In April 2015, the Federal Communications Commission announced that it had fined AT&T $25 million for failing to protect its customers’ personal information. The names and Social Security numbers of hundreds of thousands of wireless customers were stolen from AT&T call centers. This information was then sold to unauthorized third parties and used for nefarious purposes.
AT&T is certainly not alone. The number and severity of data breaches have increased considerably over the past several years. Although cybercrime has received far more media attention in the last two years than in the previous 20, what we see in the news now is a ripple compared with the cybercrime tsunami bearing down on organizations of all sizes and in all industries.
As cybersecurity has become more mainstream, our overall understanding of the impact that cybercrime has on businesses is gaining more fidelity:
- Cost per compromised record is $158. (Fortune, June 2016)
- Successful attacks jumped 176% year over year. (Bloomberg, July 2015)
- The average time an intruder goes undetected within an organization’s network is 205 days. (The Economist, November 2015)
- Cybercrime surpassed traditional crime in the U.K. in 2015, accounting for 53% of all crimes. (Forbes, August 2016)
However, not all businesses report data breaches, for a variety of reasons (bad press, brand protection, avoidance of law enforcement scrutiny, etc.), so estimates of cybercrime’s adverse effect on businesses vary widely. Additionally, many small and medium-sized businesses whose systems have been compromised go out of business soon after the breach, unwilling or unable to follow data breach notification laws while they struggle to keep the company solvent in its final months. As a result, the reported numbers are not entirely reliable.
What the experts do agree on is that cybercrime is in its infancy and that the reward-to-risk ratio is heavily skewed toward reward, especially once jurisdiction is taken into account. Hackers in Russia and China, for instance, have little to fear if they compromise millions of U.S. records (customer, patient, bank account, etc.).
The Real Impact of a Data Breach
Unfortunately for AT&T, as well as for other organizations victimized by cybercrime, the costs of a data breach can be enormous, even though they are difficult to quantify. While there is some alchemy involved in coming up with hard numbers, a handful of business-impacting areas are generally accepted as the points where cybercrime intersects the business; they are summarized in the accompanying chart.
1. Know your network
The first step in securing an organization against a cyber threat is knowing what needs to be secured.
- Know what hardware you have.
- Know what software you have.
- Know what data you have.
2. Continually look for weaknesses and compromises—and take action
While perimeter security is a worthwhile endeavor, prevention eventually fails. Organizations must therefore also build a rapid detection and response component into their cybersecurity program if they want to stop a small compromise of an employee laptop from escalating into a full-blown data breach and public relations nightmare.
- Scan for external and internal vulnerabilities.
- Monitor all internet traffic as well as traffic to/from critical assets.
- Aggregate, correlate and monitor logs from strategic assets (DNS, servers, firewalls, etc.) since most intrusions leave breadcrumbs.
- Take action when vulnerabilities and anomalies surface, which means having an incident response plan.
- Proactively look for compromises as opposed to assuming your network is secure.
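The log correlation recommended above is easier to picture with a concrete detector. The following Python script is an added example, not part of the original article or any vendor product: it runs two simple checks over constructed firewall and DNS query log lines, one for a host calling the same external address on a fixed period (beaconing) and one for a host requesting many distinct long subdomains under a single parent domain (the footprint DNS tunnelling leaves). The log formats, IP addresses, host names and thresholds are all assumptions chosen for illustration.

```python
"""Correlate constructed firewall and DNS query logs to surface two common
intrusion breadcrumbs: a host beaconing to one external address on a fixed
period, and a host requesting many distinct long subdomains under one parent
domain (the shape DNS tunnelling leaves behind).

Added example. The log formats, addresses and thresholds are assumptions, not
any real product's output.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed firewall log: ISO timestamp, source IP, destination IP, port.
# 10.0.0.23 connects every ~300 s (implant-like); 10.0.0.41 is bursty (human-like).
FIREWALL_LOG = """\
2016-09-01T09:00:00 10.0.0.23 203.0.113.9 443
2016-09-01T09:05:01 10.0.0.23 203.0.113.9 443
2016-09-01T09:10:00 10.0.0.23 203.0.113.9 443
2016-09-01T09:15:02 10.0.0.23 203.0.113.9 443
2016-09-01T09:20:00 10.0.0.23 203.0.113.9 443
2016-09-01T09:25:01 10.0.0.23 203.0.113.9 443
2016-09-01T09:01:13 10.0.0.41 198.51.100.7 443
2016-09-01T09:02:50 10.0.0.41 198.51.100.7 443
2016-09-01T09:31:05 10.0.0.41 198.51.100.7 443
2016-09-01T09:33:00 10.0.0.41 198.51.100.7 443
2016-09-01T09:45:40 10.0.0.41 198.51.100.20 80
2016-09-01T10:10:00 10.0.0.41 198.51.100.7 443
"""

# Constructed DNS query log: ISO timestamp, client IP, queried name.
# 10.0.0.41 asks for eight distinct 12-character labels under example.net.
DNS_LOG = """\
2016-09-01T09:00:01 10.0.0.23 www.example.com
2016-09-01T09:00:02 10.0.0.23 mail.example.com
2016-09-01T09:00:03 10.0.0.23 cdn.example.com
2016-09-01T09:12:00 10.0.0.41 4a6f686e2044.x.example.net
2016-09-01T09:12:01 10.0.0.41 6f652c205353.x.example.net
2016-09-01T09:12:02 10.0.0.41 4e203131312d.x.example.net
2016-09-01T09:12:03 10.0.0.41 32322d333333.x.example.net
2016-09-01T09:12:04 10.0.0.41 332c20444f42.x.example.net
2016-09-01T09:12:05 10.0.0.41 203031303130.x.example.net
2016-09-01T09:12:06 10.0.0.41 373020e2809a.x.example.net
2016-09-01T09:12:07 10.0.0.41 0d0a4a616e65.x.example.net
"""


def parse_lines(text):
    """Split whitespace-delimited log lines, skipping blanks."""
    return [line.split() for line in text.splitlines() if line.strip()]


def find_beacons(fw_log, min_hits=5, max_jitter=0.05):
    """Return {(src, dst, port): period_seconds} for flows whose gaps between
    connections are nearly constant (std dev / mean <= max_jitter).
    Human browsing is bursty; implants calling home are metronomic."""
    times = defaultdict(list)
    for ts, src, dst, port in parse_lines(fw_log):
        times[(src, dst, port)].append(datetime.fromisoformat(ts))
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[key] = round(mean)
    return beacons


def find_dns_tunnels(dns_log, min_unique=8, min_label_len=10):
    """Return {(client, parent_domain): unique_subdomains} when one client asks
    for at least min_unique distinct first labels of min_label_len or more
    characters under the same parent domain. Ordinary hosts resolve a few short
    names per domain; data encoded into labels produces many long unique ones."""
    seen = defaultdict(set)
    for ts, src, qname in parse_lines(dns_log):
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue
        seen[(src, ".".join(labels[-2:]))].add(labels[0])
    return {
        key: len(subs)
        for key, subs in seen.items()
        if sum(len(s) >= min_label_len for s in subs) >= min_unique
    }


def hosts_to_investigate(fw_log, dns_log):
    """Merge both detectors into {internal_host: [reasons]} for the IR queue."""
    findings = defaultdict(list)
    for (src, dst, port), period in find_beacons(fw_log).items():
        findings[src].append(f"beacon to {dst}:{port} roughly every {period}s")
    for (src, parent), count in find_dns_tunnels(dns_log).items():
        findings[src].append(f"{count} unique long subdomains under {parent}")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in hosts_to_investigate(FIREWALL_LOG, DNS_LOG).items():
        print(host, "->", "; ".join(reasons))
```

Run against the constructed logs, the script flags 10.0.0.23 for its 300-second beacon and 10.0.0.41 for the subdomain burst, while the bursty web traffic from 10.0.0.41 and the short names queried by 10.0.0.23 pass. The point is the workflow: pull timestamps and addresses out of each source, key them by internal host, and hand a single list of hosts with reasons to the incident response process.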
3. Patch and securely configure everything with an IP address
Default configurations and unpatched IT assets not only enable the initial compromise; once an intruder has gained a foothold within an enterprise, poor configuration and patching hygiene gives the attacker easy access to the rest of the organization’s internal assets.
- Aggressively patch and update all operating systems (Windows, Mac, Linux, etc.), third-party applications (Java, Flash, Adobe Reader, etc.) and network devices (switches, routers, firewalls, Wi-Fi, etc.)
- Implement standard and secure configurations across the enterprise, sometimes known as a “Gold Image.”
- Use robust configuration management and change control processes to identify unauthorized modifications to IT assets.
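One way to operationalize the “Gold Image” and change-control points above is to hash the approved configuration once and compare deployed hosts against that manifest. The Python script below is an added example, not code from the original article or from any configuration management product: it builds a SHA-256 manifest of a constructed gold image, diffs a constructed deployed host against it to list modified, added and removed files, and checks a few sshd settings against an assumed policy. The file paths, contents and required settings are all constructed for illustration.

```python
"""Detect drift from a 'gold image': hash every file in the approved tree once,
then compare a deployed host's tree against that manifest to list modified,
added and removed files, and check key settings against policy.

Added example. The directory layout, file contents and required settings are
constructed for illustration; swap in your own baseline and policy.
"""
import hashlib
import os
import tempfile

# Constructed gold image: the approved contents of a few security-relevant files.
GOLD = {
    "etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "etc/sudoers.d/ops": "ops ALL=(ALL) ALL\n",
    "etc/cron.d/backup": "0 2 * * * root /usr/local/bin/backup\n",
}

# Constructed state of a deployed host: one setting weakened, the backup job
# gone, and an unapproved cron job that points into /tmp.
DEPLOYED = {
    "etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",
    "etc/sudoers.d/ops": "ops ALL=(ALL) ALL\n",
    "etc/cron.d/update": "*/5 * * * * root /tmp/.x/update\n",
}

# Settings the gold image mandates (assumed policy).
REQUIRED_SSHD = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}


def build_manifest(root):
    """Map each relative path under root to the SHA-256 of its contents."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Classify every path as modified, added or removed relative to baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def check_settings(config_text, required):
    """Return {key: actual_value} for every required key that is missing or
    wrong. Parses 'Key value' lines, ignoring blanks and comments."""
    actual = {}
    for line in config_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            actual[key] = value.strip()
    return {k: actual.get(k) for k, v in required.items() if actual.get(k) != v}


def write_tree(root, files):
    """Materialise a {relative_path: content} dict on disk under root."""
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def audit(gold_files, deployed_files):
    """Build both manifests in temp dirs and report drift plus policy violations."""
    with tempfile.TemporaryDirectory() as gold_dir, tempfile.TemporaryDirectory() as host_dir:
        write_tree(gold_dir, gold_files)
        write_tree(host_dir, deployed_files)
        drift = diff_manifests(build_manifest(gold_dir), build_manifest(host_dir))
    drift["sshd_violations"] = check_settings(
        deployed_files.get("etc/ssh/sshd_config", ""), REQUIRED_SSHD)
    return drift


if __name__ == "__main__":
    for kind, items in audit(GOLD, DEPLOYED).items():
        print(f"{kind}: {items}")
```

In practice the gold manifest is produced once from the approved image and stored where the hosts being checked cannot alter it; each host then ships its own manifest to a central collector and only the differences are reviewed. A hash diff tells you that something changed, while the settings check tells you whether a change actually weakened the configuration, so both are worth running.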
4. Limit administrator privileges
Much of the malware used to compromise systems relies on the victim having administrative privileges in order to install itself system-wide, disable security tools, or spread to other hosts. Run from a standard user account, an inadvertently clicked payload is confined to what that user can reach, which limits the damage even when it cannot prevent it entirely.
- Do not allow end users to have administrator access to their workstations.
- Do not allow system administrators to log into email or surf the web with administrator accounts.
- Do not allow applications to run with administrator privileges by default; grant elevation only to the specific tasks that need it.
- Force software vendors to explain why their applications require administrator privileges.
5. Implement a robust cybersecurity awareness training program
The majority of successful compromises begin with an employee clicking on a link or attachment in an email, or visiting a malicious site. While it is unrealistic to expect employee training to produce perfect compliance, a modest security awareness training program can bring an organization’s click rate (the share of employees who click on malicious content) down from 30% to 3%.
- Require all employees to take annual security awareness training.
- Baseline your employees’ predisposition to click on malicious emails, the primary vector by which ransomware and other malicious code enter an organization.
- Simulate phishing attacks against your employees on an ongoing basis.
- Track training metrics, such as who completed the training and who didn’t, and see if this correlates to actual click rates during simulated phishing attacks.
- Throughout the year, require employees to take short, on-demand refresher courses as the cyber landscape changes and as clicking metrics dictate.
The above recommendations go a long way toward helping organizations strengthen their security posture. While they do not address every cyber threat, they can put an enterprise on the path to a strong cybersecurity program. What every organization needs to understand is that cybersecurity is not a one-size-fits-all, “set it and forget it” proposition. Instead, it is an important business process that must continually evolve as your company grows and as the cyber threat adapts. Also, SOCAP members can present a united front by requiring commonly used contact center and CRM products to follow cybersecurity best practices.