Cyber awareness: Is your information secure?
When Russia invaded Ukraine in February (the largest land invasion since World War II), businesses took notice. Brands and organizations of all sizes have taken a clear and immediate position against the invasion, including Starbucks, IKEA, and Samsung. These companies understand that this stand is not only important for human rights, but also for business security. The Russian invasion was not just on land, but in the Metaverse. In the past few months alone, hackers have attacked energy grids, infiltrating networks and breaching business security systems. This threat, combined with a remote workforce, is the reason why businesses are learning the crucial importance of online security and becoming NIST compliant. Randy and Andrew are two professionals who protect business information for a living. Sitting down in a secure location, we discussed online security in today’s day and age.
What is information security and why is it so essential for businesses today?
Information security means applying the right policies, procedures and training—plus the logical and physical security—for the information you want to protect. In general, the more security you implement, the more expensive it becomes. So you need to consider what you're protecting and what regulations are involved. And you'll need to meet the minimum requirements for those regulations to strike a balance between how much security your organization can reasonably afford with how much risk it can tolerate.
What are your main concerns revolving around cyber security given the recent invasion in Ukraine?
There is cause for concern with the situation in Ukraine. We have not yet seen a major attack on our infrastructure [within the United States] that many were initially worried about, but that is no reason to lower our shields. Businesses should take a good look at the CISA Shields Up initiative: https://www.cisa.gov/shields-up and take advantage of the completely free cybersecurity services that they offer.
What are the biggest cybersecurity threats right now?
Anything remotely accessible is at risk. And much of our vital infrastructure is in some way connected to a network. The fallout from the recent weather-related damage to the Texas power grid gives us an idea of how bad infrastructure failure can get—and how quickly. Incidents like the Colonial Pipeline hack that caused gas panic-buying should be concerning. Ransomware put on the systems that control our public utilities could potentially cost a lot of money and, even worse, a lot of time.
Socially engineered attacks are a big cause of concern, especially with COVID-19 dispersing the workforce. Employees are no longer within the secure corporate perimeter. Instead, they're working from everywhere using VPN, cloud services and SaaS. If someone gets tricked into providing their credentials through email or social media, that could be a big problem for a company. Hackers can use those credentials to access corporate systems and steal data, request wire transfers, or deploy ransomware or other phishing scams.
What are compliance obligations?
Compliance obligations are the legal regulations an organization must comply with to avoid fines and reduce legal or financial liability. They're dictated by the industry or location your organization operates in—and in our case, the industries or locations our clients operate in—as well as what types of data are handled. An organization might need to comply with numerous regulations. Handle credit card transactions? PCI compliance. Personal medical information? HIPAA compliance. Personal data for California residents? CCPA compliance. Personal information for New York residents? NY Shield Act. For us at Dixon Schwabl, the marketing communications industry doesn't have specific regulations, but some of the data we handle does. We take this very seriously and have chosen to comply with the NIST CSF framework and NY Shield. We're also working toward other compliances to make sure we're covered for the data we intend to handle.
What is the minimum level of cybersecurity a company should have?
Again, this will be determined by industry, location and data regulations. An organization needs to consider which data types it's protecting and meet regulation requirements. You’ll also need to determine how much risk your organization can tolerate from a legal, financial and reputational standpoint. This will help weigh how much security you can afford to implement. We've chosen the NIST CSF framework as our base and are layering other regulatory compliance requirements on top of it.
What are the consequences of not having adequate cyber security measures in place?
Even a small breach of a company’s systems can easily cost tens of thousands of dollars and balloon to millions depending on the amount and type of data stolen, the systems compromised, the number of customers affected and the regulation(s) involved. Reputation is another important factor. If you handle data on behalf of clients, you're trusted to protect it. A breach of a client’s data will damage their reputation and yours—and can lead to other clients withdrawing their business from your organization.
Which industries are most at risk for cyber-attacks and why?
It likely comes down to whichever industries have the largest target on them. Security problems almost always get patched after an exploit is being actively used by hackers, not before. That means whoever is attacked with a new strategy first is usually the most vulnerable. To help prevent people from using new exploits maliciously, large tech companies will often have “bug bounties” that incentivize people to report exploits instead of selling them on the dark web to the highest bidder. That said, every industry should be well-prepared for cyber-attacks no matter how small. Hackers will often prioritize the number of targets they can reach instead of the "quality" of those targets. For hackers, many attempts to breach a single target are often less valuable and productive than one attempt against many targets.
How does a business know if it's under cyber-attack? What are the early warning signs?
Hackers in general try not to call attention to themselves. But there can be signs depending on the type of attack. For instance, your antivirus software might go crazy or you might notice file name changes during a ransomware attack. You could see phishing emails coming from a legitimate company email account. Your workstation might act funny or do strange things if someone is actively remote controlling it. Or if you have log monitoring, the software could alert you to unusual system behavior. Hackers have many avenues of attack and system behavior will vary.
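One concrete form of the "file name changes" and log-monitoring signs mentioned above, as an added example that is not code from the interview or from Dixon Schwabl: it scans file-rename events in a constructed, assumed audit-log format and alerts when one process renames many files to the same new extension within a short window, which is what bulk ransomware encryption tends to look like.

```python
# Added example (not from the interview): heuristic detector for a burst of
# file renames to one new extension by a single process, a common ransomware
# footprint in file-system audit logs. The log format below is an assumption.
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Constructed sample log lines (assumed format):
# "<ISO timestamp> RENAME proc=<name> old=<path> new=<path>"
SAMPLE_LOG = """\
2022-03-01T09:00:01 RENAME proc=explorer.exe old=/share/q1.docx new=/share/q1-final.docx
2022-03-01T09:12:10 RENAME proc=svchost.exe old=/share/a.xlsx new=/share/a.xlsx.locked
2022-03-01T09:12:11 RENAME proc=svchost.exe old=/share/b.docx new=/share/b.docx.locked
2022-03-01T09:12:11 RENAME proc=svchost.exe old=/share/c.pdf new=/share/c.pdf.locked
2022-03-01T09:12:12 RENAME proc=svchost.exe old=/share/d.pptx new=/share/d.pptx.locked
2022-03-01T09:12:13 RENAME proc=svchost.exe old=/share/e.txt new=/share/e.txt.locked
2022-03-01T10:30:00 RENAME proc=explorer.exe old=/share/notes.txt new=/share/notes-old.txt
"""

def parse_line(line):
    """Parse one rename line into (timestamp, process name, new file extension)."""
    ts, _kind, proc, _old, new = line.split()
    process = proc.split("=", 1)[1]
    new_path = new.split("=", 1)[1]
    return datetime.fromisoformat(ts), process, PurePosixPath(new_path).suffix

def find_rename_bursts(log_text, window_seconds=60, threshold=5):
    """Return one alert per (process, extension) pair that renamed at least
    `threshold` files inside any sliding window of `window_seconds` seconds."""
    events = defaultdict(list)  # (process, extension) -> timestamps
    for line in log_text.splitlines():
        if " RENAME " in line:
            ts, process, ext = parse_line(line)
            events[(process, ext)].append(ts)
    alerts = []
    window = timedelta(seconds=window_seconds)
    for (process, ext), stamps in events.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide window start forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"process": process, "extension": ext,
                               "count": end - start + 1, "first_seen": stamps[start]})
                break  # one alert per process/extension pair is enough
    return alerts
```

Normal user activity (the two explorer.exe renames) stays below the threshold, while the five svchost.exe renames to .locked within four seconds raise a single alert.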
Businesses store data on-site or in the cloud. What are the pros and cons of each storage option in terms of cyber security?
This is an excellent question that all companies should take into consideration. Typically, a company that stores crucial data on-site will also have an off-site or cloud-based backup. That often means that even on-site data can be subject to the same or similar security flaws as fully cloud-based solutions. The advantage of cloud storage is that generally datacenters would have greater cyber security resources than an office server closet, but that's offset by the greater likelihood that an individual’s cloud account could be hacked and their data downloaded.
Cloud services tend to have a bigger target painted on their backs, with many companies storing their information in one system. That same structure also allows those companies to share the cost of an increased security level through a cloud service provider. On the other hand, a small company storing data “on prem” could have a smaller data footprint and a smaller target on their back. But the small company might not have the security resources the cloud service provider can afford. So it’s a tradeoff. I think most companies take a “don’t put all your eggs in one basket” approach. If you have the data spread across different systems, it's less likely hackers can compromise all of it.
Is there a greater risk of cybersecurity threats in a marketing firm because they house multiple sets of business information for their clients?
Marketing firms aren't necessarily any more at risk than other industries that deal with sensitive data, but we certainly do have a lot of responsibility on our shoulders. When a company is researching marketing firms, their cybersecurity and data-handling policies should absolutely be accounted for in the final decision, and so should their cyber insurance policy.
How has COVID changed the landscape for cybersecurity?
Way back when we had everyone in the office, nobody had to make a call to ask a coworker “Hey, did you send me this email?” or “Does this look right to you?” Phishing scams have been on the rise, and it's important to check with your IT department if you have any suspicion at all about an email or attachment in your inbox. Remote work for most companies was occasional, but for many it has become the everyday. No longer are your IT professionals just concerned about the office network and robust enterprise firewalls. Now they're concerned about the network at each employee’s home, the coffee shop they might work at, the hotel they stay at and the cell phone hotspot they're working with on the go.
Looking ahead to the next five years, what do you see as being most concerning in cyber security?
Internet of Things (IoT) smart devices come to mind immediately. This includes smart speakers, smart power outlets, smart lights, smart garage door openers and anything else that connects to your home internet. Big names in tech like Google and Amazon typically stop updating devices and patching security flaws just a few years after release, but what about the off-brand smart outlets you got for $10 on Amazon? Those products can be riddled with security flaws, don’t often receive updates, and can serve as an entry point for attackers to breach your home network and compromise other devices. Computers and phones receive security updates quite frequently and hackers still find exploits in their software. These devices already pose a risk, but the older they get and the more of them in circulation, the more incentive there will be to find and exploit flaws. These devices should probably be replaced at least as often as you replace your wireless router: every 2-4 years. That’s a lot of e-waste!
With cyber threats coming in at all angles, it's essential to listen to security professionals now more than ever. Security is one of those subjects that makes almost everyone tense. The word alone is emotional. Whether it's financial, personal or physical security, the peace of mind that comes with feeling secure is a result of information. If you know your information is secure, you're secure. It might be stating the obvious, but in the Information Age, information truly is everything.
Randy is DS+CO's director of IT.