietary information and intellectual property, your reputation can be seriously affected. Losing your customers’ data and showing the world you do not take security seriously has a huge impact on how your integrity is perceived.
  3. Availability: Malware can cause severe system slowdown and even catastrophic system failure. It can also migrate to critical systems. This can have a massive cost implication, with 1 in 6 small companies going out of business within 6 months of a security breach.

The Five Things A CEO Needs to Know About Security

This brings us to the five things we need to think about and have as topics of discussion during board meetings.

  1. Stealing data: You need to be aware that your organization, along with all companies, is a target for cyber criminals. Phishing is becoming a serious problem and the perfect vector for the insertion of malware onto a computer and a network. Once installed, malware is designed to exfiltrate data off your computer and network, out to a hacker server. Malware can also log keystrokes, so if you enter login credentials into your company online bank account for example, it will steal those, too. Malware is ruthless and needs to be prevented from getting onto your system in the first place. Educating your employees about phishing and how to recognize a phishing email is very important and a good first step.
  2. Regulation and compliance: So many industries now have regulations setting the standards for securing data. HIPAA and PCI DSS are the best known. In April 2015, the House Energy and Commerce Committee approved the Data Security and Breach Notification Act, which outlined the requirements for an organization to protect customer data and ensure its security. Because of recent major breaches, such as the stealing of PII from the Anthem system, regulations around protection of personal data are only going to get stronger, and the fines that go with non-compliance will get even higher.
  3. Brand and reputation: Malware causes loss of data, as we’ve seen. This loss can affect your own intellectual property, causing loss of earnings and a decrease in the market value of your business. If you lose customer data, your good reputation can be lost forever. Another way you can be adversely affected is through a cyber criminal gaining access to your social media accounts (by using malware to exfiltrate your login passwords for those accounts). If a malicious user obtains access to those accounts they can wreak havoc on your brand. An example of this is the Burger King Twitter hack of 2013, which saw the hacker post a message on Burger King’s Twitter account saying that the company had been bought by McDonald’s, changing their logo to the golden arches, just for good measure.
  4. System Downtime: The Infosec Institute worked out that the average time to fix a malware-related breach is 32 days. In this time your computers will either run so slowly that you can’t use them, or you won’t dare use them in case data is stolen. All that while your company is footing the bill for the attack. The Infosec Institute also found that in their sample of U.S. companies the average annual cost of a cyber-breach was $11.56 million.
  5. Customer Impact of Cybercrime: The recent attacks on JP Morgan, Target and Anthem have affected several million people. That data is used to carry out secondary attacks such as the one we saw recently on the IRS. If you lose customer data, it will be sold into the hacking community to be used for further attacks. If you put your customers at risk, not only do you risk fines for non-compliance with security regulations, but you risk losing them as customers, too.

The responsibility for preventing cybercrime needs to be part of the overall governance of an organization. It directly affects everyone in your company, and it must be part of the leadership’s strategy. The increasing sophistication of cybercriminals can only be dealt with by a company-wide, holistic approach to tackling this problem.

To see how WatchPoint can help you with your security strategy and prevent malware infection check out our Security Platform.
