July 11, 2018
From Fraud to GDPR: How to safeguard your organization from current threats
At our recent Spring Knowledge Forum, I moderated a great discussion with two fellow cybersecurity experts in a panel titled, “From Fraud to GDPR – Safeguarding Your Organization.” Our conversation gave the audience a pointed look into today’s threat landscape, from increasingly sophisticated ransomware exploits to classic but effective attacks like phishing emails. We also talked through what goes into developing a strong security and compliance posture to defend against these threats.
Here are a few key takeaways from our discussion:
Cybersecurity now: growing threats, bigger spend
The panel kicked off with a discussion about general cybersecurity trends, starting with the startling growth of the ransomware epidemic over the last few years. In 2017, ransomware attacks increased globally by 350% and are rapidly growing in both sophistication and scale. These attacks were once limited to a single PC, involving ransom demands under $3,000. Today, ransomware attackers are setting their sights on bigger targets such as large hospital systems, extorting payments in the hundreds of thousands of dollars – and endangering lives by encrypting patient records and locking down vital systems involved in medical diagnostics and care.
We’re also seeing a rise in credit card, e-commerce and healthcare fraud that leverages IT to steal proprietary or personal data. To protect against these attacks, companies are increasing their security budgets, and experts now predict that global spending on cybersecurity products and services will exceed $1 trillion from 2017 to 2021.
The FBI perspective: meeting highly motivated criminals with highly trained agents
Duncan Edwards, a Senior Special Agent assigned to the Federal Bureau of Investigation’s Austin office, said that cases handled by the FBI tend to fall into two categories:
- Financially motivated crime: ransomware and credit card breaches as described above.
- Classified crimes: the ones you don’t hear about on the news. These cases involve the theft and sale of intellectual property data such as defense contractor lists.
To meet these threats, the FBI is providing agents with intensive training in cybersecurity and cyber-related crime, including how to use tools such as social media to track criminal activity. Once agents have that training, however, the agency faces a new challenge: keeping talented agents from being wooed away to work in the private sector for higher salaries.
Cybercrime is also growing fast, and even with new ranks of agents trained in preventing and investigating these attacks, the FBI does not have the resources to take on every case. Some are also too impractical to pursue, such as cases involving overseas actors, those that are too costly to bring to a close, or those that present a low likelihood of successful prosecution.
The AllClear ID vision: thinking “when,” not “if”
Lisa Larson, Vice President of Client Services for AllClear ID, said her company’s clients sometimes gamble on whether the actual spend for IT controls will outweigh the benefits should a breach occur. Companies also tend to spend less based on what they consider to be the probability of a breach occurring. What this kind of aspirational security doesn’t account for is that the return on investment (ROI) of IT security spend generally outweighs the cost of a breach, which can be significant. Responding to a breach can cost up to 4% of revenue – and that figure, impressive enough on its own, doesn’t include the costs associated with damage to brand and reputation, or the costs of losing customers who decide they can no longer trust their data to your organization.
When it comes to today’s rampant security breaches, Lisa said, companies need to be prepared not for “if,” but for “when,” and should invest in putting the right IT processes in place. In particular, most organizations lack a means of communicating to clients in a timely manner when a breach does occur – an ability taking on far greater importance given the GDPR notification requirements that just went into effect (see below for more details). Two additional areas where organizations most need to improve include:
- Providing dedicated cybersecurity resources within IT
- Providing robust internal training across the organization
Lisa said that employees who don’t understand the security landscape are still the most effective vector for attack, because they are the ones most likely to do something like click on a phishing email without recognizing the risk – or the potential consequences.
The panel also noted that financial fraud is another area in which organizations need to batten down the hatches. In these cases, “bad actors” find a way to access corporate data and use it to steal from an organization. For instance, someone could access direct deposit account information for employees and then use it to funnel payments to other accounts, often overseas.
These actors often cover their tracks with masked IP addresses, making it difficult to determine where the transactions originated. Hackers also sell corporate data and personally identifiable information (PII) on the dark web, where those credentials can then be used by someone else to commit crimes such as tax or credit card fraud.
Hearing about the looming threat of a ransomware attack or data breach was probably enough to get our audience’s attention, but our panel provided another for good measure: GDPR compliance, which went into effect on May 25, 2018. The General Data Protection Regulation (GDPR) was designed to protect the privacy and personal data of EU citizens and to give them more control over that data. Yet, while the law was created to regulate EU-based companies, U.S. companies that market products or services online or collect personal data or behavioral information on EU customers may also fall under its purview.
One critical requirement of the law is that companies that have experienced a breach must notify a supervisory authority within 72 hours. This is a very aggressive timeline, as typical breach notifications take 30 to 60 days. This means the breach notification plan needs to be prescriptive, with step-by-step procedures and a detailed contact list that can be followed during the emergency.
Bringing it all together
While wrapping up our conversation, the panel offered a few tips to the audience. First and foremost is to resist the urge to put off taking the steps to secure your organization, even if you think you’re not at high risk. Instead, they stressed the importance of making sure your company has a plan and team in place to deal with a breach, because that probability is growing with each passing year. One of the simplest and most effective things you can do as a part of a strong plan? Use two-factor authentication whenever possible.
How Bridgepoint can help
If you have concerns about your company’s security exposure, contact us! Bridgepoint can help you develop a proactive strategy to protect data, devices and people, minimize risk and ensure compliance. Our cybersecurity and IT experts can work with you to understand, prioritize and manage a secure control environment to safeguard your organization today and prepare for the challenges of tomorrow. Learn more about our cybersecurity advisory services here.