It wasn’t that long ago that company security meant locking the door at the end of the day. But like nearly every other facet of business, the internet has changed that. Today, threats can come from next door or the other side of the world at any time. Business North Carolina recently assembled a panel of cybersecurity and internet privacy experts to discuss tactics that businesses can use to keep their data private and customers safe.
The discussion was moderated by Brooks Raiford, president and CEO of Raleigh-based North Carolina Technology Association. It was sponsored by EY, which has three North Carolina offices, and Brooks Pierce, whose Raleigh office hosted the meeting. The transcript was edited for brevity and clarity.
What should you know about your data?
BHOWMICK: You need to know the sensitivity of your data. There’s information that won’t hurt you when made public. Then there’s data, such as company secrets, that must stay private. Make those determinations ahead of time so you spend your resources on protecting the most sensitive data. Data security is a daunting task because there is so much to do. It’s more manageable when you focus on what needs the most protection.
GOMEZ: Security is a real issue. Many small businesses don’t recognize that until it’s too late. They may never realize a data breach happened to them. It’s an awareness issue.
THOMPSON: You need a data classification guideline that educates your workers on how to handle each data type. We’re implementing a privacy threshold analysis. When you’re deploying or creating a system, identify what data types are within that system and the requirement for needing it.
KIPPHUT: Most customers and end users are more aware of security and privacy concerns than ever before. They are more comfortable challenging information requests and asking how information is stored and protected. Organizations need to be proactive, ensuring they’re doing the right thing and can respond to customers.
HARTZELL: We’ve had a couple of clients who have had a data breach. It was only afterwards that they inventoried the data that they collect. They realized that they didn’t need some of it, such as phone numbers. Deciding what data is needed on the front end can minimize how much you need to protect.
MASUCCI: If there is a breach and a third-party company is coming in to help, it needs to know where you keep data. We ask for a network map. More than half the time, there is no network map. We’ve become experts at making them.
How do you train employees to safely handle data?
THOMPSON: Some organizations are well versed on cybersecurity, and others are not. You have to be extremely cautious. We made cyberawareness training mandatory this year. We’ve contracted with a vendor that holds training sessions every other month. They’re 10-minute bites on different aspects such as protecting data and password storage. Mobile devices are the primary means of communication. Many people ask about the ability for parties unknown to them to call. In the old days, if somebody faxed you, it used your paper. So you hated the advertisements that piled up every morning. Those pitches are still made, but now they come from unknown numbers. It’s one thing to be trained by your employer, but as an individual, how do you make your mobile device secure? It goes back to education. You may limit your social-media presence, for example, but your family members’ posts may include means to pivot into your accounts. It’s sad that internet engagement comes with such paranoia. The state struggles with legacy systems on its network. It’s probably the same in the federal government and private sector. We have vendors that can’t keep up with software patches, so we devise compensating controls to protect their legacy systems. They have to transition at some point, so we can update to that next version or operating system and be safer.
STERNSTEIN: Yahoo recently discovered a breach, when information, such as user names, phone numbers and birthdates, was lost. It affected about 500 million users. Limit the information that you share. You can’t lose information that you don’t share.
GOMEZ: My son recently left for college. Soon after, we received an email from the bank where we have a joint account stating that he added his credit card to his Apple account. He updated his operating system, and it simply asked for his credit card information. So he entered it without thinking twice. I’m sure it adds convenience to his life, such as when he uses Apple services such as iTunes, but we don’t know the side effects of that action. It’s about awareness. You have to educate people and companies of the risks. Then it’s up to them and what they want to do with it.
KIPPHUT: When a big breach happens, such as with Yahoo, it becomes apparent how many people use the same account information for multiple websites. Those affected will be told, for example, to change their password on other websites. But it can be difficult for the average person to remember all the websites on which they used the same passwords or, more importantly, the same answers to security questions such as birthplace or a pet’s name. And often, knowing those answers means you don’t need a password. Those answers were leaked, too. Social media makes targeted attacks, particularly on executives, simple. It’s not only emails or texts on your mobile device. That’s not fully appreciated.
