“There are no more excuses. We’re all aware of internet-based threats and have a responsibility to protect our corporate data as well as the data of our customers.” That's according to Robert Herjavec, star of "The Shark Tank" and one of the country's most well-known entrepreneurs. He's also the founder and CEO of the Herjavec Group, an internationally recognized cybersecurity firm.
Herjavec's advice is as timely as it is crucial: This may be cybersecurity's most sensational year to date. Last year brought government hacks, state-sponsored ransomware, corporate cover-ups and ransoms paid. But the industry's response is far from apparent, with few concrete solutions to these very real problems. Business owners in 2018 are justified in feeling anxious about their companies' vulnerabilities. Still, many organizational leaders remain ignorant of how exposed they are to digital attacks -- until those attacks take place. Even worse are those who are aware of weaknesses but don't take appropriate action.
"Be knowledgeable of what assets you’ve kept online, know if it’s on the cloud or only on your computer's/company’s network, and get rid of assets that are not utilized," Herjavec says. "Always keep cyber hygiene top of mind -- keep up with password etiquette, delete old accounts, and make sure that when you conduct financial transactions, you use a secure network.”
Related: No One Is Safe From the Data Breach Epidemic
New currencies, new vulnerabilities.
There is a sense that cybersecurity -- especially with the advent of cryptocurrency -- is so complicated that institutions are powerless to protect their customers' data. In reality, the past year's breaches follow some very distinct trends.
“We’re still seeing ransomware and malware exploit unpatched networks," Robert Herjavec says. "Cryptocurrency 'mining bots' are the new thing, and we’re seeing that expressed with web-server compromise, browser hijacking and even web ads that are co-opting your-processor-to-mine (cryptocurrency) coins. We are also seeing a resurgence in banking Trojans. Everyone should be using two-factor authentication wherever possible and using unique and frequently changing passwords everywhere else. We can expect phishing attacks to become more sophisticated as well.”
With these trends in focus, organizational vulnerabilities can be broken down to a few key challenges. First, leaders must identify recurring and common points of failure. Certain aspects of the data pipeline are crucial to operations and across organizations, and the same weak points exist in each. The silver lining: A common trend in security breaches across industries means many people also are developing solutions to help companies in their field operate very securely.
Cyber hygiene is key.
Email is core to nearly every organization's internal and external functions. Both types, however, pose a security threat. Due to its volume and key role, email has become the weapon of choice for hackers. Symantec’s Internet Security Threat Report 2017 reported that one in every 131 emails contains malware -- and that's only one kind of attack associated with email use. Spoofs are even more common. These fraudulent messages fool employees into believing the hacker is a colleague who needs access to proprietary or sensitive information. In a high-profile spoof last year, a hacker tricked the White House's cyberscurity officer into disclosing his own private email address.
Business owners can help raise awareness of these scams and encourage healthy skepticism by proactively training their employees on cybersecurity etiquette. “You have to educate your employees about security risks and employ some basic technologies to try to prevent ransomware and phishing attacks," Herjavec says. "Don’t open a suspicious email when the subject or sender doesn’t make sense in terms of your role. Hover over URLs before you click on them to ensure the destination is what is truly presented. Never download attachments without validating the source or its content. It’s important businesses also control the use of cloud storage providers and limit data exfiltration within their corporate environments."
Related: The Biggest Threats in Your Inbox
Every IT leader should be thinking authentication solutions. For example, organizations can implement DMARC authentication to verify all incoming emails are, in fact, from the purported sender. Additionally, companies can purchase email-security applications from vendors that specialize in authentication for enterprises. Businesses also can hedge their expsoure by incorporating other forms of communication. Internal-messaging services often are more secure than email and allow for quick verification of any suspicious content -- without requiring users to reply to a fraudulent message.
Information storage: a necessary risk.
Information storage is both a necessity and a huge weakness. Most organizations need to house massive amounts of data to comply with privacy regulations, enable daily tasks and facilitate business analyses. Computing has moved largely into the cloud. Keeping data stored in one place, with only one point of failure, no longer is commonplace.
However, fraudsters evolve just as quickly as the technology changes. In 2016, Uber leaked data from 57 million of its users and drivers when hackers discovered that Uber developers had published their usernames and private-access keys on Github. This allowed access to Uber's Amazon Web Services-based datastores. Uber reportedly paid the hackers a ransom of $100,000 to keep the leak under wraps.
Herjavec strongly suggests that businesses limit access to cloud storage outside the corporate network and ensure their employees understand the basics of "cyber hygiene." This includes how to create complex passwords and rotate them. "Also, it’s important to have a schedule for inventory analysis across the corp network -- knowing what devices are connected, who is using a personal device versus corporate device, etc.," Herjavec says. "Understanding what the endpoints are at play will ensure that you understand the scope of the risk and what you have control over.”
