On March 5, Deloitte invited members of the local business community in Vancouver, Canada to attend a Risk Series breakfast session on cybersecurity and how to mitigate cyber threats. The presenters, Albert Yap, Cyber Risk Partner, and Tarlok Birdi, Cyber Risk Senior Manager, provided compelling statistics about cybercrime and many valuable insights on what businesses and organizations can do to manage their risk.
One of the interesting things that stood out during the presentation was that 92% of cybercrime incidents can be described by nine basic patterns, and that 72% of incidents can be described by just three of these nine, namely cyber-espionage, point-of-sale intrusions, and web application attacks. Those three patterns account for some of the high-profile data breaches from 2014, such as Target and Home Depot.
Below are the top 10 takeaways from the session:
- Educate the user community
  - Your organization’s staff are the first line of defence against cyber threats and attacks.
  - Train staff to recognize and defend against the social engineering and intelligence gathering that hackers use to infiltrate corporate computer networks.
- Don’t use unsecure email for sharing sensitive information
  - Hackers can easily intercept and read the contents of unsecure email messages.
  - Sharing sensitive information, such as passwords, over unsecure email is very high-risk.
- Understand situational awareness and couple it with threat intelligence
  - Take stock of the digital assets within your organization that need protecting.
  - Be aware of potential threats and how to defend against them.
- Limit privileged access and monitor it where it’s required
  - Privileged access, as the name implies, should be limited to those who absolutely require it for their work functions.
  - Keep track of who has been granted privileged access and ensure that it is being used appropriately.
- Third parties are your allies but could be a liability
  - Pay attention to how third-party relationships are managed. For example, Home Depot and Target suffered data breaches due to weak links with contractors.
  - When outsourcing cybersecurity operations, make sure that response levels and protocols are clearly outlined, with clear timelines for response and action.
- Proactively monitor for suspicious activity
  - Perform system security audits on a regular basis to ensure that no suspicious activity is taking place. Without regular checks, it may take a long time before a data breach is detected.
  - Continuous monitoring matters because attack patterns often resemble normal behaviour in order to avoid detection. Threats can be adaptive and go dormant, which makes them harder to detect until an attack is launched.
- Traditional defences are insufficient
  - Relying solely on firewalls and anti-virus software can be very dangerous. Hackers can exploit weaknesses in commonly used security software or circumvent it completely by other means, such as social engineering.
  - Avoid the temptation to treat compliance with security industry standards as a panacea. Target complied with the PCI DSS standard and was still compromised.
  - Identity verification is a highly effective tool for preventing and detecting suspicious activity.
- Be prepared
  - Most organizations have a business continuity plan for natural disasters. What about a serious data breach? Don’t overlook the importance of planning how to respond to a cybersecurity crisis.
- It’s not a matter of if, but when
  - Nobody is immune to cybercrime. Cyber attacks are inevitable, and eventually hackers may succeed in breaking into your network.
- Most importantly, learn from the past
  - Learn from past mistakes, not only yours but also the mistakes of others.
  - Closing potential security loopholes gives hackers fewer opportunities for success.
During the presentation, Albert shared a video from Deloitte UK that demonstrates how organized and effective cybercriminal organizations have become.
Hackers are getting bolder in their efforts and getting away with bigger bounties. Businesses and organizations need to build up their cybersecurity defences through stronger partnerships with law enforcement and by sharing intelligence and best practices within their communities. Cybercrime can be prevented, but only if you’re ready for it.
What is your organization doing to prevent cybercrime?