February 20, 2015

Better Cyber Safe Than Sorry

Better Cyber Safe Than Sorry

Remember when we used to conduct business by fax and telephone? And make bank deposits by filling out a paper slip and handing it to a teller at the counter? Those days are pretty much ancient history, of course, and for all of the progress we’ve made since Al Gore invented the Internet (smile), that progress comes at a cost, as the saying goes. The cost of the convenience, speed and efficiency that our digital lifestyle gives us is the real or potential exposure we all subject ourselves to by transacting so much of our business and personal lives online.

Just consider that large-scale data breaches have practically become a way of life. A couple of years ago, the average person probably had no idea what a data breach was or why it was potentially significant to them. Now, it’s not even shocking any more when we hear that major companies like JP Morgan Chase and Anthem Blue Cross Blue Shield have become victims, and that sensitive customer data has been compromised. In both of those cases, the personal data of about 80 million customers were exposed.

On Monday this week, a Russian cybersecurity firm called Kaspersky Lab confirmed a malware attack that involved more than 100 banks in 30 countries and is estimated to have cost clients somewhere between $300 million and $900 million. And I’m sure that’s just the tip of the iceberg.

Here in the U.S., President Obama recently announced that he is creating a new federal agency to combat the problem, called the Cyber Threat Intelligence Integration Center. Whether or not a government-funded program can be effective in implementing a solution, it certainly underscores that businesses and individuals can’t go it alone. A coordinated national effort is needed.

If organizations with the sophistication and budget of JP Morgan and Anthem are vulnerable to attack, just imagine how easy it is to compromise the systems of smaller and less well-funded companies. Marcum doesn’t have to imagine it. We know firsthand, because our National Technology Assurance Services practice is one of the fastest growing groups at our firm. I asked Heather Bearfield, the Principal who leads this practice, for her thoughts on data breaches and the implications for businesses and individuals. If what she says gives you pause, it should. Heather’s message hits home with me: the onus is ours. Better to be safe than sorry.

There are three types of companies: those that have been breached, those that are unaware they have been breached, and those that eventually will be breached. This is an unfortunate reality. The imperative to implement security controls and to assess and reassess them is now standard operating procedure. Companies are finding that the investment in prevention pales in comparison to the potential costs that can be associated with remediating a breach. Those costs can include extensive legal fees as well as fees and penalties at the state and regulatory levels.

Even the best designed system is only as secure as its compliance protocol. You would be surprised by the violations we routinely observe when we do a compliance test for a client, ranging from post-it notes with passwords casually pasted to computer monitors, to screens left active when employees leave their work stations, to personal business conducted on company laptops. The merging of social media with business networking creates a whole other set of opportunities for corruption.

In the wake of Anthem, Inc.’s recent breach, there are many questions and concerns left unanswered. The damage done has yet to be assessed completely, and the implications of the breach are waiting to be realized. Similar to the JP Morgan breach, credit card information was not compromised; however many critical pieces of customer data were, including email addresses, social security numbers, income information, and other confidential data.

First and foremost, it is important to recognize that these types of information are critical to social engineering attacks. Emails can be masked to appear as though they originate from a familiar source, instructing end users to click a seemingly innocent link to register for credit monitoring or something similar. The link releases malicious code into the user’s environment. This is a common type of attack, oftentimes occurring around major news events when people are information-hungry and more receptive to clicking through. It’s low hanging fruit for phishers because most of us don’t take the time to validate links. It’s easier to just click.

Think about what lives in our inboxes. Bank notifications, for instance. In the case of Anthem, victims were able to be targeted by income level. Since the attackers had access to customer email addresses, they could infiltrate inboxes and locate messages from banks containing links to personal accounts. All they needed was a password. Do they just activate the “Forgot Password” option to trigger a verification email to the same address that they can then intercept? Or do they ask for answers to security questions? How many of us take the time to make sure our answers to security questions are challenging and not readily accessible? What was your college mascot? Well, I’m sure your college is listed in your LinkedIn profile, so that answer is not so difficult to find. What is your mother’s maiden name? Are you connected to her on Facebook? If so, there is answer number 2. Have you conducted a mobile banking transaction recently? Did you shop online? Did you complete a website form? We take for granted the easy access we unwittingly grant to those with nefarious intent, and this is where the vulnerabilities lie. Right on the surface.

When we are notified about a breach, what do we do? Moan and complain for a while and monitor our account statements until we receive a replacement card in the mail. Few of us truly change our online behavior – except in the case of identity theft, which can have a devastating impact on our lives that can be difficult or even impossible to eradicate. The only major behavior in which I have truly seen a shift is in the online use of debit cards, which has decreased. More people are becoming aware that unlike credit cards, there is no federal fraud protection over debit card transactions.

Data breaches are becoming commonplace, but that doesn’t mean we should shrug them off because the costs associated with them are tremendous and ever increasing. Unless and until we have a unified national data breach notification standard, make it a priority not to put yourself at risk. Take the extra few seconds to verify links before clicking by typing the URL into the browser yourself. Chances are you’ll recognize immediately whether you’ve landed in a safe zone.

– Heather Bearfield