Protect data in motion.
Not all data moves within an organization. Static and transmitted information require different protocols.
“Encrypt data at rest," says Siobhan McNamara, a published researcher and data scientist in the American and European cybersecurity sectors. "Data that is stored and is stationary can be stored and encrypted without breaking the bank. Data storage platforms will offer security measures for data at rest. Be sure to incorporate this into your data plan.”
Data that flows is more complex and costly to lock down. "Therefore, data that moves between hosts and storage systems and is replicated on various platforms requires a separate security approach. This will depend on the data needs of an organization in question," says McNara, who is part of the engineering team at Agari. She and her colleagues are designing systems to protect email from malicious messages and phishing attacks.
"Storage solutions may encrypt data at the network level, in networking equipment, at the application level, in the database or at the data-set or operating-system level," McNara says. "Talk to the experts managing your storage solution and explain your data environment. They will create the best security solution depending on how your data moves."
Establish safeguards and oversight.
Oftentimes, it is simply poor data-management that poses the greatest risk. Organizational error can lead to enormous breaches and be every bit as costly as intentional cybercrime.
Saks Fifth Avenue accidentally leaked sensitive data of tens of thousands of customers via a link on its website.
Equifax, the credit bureau that centrally stores personal data, recently was targeted in a hack that leaked the Social Security numbers, birthdays and credit card numbers of more than 145 million Americans. As the story unfolded, it came to light that Equifax executives were aware their infrastructure left the door open to cyber attacks. Yet for months before the breach, they failed to implement an available patch for their version of Apache Struts software.
In June 2017, a marketing company working for the Republican National Committee leaked the sensitive data of 60 percent of the U.S. voting population. Deep Root Analytics accidentally stored the information on a publicly available Amazon Web Services cloud server. This included approximately 200 million American citizens’ home addresses, birthdates and phone numbers -- as well as political views and analyses. Political groups use these analyses to predict where individual voters fall on controversial issues such as gun ownership, stem-cell research and reproductive rights.
- Earlier this year, the Swedish Transport Agency (STA) released sensitive information on the country's military units and witness-relocation program. The STA had contracted IBM to manage its databases and networks. However, the STA mistakenly uploaded IBM's entire database to cloud servers and then emailed the data to marketers in clear text format.
Clearly, each of the above examples represents a data-governance issue. Occasional mistakes are bound to happen, but the sheer scale of these breaches points to pure data negligence. Predictably, these companies and agencies had to deal with public fallout over the lack of respect for data-handling.
Focus on what you do best. Hire an expert for the rest.
Data security is a highly specialized field and one that's pertinent to every organization.
“I always advocate for doing what you do best and trusting experts to support you in your areas where you are not as strong," Herjavec says. "In most cases, you’re running a business -- not ensuring security. So you’ll need to balance some investment in technology with some basic principles in policy to get started. You don’t need to outsource your entire infrastructure right off the bat, but I recommend getting feedback from an expert and evaluating outsourced IT solutions to alleviate the pressure and risk. Your job as a business owner is ensuring that security is top of mind, that you make your team aware of the risks and that you’re controlling the cyber hygiene policies within your scope of responsibility.”
Give your organization’s data the respect it requires. Trained specialists create the architecture for data pipelines and generate succinct data-governance procedures. This places accountability in one central place and keeps details from falling through the cracks. An effective data-storage strategy will promote security awareness. It also encourage employees and users to consider best practices from technological and process perspectives.
The first step is deciding whether your business will best be served by hiring in-house staff or contracting with a independent consulting firm. In either case, look for experts with a proven track record.
THE FOLLOWING QUOTE (an entire paragraph) NEEDS ATTRIBUTION FROM THE AUTHOR: DOUBLE-CHECK THIS IS HERJAVIC and not McNAMARA.
“We’ve grown from three people doing $400,00 in sales a year to roughly 300 people doing $200 million in sales a year. We have done so well because of our wide expertise in multiple technologies, our team approach to cyber services (including consulting, identity and managed security services) and our ability to find flexible, customizable solutions to meet our customer’s needs in the enterprise space. It’s been a wild ride over the last 15 years, but we’re now operating across the U.S., U.K. and Canada. We love what we do and we’re laser-focused on cybersecurity. This niche is incredibly challenging as the technologies evolve so quickly and threats are always emerging -- but when you love what you do and you love the industry, you’re able to attract an incredible team of people. I’m very lucky.”
While there's no way to become 100 percent secure, organizations can take clear action to drastically decrease their vulnerability. Each requires some upfront investment, but it's much cheaper to abate the risk than it is to clean up after a breach.
Employing experts and developing a structure around data governance is the first step. Investing in storage platforms with dynamic security options and requiring email authentication will patch all the weak points.
In the end, the tools for solid security are within reach. And the time to build awareness is now.