Cybersecurity Risk From the Break Room to the Board Room
How can CFOs enable an organization to effectively combat cybercrime while reducing IT security budgets? If this sounds too good to be true, let me explain how it can be done.
Cyber risk is present at every level in every company, from the break room to the board room. In retail, data breaches occur in companies of every size, from Yellowfront, a one-store grocer in Maine, to the massive Home Depot and Target breaches.
Cyber awareness of social engineering attack modes is a management priority, and all employees have responsibility in preventing phishing and spear-phishing attacks from launching malware. Employee training and cyber awareness are essential in reducing risk and the cost of data breaches, in addition to a defense approach with appropriate cybersecurity tools and software.
The CISO is responsible for cybersecurity in public companies and larger organizations and reports to the board, but in mid-market companies and SMBs the chief financial officer (CFO) is often the key cybersecurity stakeholder and enabler. CFOs have a fiduciary responsibility to protect the organization from financial loss and to reduce the risk of negative brand exposure and financial impact due to data breaches.
In fact, CFOs can substantially improve security posture by implementing protections against the following three attack modes:
- Funds transfer fraud via social engineering
- Data breaches causing loss of personally identifiable customer and employee information
- Theft of intellectual property
The CFO as a Prime Social Engineering Target
Mid-market companies and SMBs are getting hit hard by CEO and CFO fraud. One tech company, Ubiquiti Networks, was recently swindled out of $47 million. Another Atlanta-based company was scammed out of $1.8 million. The FBI has reported over 12,000 victims globally with a loss of over $2 billion in just the last two years. And the numbers continue to grow, with a 270% increase in complaints to the FBI since the beginning of 2014.
Centrify fits into the SMB category and our executive team has received numerous social engineering “funds transfer” emails from scammers using look-alike URLs, where fraudsters have attempted to dupe financial team members into wiring funds.
Tom Kemp, Centrify’s CEO, explains exactly what to look for and how to prevent social engineering attacks in your business in his blog, CEO Fraud: A First Hand Encounter.
Yet awareness training is only part of the answer. A company-wide security policy and good internal controls, including separation of duties, are also required. The policy and internal controls should cover access controls and payment processes, restrict account access by individual role, build verification into the approvals process and maintain password hygiene.
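To make the look-alike-domain point concrete, here is an added screening check a finance team could run over inbound payment requests before anyone approves a wire (example code written for this page, not Centrify's; the company domain example-corp.com, the confusable-character table and the sample message are constructed):

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Visual substitutions commonly seen in look-alike domains (constructed list, not exhaustive)
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
def normalize_domain(domain):
    # Collapse look-alike characters so homoglyph domains compare equal to the real one
    return domain.lower().translate(CONFUSABLE_CHARS).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    # Levenshtein distance; a small value against the real domain indicates a typosquat
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reason(sender_domain, legit_domain):
    """Return why sender_domain imitates legit_domain, or None if it does not."""
    if sender_domain == legit_domain:
        return None
    if normalize_domain(sender_domain) == normalize_domain(legit_domain):
        return "homoglyph"
    if edit_distance(sender_domain, legit_domain) <= 2:
        return "typosquat"
    return None

def assess_message(raw_email, legit_domain):
    """List the reasons a finance team should hold this message for out-of-band verification."""
    msg = message_from_string(raw_email)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    reasons = []
    reason = lookalike_reason(from_domain, legit_domain)
    if reason:
        reasons.append(f"From domain {from_domain} is a {reason} of {legit_domain}")
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To points at a different domain ({reply_domain})")
    if re.search(r"\b(wire|transfer)\b.*\b(urgent|today|immediately)\b", str(msg.get_payload()), re.I | re.S):
        reasons.append("body requests an urgent funds transfer")
    return reasons
# Constructed sample message; example-corp.com stands in for the company's real domain
SAMPLE_EMAIL = """From: "CEO" <ceo@exarnple-corp.com>
Reply-To: ceo@mail-relay.invalid

Please wire the vendor payment today; I am in meetings all day.
"""
```

Any non-empty result is a cue to confirm the request by phone with the named executive rather than by replying to the message, which is the control the approvals process should enforce.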
Breaches Cause Catastrophic Data Loss
According to Verizon’s 2016 Data Breach Investigation Report, 63% of confirmed data breaches involved weak, default or stolen passwords. Moreover, the average cost of a data breach in Ponemon’s 2016 Cost of Data Breach Study is $4 million and the average cost per record breached is $158. In the 2016 Ponemon SMB Cybersecurity Report, the financial impact of a breach in small businesses due to damages, theft and disruption to normal operations was $1.82 million.
With this level of financial impact, and the consequences of a failed Sarbanes-Oxley audit and other compliance violations (in the form of a material weakness or significant deficiency), the board room is concerned with cybersecurity.
The CFO is on the front line in representing the board in the cybersecurity battle and is often the executive responsible for:
- Preventing catastrophic loss of data and the subsequent costs, including mitigation costs, class-action lawsuits, fines, loss of business and loss of customers.
- Reducing cyber risk, improving compliance and gaining cost efficiencies.
- Reducing cyber insurance premiums through enforcement of comprehensive cybersecurity policy.
- Protecting company brand and valuation by reducing risk of breach.
Theft of Intellectual Property
The 2014 Sony Pictures Entertainment hack, believed to have been masterminded by North Korean hackers, shows that intellectual property theft can have a devastating effect, resulting in losses worth billions of dollars. In the Sony breach, full copies of unreleased movies, TV pilot scripts, embarrassing executive comments and employee PII were exfiltrated and published to Pastebin.
According to a 2015 Reuters report, hackers steal $160 billion worth of intellectual property every year. IP theft, however, is not limited to big companies.
For example, Codan, an Australian manufacturer of metal detectors, had its metal detector designs stolen after an employee laptop was hacked through a vulnerable hotel Wi-Fi connection while on a business trip to China. The company was unaware of a problem until faulty metal detectors bearing its brand began showing up for repairs with completely different internals.
The counterfeiters of the metal detectors were eventually brought to justice, but the financial impact on Codan was a fall in net profit to A$9.2 million from A$45 million a year earlier as a result of heavy discounting to compete with the fake machines.
Magic Bullets? Improving Security Posture, Increasing Cost Efficiencies
The 451 Group 2016 Data Threat Report is a useful read and highlights that 60% of security investment is spent in the wrong places, i.e. on traditional perimeter defenses.
Senior 451 Group analyst Garret Bekker states:
“Perimeter defenses offer little help defending against multi-stage attacks. Once adversaries pass the first line of defense, there is little standing in their way. Determined attackers will eventually find a way in, yet data-at-rest approaches such as encryption and access controls that have proven effective are not seeing the same acceleration in spending.”
Bekker points out that the barriers to effective data security are complexity and lack of skilled IT staff. The implicit message for security vendors is to make products that are easy to use and require less manpower to implement and manage.
CFOs can cut costs and improve security posture through vendor consolidation (replacing multiple incompatible point IT security products with platform solutions), more automation and services-based delivery.
Best Practices to Reduce Risk of Data Breach and Cyberthreats
The above visual is a summary of a high-level approach that can reduce risk and the cost of cybersecurity.
- With 60% of data breaches caused by weak, stolen or default passwords, it makes sense to consolidate identities, to develop a holistic view of all users and strengthen and enforce password policy or eliminate passwords where possible as a first step.
- Third party IT outsourcing contractors, business partners and associates are a preferred route for hackers to access the corporate network. However, it is only recently that third-party risk is being assessed, managed and monitored. Audits and assessments to evaluate the security and privacy practices of third parties are essential to improve security posture.
- Multi-factor authentication everywhere, including third parties and the VPN, that adapts to user behavior is widely acknowledged as one of the most effective measures in preventing threat actors from gaining access to the network and navigating to target systems.
- Single sign-on to enterprise and cloud apps, combined with automated cloud application provisioning and self-service password resets, cuts helpdesk time and cost and improves user efficiency.
- Role-based access, least-privilege and just-in-time privilege approval approaches protect high-value accounts while reducing the likelihood of data loss from malicious insiders.
- Logging and monitoring of all privileged user commands makes compliance reporting a trivial matter and enables forensic investigation to conduct root cause analysis. Compliance audit reports should only take minutes to prepare, not weeks.
- Network segmentation, isolation of highly sensitive data and encryption of data at rest and in motion provide the best protection from malicious insiders and persistent hackers once inside the firewall.
Data breaches and financial losses from cyberattacks may get a lot worse before individuals and corporations implement better protections.
There are no magic bullets, but with the right strategy, strong security policy and active engagement of all employees, the risk of cyberattack can be drastically reduced. Reducing cyber risk, improving compliance and gaining cost efficiencies in mid-market companies and SMBs is achievable.
Learn more with the latest Centrify whitepaper: A Platform Approach to Securing Enterprise Identities.