By Peter Bassill
Companies often assume that, like fish in a large school, safety comes from numbers, not from self-defence. However, in cyber crime, scale is not such a big issue: given the opportunity, hackers can access many sites and databases. Hackers will harvest data at whatever scale the companies themselves will allow – given time, this may be a great deal. Ignoring these threats can cost millions in lost revenue, and more often than not, affected businesses never recover after being victims of cybercrime or cyber espionage.
The recent “Red October” wave of concerted cyber assaults demonstrates that social engineering is by far the most potent tool in the hacker’s arsenal. These attacks occur nearly every day and are often successful, regardless of technical controls and countermeasures deployed within corporate networks.
The Red October malware infected its victims through targeted spear-phishing emails. Thanks to gullible employees downloading the customised Trojan dropper or bringing it into the organisation on infected USB drives, the attackers managed to infiltrate companies across the world.
The illegally harvested data was compiled so that it could be re-used in a variety of further attacks. Thus, when the attackers needed the password for another document, for instance, they could often derive it from information already harvested. In addition, 60 domain names and several server hosting locations based in Germany and Russia were created in order to control the infected PCs.
In essence, many companies’ approach to data security is little more than glorified insurance. The rationale for most businesses behaving this way is that online security is not a board level issue and can be handled further down the command chain.
However, statistics paint a different picture. In a recent CSI/FBI cyber crime report, 73 out of 80 experts asked said that data protection would be the most critical security issue. In comparison, 58 of the experts interviewed agreed that policy and regulatory compliance should be priorities, whereas identity theft, viruses and worms are immediate threats to businesses and should be mitigated accordingly.
To contextualise this, Europol set up the European Cybercrime Taskforce in 2011, which works alongside the European Cybercrime Centre to raise awareness and create points of contact for organisations that need support.
The initial step for companies wishing to protect themselves from cyber threats should be an evaluation of current systems and processes, after which time a plan of action for countering IT security risks should be produced. Penetration testing is one of the key ways in which a company can stay safe and protect its data.
Business owners should look for comprehensive penetration testing services that are fully integrated into ISO27001 and ISO9001 security and quality management standards. This provides an extra layer of confidence when it comes to the quality and confidentiality of the process.
Ironically, basic data security is not that expensive to implement, yet many SMEs believe that it is not affordable and underestimate the beneficial effect it will have once in place. However, affordable Virtual Chief Information Security Officer (CISO) and My Information Security Officer (MISO) programmes, managed by senior-level people experienced in the CISO role, are worth considering.
If your organisation is large enough to require a security leadership role, but not quite ready to dedicate an internal resource to the task, these tailored CISO programmes can help achieve your objective by providing a member of your senior management team who leads security programmes and initiatives.
About the author
Peter Bassill is managing director and CEO of Hedgehog Security, an information security and penetration testing specialist. Peter’s expertise extends from risk management and security to business development. A trusted adviser to a number of UK organisations including Microsoft, Peter is also a frequent keynote speaker at international information security events such as RSA and Infosec Europe. Peter sits on the ISACA Cyber Security Board and is one of Microsoft’s trusted advisors for cyber security.
About Hedgehog Security
With over 100 years’ worth of accumulated information security consulting, gained across a variety of sectors, Hedgehog Security helps businesses to secure people, processes and technology in a continually evolving digital world. The company offers creative information security consulting solutions across the security sphere that can be applied to any business, enabling customers to save vital capital, increase their profit and avoid unnecessary regulatory, compliance and legal issues. The company specialises in penetration testing, virtual Chief Information Security Officer (CISO) and My Information Security Officer (MISO).