Frantically searching through his belongings, he realizes he has been compromised. The blood drains from his face as he looks around the room in a state of panic. Silence! His heart skips a beat. They had stolen everything. Like ghosts, the perpetrators had been lurking in the shadows, undetected by the best security team around. “How long had they been there, watching my every move?” he thought as the sweat dripped from his chin. “How could this have happened?” It was too late, and now he had to tell his boss.
Like the victim in our story, an increasing number of executives and managers are faced with the reality of security breaches of their crown jewels.
According to Phil Ferraro, author, speaker and nationally recognized Chief Information Security Officer (CISO), these ghosts or cyber attackers are “targeting companies both large and small across all industries.”
The financial repercussions of a breach can wipe out a company. Some recent highly publicized losses due to cyber-attacks:
• Nortel Networks: forced into bankruptcy, stock fell from $124 to $0.39
• Home Depot: $250m direct costs after malware compromised credit card information.
• Anthem: over 80,000,000 names, birth dates, addresses and other records exposed; losses exceeding $100m.
• eBay: 15% reduction in users, reducing revenue by more than $200m. See the World’s Biggest Data Breaches, a very useful visualization of how breaches occur.
In Phil’s forthcoming book, Cyber Security: What Every Executive Needs to Know, he shares his many years of experience on how to prepare and respond to cyber-attacks. He provides simple, yet insightful steps to develop a strategy, assess the threats and risks, protect the business and what to do when the damage has been done.
The first step in preventing cyber breaches requires an enterprise approach, with business and IT working together. Addressing the majority of cyber-attacks does not take an army of consultants or IT specialists, unless you wait until it is too late. Most breaches could be avoided by prioritizing cyber-security, enhancing procedures, educating users, and instilling a vigilant culture. For example, approximately 90% of breaches occur as a result of gaps in user access and controls.
Hackers are patient, diligent and motivated. They gain access in very creative ways: a worm attached to an email from a trusted business partner, or a foothold gained when an employee uses a mobile device on a public network at the coffee shop or airport. Their intent varies from the curious to the malicious and destructive.
Once inside, they hang out for days, weeks and months, slowly building access to systems, applications and data. In the 2014 Verizon Cyber Data survey, the average hacker was inside a company for 229 days before being detected, down from 243 in 2012. Most companies are reluctant to provide accurate information on this issue because of the repercussions, so the actual number is probably higher.
In 2014, the Las Vegas Sands Casino in Bethlehem, PA was attacked by a cyber terrorist. The motive was political and the intent was malicious. Fortunately for the Sands the attack was thwarted in about 4 days, but the damage was done.
The break-in occurred when state-sponsored terrorists from Iran hacked through a misconfigured web server. They then used password-cracking tools to break the passwords of administrative users. Once those users were compromised, they escalated their privileges and commenced their sabotage.
Fortunately, no gaming systems were touched. It took about 6 months to completely mitigate, cleanse, repair and protect the systems and networks, at a cost of between $40 million and $50 million. And it all could have been avoided. Had the company’s leadership invested in a comprehensive cyber security program just a year earlier, the people, processes and technologies would have been in place to prevent this breach. The key takeaway for you is that you must act immediately. Do not wait.
Procedures around user access and controls could have limited the damage at the Sands and at many of the other companies compromised in past years. Performing a review of enterprise user access is a good place to start. Administrative users, the roles that perform much of a company’s maintenance and routine tasks, are a favorite target of hackers. In the SAP GRC application, reviewing these IDs is a good first step in the audit.
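To make the user-access review concrete, here is an added example (not code from the post, the book, or SAP) that runs three common review checks over a constructed user/role export: who holds administrative roles, which unlocked administrative accounts have not logged on for a long time, and who holds a segregation-of-duties (SoD) role conflict. The export format, the role names and the conflict pair are all assumed for illustration; a real review would take the equivalent listing from SAP GRC.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export (not SAP's real format): user, assigned role,
# last logon date, lock status. One line per user/role assignment.
SAMPLE_EXPORT = """\
user_id,role,last_logon,locked
jdoe,SAP_ALL,2015-01-03,no
jdoe,FI_POST_INVOICE,2015-01-03,no
msmith,FI_APPROVE_INVOICE,2015-01-02,no
msmith,FI_POST_INVOICE,2015-01-02,no
svc_batch,SAP_ALL,2014-03-10,no
oldadmin,BASIS_ADMIN,2013-11-20,yes
"""

# Assumed role names that grant administrative reach (high-risk in a review).
ADMIN_ROLES = {"SAP_ALL", "BASIS_ADMIN"}
# Assumed SoD rule: one person should not both post and approve invoices.
SOD_CONFLICTS = {frozenset({"FI_POST_INVOICE", "FI_APPROVE_INVOICE"})}

def load_export(text):
    """Group the export by user: roles held, last logon, lock status."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        u = users.setdefault(row["user_id"], {"roles": set()})
        u["roles"].add(row["role"])
        u["locked"] = row["locked"] == "yes"
        u["last_logon"] = datetime.strptime(row["last_logon"], "%Y-%m-%d").date()
    return users

def review_access(text, today, dormant_days=90):
    """Return (user, finding, detail) tuples for the three review checks."""
    findings = []
    for uid, u in sorted(load_export(text).items()):
        admin = u["roles"] & ADMIN_ROLES
        if admin:
            findings.append((uid, "admin_role", ",".join(sorted(admin))))
            # An unlocked admin account nobody uses is an attacker's ideal foothold.
            if not u["locked"] and (today - u["last_logon"]).days > dormant_days:
                findings.append((uid, "dormant_admin", str(u["last_logon"])))
        for pair in SOD_CONFLICTS:
            if pair <= u["roles"]:
                findings.append((uid, "sod_conflict", ",".join(sorted(pair))))
    return findings

def sample_findings():
    """Run the review over the constructed export as of a fixed date."""
    return review_access(SAMPLE_EXPORT, date(2015, 1, 5))

if __name__ == "__main__":
    for finding in sample_findings():
        print(*finding)
```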
Most breaches exploit ‘low difficulty to breach’ weaknesses in processes and procedures. They can be prevented before they happen by following best practices, switching authentication schemes or bolstering security controls. In Phil’s book, he shares what is essential to put together a strategy, execute it, socialize it, and what to do if something does happen. He adds his experience and insight on how common problems, human error and faulty processes are addressed and avoided.
If you are interested in an analysis of your user access and controls by our GRC and Security Advisory Services, let us know. If you are interested in a free copy of Phil’s book, please let me know. We have a limited number of books available on a first-request basis, and I would be happy to send a copy to you. Contact Kent Lamb at 972-377-3525 or email me at email@example.com. You can also contact your Titan Sales Director.