By Steve Lee, Managing Partner of Steve Lee & Associates
www.stevelee.com
October is National Cyber Security Awareness Month and a recently issued IBM X-Force 2009 Mid-Year Trend and Risk Report describes the current Internet climate as "an unprecedented state of Web insecurity as Web client, server and content threats converge to create an untenable risk landscape." However, despite these findings, the Internet will remain a vital channel for most businesses. So, how can you help create a safer and more secure online environment for your business and its customers?
With the expertise of Stan Stahl, CEO of Citadel Information Security (www.citadel-information.com), Steve Lee & Associates has worked with businesses to help mitigate, investigate and prosecute cyber crime.
Selected trends in online theft: These days, online banking hacks are the cornerstone of cyber theft committed against small and medium-sized businesses. Cybercriminals target businesses’ bank accounts and have focused their efforts on pilfering money from company demand-deposit accounts. McAfee, a leading security-software company, estimates that in 2008, companies around the world lost more than $1 trillion to cybercrime.
Email phishing scams have become highly targeted as well. The attacks are delivered against users by name and can appear deceptively familiar and credible because they may include portions of the user’s password.
Trojans are delivered to unsuspecting small, middle-sized and large organizations through email purportedly from social or business networking sites and even from the IRS. One click and the hackers can access company bank accounts and use money mules to quickly siphon significant amounts of money out of the company’s account.
It’s important to remember that these cyber crooks, also known as ‘black hats’, have the technological upper hand. Malware development has accelerated far beyond anti-virus and patch development. By the time ameliorative patches are available to detect or pre-empt the malware, hackers have deployed Trojans, viruses, worms, rootkits and spyware that may be several generations beyond the latest published fix. (NOTE: for more information on malware development, see Brian Krebs’ Washington Post column “Security Fix” at http://voices.washingtonpost.com/securityfix/)
Think your business’ bank account is protected by “second-factor authentication”? Well, think again. While second-factor authentication is touted by banks as a truly secure solution, it is not. Unfortunately, the awful truth is that no widely utilized online banking solution can guarantee 100% security. Multi-factor authentication is only slightly more robust than single-factor (i.e., user name and password) authentication. Even so, there are ways to help keep your money as safe as possible. Consider the following steps.
To maintain a safer computer infrastructure, your company’s management must consistently address cyber theft by implementing and continuously improving controls and processes:
1. Use a dedicated PC for online banking that is not used for any other transactions. If this sounds like a nuisance, just consider the inconvenience of losing hundreds of thousands or millions of dollars and then having to bring suit against your bank in an effort to recover your money. Remember, the bank will maintain that it is utilizing reasonable security practices. And by current standards, it may be right. The onus will be on your business to prove your case.
2. Make a plan for breach disclosure. Most states, in addition to the District of Columbia, have laws governing "breach disclosure." You may be required to notify consumers if you have reason to believe that there has been a compromise of private consumer information. Insurance industry reports suggest that "breach notification costs" exceed $200 for every person that has to be notified.
3. Explore obtaining breach notification insurance as well as cyber insurance.
4. Establish usage rules covering administrative privileges, subnet access, download permissions and acceptable applications. Invest in monitoring systems and enforce the rules.
Once a company protocol is mandated, these procedures must be communicated to employees. Employees need regular, albeit brief, training to help them recognize the red flags of cyber crime. In addition, regular upkeep and modernization of your security infrastructure is critical to preventing cyber theft:
1. Stay current with patches. That means Flash, Adobe, Java and other programs on your company’s computers in addition to Windows patches.
2. Invest in intrusion detection and intrusion prevention solutions. Don’t be penny wise and dollar foolish; a managed service may be your best bet. Yes, they cost more than off-the-shelf anti-virus programs. You can be certain that you will never get more value out of software or a service than what you paid! Think about that the next time you decide to use freeware (also known as “unsupportedware”).
3. Review your banking transactions frequently.
4. All social networking sites must be isolated from the corporate computing environment. They belong on your employees’ and your own home machines, or on a dedicated machine at your office that is off your corporate network.
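Reviewing banking transactions "frequently" is easier to keep up with when the routine part is automated. The script below is an added example, not code from the original post or from Steve Lee & Associates or Citadel Information Security. It assumes a simple date,payee,amount export from the bank's online portal (the sample lines are constructed) and a list of payees the business already knows. It flags the patterns the post describes: transfers to payees never seen before, large amounts, activity outside business hours, and the burst of several sub-$5,000 transfers to new payees within minutes that is typical of money-mule drains. The flags are for a person to review, not an automatic block; a legitimate payroll run will trip the large-amount rule and should.

```python
"""Flag suspicious outbound bank transactions from a statement export.

Added example for this post (not the authors' code). Assumes each line of
the export is "YYYY-MM-DD HH:MM,payee,amount"; the records below are
constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample export: two routine payments, then four transfers to
# unfamiliar individuals in the middle of the night, each just under $5,000.
SAMPLE_STATEMENT = """\
2009-10-19 09:12,ACME Office Supply,412.50
2009-10-19 14:03,Payroll Services Inc,18250.00
2009-10-20 02:41,J. Doe,4950.00
2009-10-20 02:44,M. Smith,4900.00
2009-10-20 02:47,R. Lopez,4975.00
2009-10-20 02:51,A. Chen,4990.00
2009-10-21 10:30,ACME Office Supply,98.20
"""

# Payees the business has paid before (maintained by the bookkeeper).
KNOWN_PAYEES = {"ACME Office Supply", "Payroll Services Inc"}


def parse_statement(text):
    """Turn the export into a list of dicts with parsed timestamps and amounts."""
    rows = []
    for line in text.strip().splitlines():
        when, payee, amount = line.split(",")
        rows.append({
            "when": datetime.strptime(when, "%Y-%m-%d %H:%M"),
            "payee": payee.strip(),
            "amount": float(amount),
        })
    return rows


def flag_transactions(rows, known_payees, large_threshold=10000.0,
                      burst_window=timedelta(minutes=15), burst_count=3,
                      business_hours=(8, 18)):
    """Return (timestamp, payee, amount, reasons) for every row needing review.

    Rules: unknown payee; amount at or above large_threshold; timestamp
    outside business_hours; and a burst of burst_count or more transfers to
    unknown payees within burst_window (the money-mule pattern).
    """
    rows = sorted(rows, key=lambda r: r["when"])
    flags = []
    for i, row in enumerate(rows):
        reasons = []
        if row["payee"] not in known_payees:
            reasons.append("new payee")
        if row["amount"] >= large_threshold:
            reasons.append("large amount")
        if not business_hours[0] <= row["when"].hour < business_hours[1]:
            reasons.append("outside business hours")
        # Count transfers to unknown payees in the window ending at this row.
        recent_new = [r for r in rows[:i + 1]
                      if row["when"] - r["when"] <= burst_window
                      and r["payee"] not in known_payees]
        if len(recent_new) >= burst_count:
            reasons.append("burst of transfers to new payees")
        if reasons:
            flags.append((row["when"].isoformat(), row["payee"],
                          row["amount"], reasons))
    return flags


if __name__ == "__main__":
    for when, payee, amount, reasons in flag_transactions(
            parse_statement(SAMPLE_STATEMENT), KNOWN_PAYEES):
        print(f"{when}  {payee:<22} {amount:>10.2f}  {', '.join(reasons)}")
```

Run it against a real export and you get a short list to reconcile against what accounting actually authorized; the rules and thresholds are assumptions to tune for your own payment patterns.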
Be mindful of Stan Stahl’s cyber security dictum: “Trust no one.”
Thursday, October 22, 2009