As soon as the untraceable currency Bitcoin emerged, the Deep Web – a vast district of the internet that is not indexed by standard search engines – had everything it needed to grow into the Dark Web… to scale into a veritable ocean of threats. Your internal data – including your client data – is worth a fortune precisely because Bitcoin enabled users of the Dark Web to monetise every type of information. I’m not just referring to personally identifiable data, but to other forms, such as emails, intellectual property and phone calls. If you want to protect the types of data that are most important to you and your organisation, realise that every technology has two faces: one good and one evil. As consumers, we have been incentivised to focus on the shiny, good intentions of technology, but that is only half of the equation. From what I have observed, companies that are ahead of the curve in terms of safeguarding themselves from external threats typically follow these best practices:
If you don’t have one of these, then it is highly unlikely you are ready to do business with external vendors in the first place. You are simply not communicating and contracting with third parties in the correct way. The Target breach, which exposed more than 100 million customer records, began with a third-party vendor that had poor cybersecurity hygiene.
I was defrauded by a trusted business colleague, who operated with such stealth that I was arrested for his crimes. Being accused of embezzling clients’ money – because my colleague used my bank details to cover his activities – was a significant shock to the system, with repercussions in every area of my life. Had I done one or two pieces of due diligence on that colleague, I would have known from his past employers that there were problems. The red flags were there to be found. All I had to do was a little research – but I never did it.
Think of the widespread issues that corporates now face with i) business email compromise (BEC); and ii) email account compromise (EAC). In May, the FBI reported that total BEC losses around the world between 2013 and this year topped $12.5bn. Plus, BEC and EAC activity rose by a whopping 136% from December 2016 to May 2018. With those grim figures in mind, it is vital for organisations to have an internal alarm system in place, designed to ensure that transactions above certain values are put through particularly rigorous checking procedures before they are processed.
Typically, organisations wait for threats to land upon their sandy beaches – and only then do they react. When I was defrauded, I was in that condition of waiting for the threat. I didn’t think proactively about it. But best-practice organisations are consistently projecting waves of security outwards.

For example, you may consider your first line of security at home in terms of physical barriers: deadbolts, locks and so on. Then it may be digital – say, an electronic alarm system. After that, it may be human: hand-to-hand combat with an intruder. That’s our standard reflex. We’ve been trained to think physical, then digital, then human. But in cyber, you have to reverse the waves. They must go from your island outwards. You must think offensively, not defensively. That requires you to think about what you must do first from the human perspective, then the digital, then the physical.

There are threats that can surf right over the physical and digital stages, such as social engineering. That cuts straight to – and aims to directly exploit – the human element. That’s why it’s so effective. It’s a form of puppetry and manipulation. Daniel Kahneman’s book Thinking, Fast and Slow explored the phenomena we call System 1 and System 2 thinking. Social engineers take advantage of our System 1, fast-thinking processes, which are not really thinking at all, so much as reacting. If you replace the habit of “Yes, I will give you that important information you have asked for” with a new habit of greeting such enquiries with intense scepticism, you will gain an immediate advantage. Ask questions to ascertain whether or not you have a very good reason to divulge the relevant details. That change of habit also applies to situations such as finding a USB stick in your organisation’s car park and being instantly tempted to plug it into your computer to find out who it belongs to. You could be unwittingly smuggling in a malware bomb.
Encourage members of staff to use password-management tools that will enable them to work easily and efficiently with longer passwords. Length is key here, and password-management software overcomes a typical human reflex in password setting, which is to backslide from long and complex strings to ones that are familiar and easy to remember. Also, firm up your account access with token-based, two-factor authentication procedures. I am aware that biometric data is becoming more and more popular, but again, it is data that could in some cases be harvested and used for fraudulent purposes. So I am much more inclined to recommend tokens.
For example, your unpatched cameras, printers or Windows 2000 systems. They are all back doors, ripe for exploitation. More than 80% of the breaches we see are partially caused by out-of-date software. Both the WannaCry and NotPetya ransomware attacks were predicated on Windows software that was readily patchable.
To uncover such vulnerabilities fully, external security audits are critical. Don’t rely exclusively upon internal reviews. Outside inspections will ask questions that may never occur to you and show you problems you never knew you had. Your internal IT crew may not necessarily be sufficiently expert to hunt for some of those issues. A great auditing team will show you a ‘heat map’ of your vulnerabilities in priority order, which will differ from business to business. Work through that heat map methodically and refresh it periodically.
Right now, the average share of capex that organisations spend on cyber defences is about 3%. However, best-in-class firms commit a minimum of 5%. This is an issue that usually needs to be addressed and supported at the board level of the organisation.
Being ready for each and every eventuality – for example, a ransomware plan for what happens when your systems get frozen – will save you millions of dollars in downtime. Breach plans encourage you to think through the solutions well in advance. So, if the worst comes to the worst, you won’t be caught by surprise.
John Sileo is a Colorado-based cybersecurity expert and keynote speaker.