BHOWMICK: You’ll never be completely protected from breaches. Having a unique password for each website is not reasonable. There are password managers, but a better solution is identifying data’s importance. My bank account, for example, is more important than my fantasy football team. So I’m sure to use different passwords for those websites. I have a web tool that finds a person’s social-media accounts, property records and other information just by entering his or her name and email. It’s way too easy to use. You can’t tell your employees not to use Facebook unless you’re actively blocking it. They’ll use it. They’re going to click links in emails. You have to assume that bad behavior will happen and install enough mitigation to minimize its effects. Security is always going to fall to the individual. When I do risk assessments for other companies, I ask them where their data is stored, how it’s encrypted and who can access it. The internet wasn’t designed to be safe. It’s an open system that everyone uses. Now we’re using it for secure communications and transactions. There are benefits from these things, so we don’t want to stop using them. We’re doing the best with what we have.
HARTZELL: I deal with issues in a particular way because I remember life before digital platforms. Our kids only know life with them. My mother is very willing to click on a link in an email. Each group needs different cybersecurity education. My teenagers need help understanding that the web isn’t completely safe even though it feels comfortable. Safety needs to override convenience sometimes.
Do laws need to catch up with technology?
HARTZELL: Innovation outpaces the law. It’s complicated when new technology causes public concern, such as with camera-equipped drones. They are in the public consciousness, and we hear about creepy situations when they compromise privacy. Constituents share these concerns with elected officials, who respond with local- or state-level bills, sometimes without fully understanding the issue or current legal mechanisms that can deal with them. The worst tack is targeting specific technology with legislation. You can skirt the law by simply altering the technology. Cameras were added to cellphones about 15 years ago. People didn’t know what to do with them at first. Today, cellphones are advertised based on their camera’s quality. We adapted to that technology, which has the potential to be invasive. It’ll probably be similar with drones. That doesn’t mean it’s OK for knuckleheads to use them, such as in the popular example of spying on a teenage girl while she is sunbathing in her backyard. There are laws, such as peeping Tom statutes, that take care of that. Cybercriminals are easy to pursue because their actions clearly violate current laws. But they can be hard to prosecute if they are from a country without an extradition treaty. That’s why these people are operating from particular locations around the globe.
MASUCCI: We’re handling many wire-fraud cases. Money is accidentally being transferred to criminals in countries without extradition treaties. We’ve seen real-estate lawyers and accounting firms, who complete wire transfers regularly, being duped by emails that appear to be from clients. Some are obvious frauds when you examine the spelling and grammar. You would think the recipients would recognize that, but they receive them so often that it doesn’t register. Getting law enforcement involved is difficult. The hackers are hitting smaller or midsize businesses, which often lack security controls. Consumers want the latest and greatest technology, and manufacturers want to sell it to them. It’s demand versus security. Consumers prefer less-complicated products, and that can shortchange security.
BHOWMICK: The Internet of Things — connecting everyday items to the web for data exchange — is a growing problem. Networks have been taken down through these devices, which include thermostats and refrigerators. Their internet connections need to be secure, but they’re not most of the time. Watch third-party vendors who have access to your network. They are being used for access in breaches more often. We see malware, credential theft via phishing and emails that appear to be sharing a document and ask the recipient to click a link and log in. These have been around for a decade. It’s scary that they still work, which happens more than most would like to admit. Executives ask us about attacks such as advanced persistent threats. Those are sponsored by nation states. It’s the 10-year-old tricks that do the most damage. It’s easier for a business to pay ransoms than deal with law enforcement to get their data back. Often they aren’t asked for much money, maybe $500 or so. The perpetrators know who you are, how much they can request and how likely you are to pay.
KIPPHUT: We have done an annual security survey for about 20 years. Recently we started asking, “Where are the biggest threats coming from?” The No. 1 answer by a long shot last year was criminal syndicates. The internet makes it easy to commit fraud. In the past, if you wanted to steal money you robbed a bank. That’s more risky than using the internet to rob one from the comfort of your home with a slim chance of being caught, especially if you are on the other side of the world.
