Following are answers from a recent interview looking at the threat of cyberattacks and how cyber security has increased in recent years.
Q. What’s driving the shift in cyber security?
A. As the world becomes more digitally connected with a wide variety of available technologies and options, the need to secure the data has increased dramatically. The attack vectors or means to compromise the networks and their controls have outpaced the security community’s ability to analyze and protect their networks. Gaps or single layers of security have enabled hackers to bypass controls.
For many, such as the elderly, technology is a new concept, which puts them at risk of being easily fooled into providing the keys to access their data. Detection of these events is often very slow or even non-existent.
On a larger scale, the bar has been raised. Hackers in the past may have been content with the challenge of what they could get into. Today, success is often measured by the amount of financial or even political damage one can inflict.
Hackers today work as a group more often. They share their methods and tools and communicate extremely well in their own network. This has enabled a larger number of hackers to become extremely proficient in a much shorter period of time.
Q. How do we define the severity of a cyber attack? Is it the type of data stolen, number of people affected?
A. There is no one best answer to this since the impact of an attack affects everyone in very different ways. A single event could be small in size, but have a devastating impact to an organization. The Reputational Risk to a firm can prove to be more costly than a Denial of Service attack, which takes them offline for a period of time. How quickly and effectively a company reacts to the attack can be the difference in how the severity of the attack is measured and perceived.
Q. What type of proactive steps can firms take to protect their client’s data?
A. Know your data (classification). What is highly sensitive, such as PII (Personally Identifiable Information), PHI (Protected Health Information), and financial data (Credit Cards, etc.) including where it is stored. How you protect that set of data is more critical and expensive than the protection of public data. Know how it is transmitted and to where. If it is EU data, ensure that you consider the new GDPR requirements. Know what your access points are and how they are protected. Have the controls tested by a qualified professional who is aware of the many methods to compromise those controls. Finally, use a “Risk Based” approach to determine what resources are needed to apply the appropriate level of controls.
Q. When evaluating cyber security solutions, what do firms need to look for?
A. Define your most critical needs and consider everything. The answer may not always be a technical solution.
Never overlook the most basic layer of protection such as your own employees. Provide appropriate Security Awareness training and test the effectiveness of that training. Their online behavior is your first level of defense.
Ensure that you “discover” what data you have and where it is stored. Is it still needed, or can it be securely destroyed? Analyze who has access and, more importantly, who needs to retain it using Role Based Access Control (RBAC). Implement periodic reviews of your access controls, policies and procedures. Develop comprehensive Disaster Recovery and Business Continuation plans and test them annually.
After confirmation of the effectiveness of your security program and implementation of “Best Practices,” you will be in the best position to determine the need for new technology solutions to close any gaps that have been identified through this process.
Q. Will the threat of cyber attack decrease as firms invest more in defending against them?
A. If you define cyber threat as the possibility to attack, disrupt, access, steal or damage data, unfortunately no. The “threat” will always exist and will only grow in complexity. How well we communicate, educate and protect our valuable data will be the measurement of how well we defend it.