THOMPSON: The FBI says that ransomware cost its victims more than $200 million in the first quarter this year. The law is catching up. More ransomware folks are being prosecuted. We had issues with malicious links in emails 15 years ago, and the solution was to disable links in every email. When I would mention that solution in the private sector, there was concern about the extra work to copy and paste a link into a browser. But those small steps force users to give links a second look, potentially protecting them from peril.
What industries are most susceptible to data breaches?
GOMEZ: Health care systems, manufacturers, government and financial institutions are the most common targets, but no one is safe. Everybody thinks big companies are the most vulnerable, but they aren’t. Small businesses don’t have the infrastructure to secure their environment like larger ones. So many get hit.
STERNSTEIN: Breaches cost each industry differently. [Traverse City, Mich.-based] research firm Ponemon Institute found that each stolen record cost health care providers $359 in 2014. Every organization has something that’s valuable to someone else.
What are some ways to prevent a data breach?
STERNSTEIN: Reward employees who catch problems and when there’s a near miss. Security isn’t an information-technology issue; it’s an organizational issue. Security and legal can’t operate in silos. Everybody needs to work together. An inexpensive and effective solution is tagging the subject line of every third-party email with “external company.” So even if it says it’s from the CEO, that tag will invite a closer look by the recipient.
BHOWMICK: We see email attacks that use Microsoft Word documents with malicious macros, grouped commands that accomplish a task automatically. They aren’t being sent to IT people. They mostly go to human-resources, administrative and marketing staff. We put a header on emails that have document attachments that reads, “This is a document file. It may contain macros.” You can’t miss the warning. It’s big, bold and right there. You have to scroll past it to see the content. It isn’t feasible to ban email attachments. I do vendor assessments. I ask them if they have an incident response plan and if they have undergone an audit of service-organization controls. It examines policy and security and gives you an idea of how the company is run. That helps you make an informed decision about which vendor you want to deal with.
KIPPHUT: Run email tests and scenarios internally to assess your organization’s culture and awareness. The first time you run one, it will be shocking how many people click the link and enter a password before they realize something isn’t right. The next one, maybe six months later, will trick fewer people into clicking the link. It’s not only the security team’s responsibility. One bank that I work with moved part of its security-operations center into the lobby. Putting up screens that show real-time network attacks reminds employees of the importance of cybersecurity every time they come through the door. Cybersecurity is not a tangible thing, and that’s a big challenge. It’s easy for us to say it’s an organization-wide issue, but it’s hard for individuals to understand why it’s important to them. In the last few years, the gap has closed a bit. The dialogue is getting better at the board and corporate level, but there is a ways to go.
GOMEZ: The data-security community needs to break its reactive cycle. When you’re building a digital proposition, invite security. They want to be part of that dialogue, not to say no but here’s how to make it happen safely. Explaining that security is a business function, not only an IT function, to clients can be difficult. We can lock a firewall, but it also is everything else that has to do with the business, the training, the awareness.
THOMPSON: Security professionals have a hard job articulating what’s at risk. It’s hard to quantify a reputation loss. Every organization’s crisis-management plan needs to include a cyberattack response. Then you will know the key players, such as who’s responsible for communications, investigation and incident recovery.
MASUCCI: Companies should discuss cybersecurity and include outside general counsel, internal counsel, human resources and IT. We usually are called by an IT security company after a breach to handle evidence. We don’t often find communication or a chain of evidence custody. It’s not the internal IT team’s fault. They were told by upper management what to do, and they obliged. But we need all the facts and so do general and outside counsels. When we get called in by outside counsel, we’ll send them a list of 100 questions, and most are technical. Then they have to go to that company’s IT department. That can take a while, so the breach information can be delayed.
HARTZELL: When lawyers and a 50-state user notification are needed to respond to a breach, it’s important to have all the facts. Often there’s not that much organization regarding fact collection, chain of evidence custody and delineation of who’s responsible for navigating the investigation. Getting all the facts can be like pulling teeth because often the people that the executives are relying on to know this information don’t have all of it together.