Our Loricca team is based in Tampa, Florida. We happen to be in the middle of a (thankfully) light hurricane season. We like to tell ourselves we are not really at risk. Maybe that’s what people in California tell themselves about earthquakes. I often hear the same sentiment from executives and IT leaders about their cyber security risk.
The Tendency to Downplay Common Risks
As Floridians, we know that any plans made in August and September are somewhat tentative. But those of us who have been through more than a couple of hurricane seasons tend to become jaded. We just don’t get worked up for anything below Category 3. Even when a storm is brewing out there somewhere, we are presented with forecasts while he or she is still days away that show the many possible paths it may take. Looking at all those squiggly lines, it’s easy to convince yourself it won’t come here even while you know that, if it ever really does hit close to home, it won’t be pretty.
Denials and failure to plan could be deadly if an intense storm hits. Although they start out vague and maybe even hard to take seriously, the forecasts get more and more specific as a storm approaches. I’ve seen lackadaisical, old-timer Floridians kick preparations into high gear in the last day or two before a strengthening storm. We all have a threshold – the amount of risk we’re comfortable with (Category 1, 2…) and how far we’re willing to push the run on gas stations and grocery stores – everybody wants to get in and out before the last minute panic.
In IT security, many businesses and even government organizations seem to operate like Floridians trying to play it cool in hurricane season. As foolish as we may be to wait to stock up on batteries, the implications for businesses playing chicken with cyber risk could be even more dangerous.
Sources of Cyber Threats
Hurricanes come in categories. The degree of preparation (and panic) you will see in Florida correlates directly with the expected category of a coming storm. This is a luxury IT security executives do not have. There may be categories of cyber threat and the potential threat to your organization may be less or more depending on the source and type of incident you face. While you will not have the benefit of a forecast or time to prepare, understanding the sources of risks is helpful for recognizing and evaluating the cyber categories.
Nation-State Cyber Espionage
We have seen a steady rise in brazen nation-state sponsored attacks in recent years. In 2014, the US Department of Justice filed the first ever cyber espionage case against officials of another country. Throughout 2015, Chinese cyber spying has increased over 50 percent, according to the FBI. And just this past August, Russia is believed to have launched a sophisticated attack on computers at the Pentagon.
Criminal Cyber Threats
Early this year, Anthem Healthcare suffered a massive external cyber-attack putting eighty million customers’ data at risk. Hackers gained access to names, birthdates, Social Security numbers, addresses, employment information and income data. This is just another in a series of major data breaches kicked off by Target’s loss of payment information during the busy holiday season in 2013. Similar attacks have rocked Neiman Marcus, JPMorgan Chase, Experian, eBay, Home Depot and many more large and small companies.
Internal Security Risks – Malicious or Innocent
Even if your company seems an unlikely target for cyber terrorism or criminal hackers, you could still face a significant security event or data breach from within your own organization. Some experts believe as much as 80% of security incidents stemming from internal threats involve, or are directly the result of, insider misuse, whether accidental or malicious.
Your data could be compromised or stolen by disgruntled former or current employees with access and motivation for revenge or simple greed. Home Depot fell victim to greed from within in 2014 when a small group of employees stole the personal information of 20,000 of their coworkers and used some of those details to apply for fraudulent credit accounts.
While these Home Depot employees may represent the worst kind of employee, they may not be the most dangerous risk to your data. The potential damage from well-intentioned or careless employees could ultimately be much more costly for your company. Data breaches resulting from lost or stolen mobile devices can cost companies millions of dollars in lost time, revenue, compliance remediation and even regulatory fines and legal costs. A recent Kaspersky study revealed that a large majority of mobile device users regularly put their company’s critical information at risk.
The study found that employees use company-issued devices for shopping, making mobile payments, and other personal online activities. When employees are using their own mobile devices for work, such personal online activities are obviously opening the door for potential risks as well. Employees who do not understand or follow clear BYOD and remote access policies may inadvertently provide easy access for hackers or data thieves.
Unlike a hurricane, different categories of cyber threat do not necessarily indicate the potential severity. The Category 1 internal threat from a well-intentioned employee may be just as catastrophic as a high-level malicious attack. Your company will not have the warning or the luxury of treating cyber risk like “just” a tropical storm.
When a storm is coming and moves closer and closer to land, we are bombarded here with back-to-back updates and revised prediction models. The 2004 hurricane season was a record setter here in Florida. With four back-to-back storms, windows boarded up and schools closed, we all became storm-weary. Over the last year and a half, with almost constant news of data breaches affecting major companies and government agencies and impacting nearly every American, it is easy to become breach-weary in the same way. Take a few minutes to review this quick list of significant recent breaches. Consider how such an incident could impact your own company.
Know the Real Threats Facing Your Company
The Global State of Information Security Survey (GSISS) put the average fiscal impact of data breaches in 2014 at $2.7M each. Given the high rate of occurrence, the high costs of recovery, and the wide variety of cyber security risks that we see every day, it concerns us to hear claims that cyber threats are overstated. It may be unlikely that your company will ever be a target of Chinese or Russian cyber espionage – or it may be a real possibility. You may face a slightly greater risk of being targeted by cyber criminals exploiting vulnerabilities in your network or tools to siphon off client data that will fuel identity thieves and compromise your clients’ financial health and your company’s reputation. Virtually no company is immune from internal threats, which can bring consequences just as dire as an organized, malicious, external attack.
Executives who would choose to believe their company’s cyber risk is actually low are playing a game we are all too familiar with here in Florida. Your company cannot wait to freak out when it’s actually terrifying.
Before you assume or dismiss any potential risk, be sure you understand the unique incentives your data poses for hackers, the weak spots in your systems and procedures, and the potential costs in lost productivity, reputation, business, and even regulatory and legal costs that could result from a breach. A complete and thorough risk assessment can identify areas of security threat that should be addressed and create a prioritized road map for addressing identified concerns in a systematic, realistic way. If your organization has not undergone a thorough assessment in a year or more, the threat landscape has likely changed significantly.
Routine risk assessments will keep your IT team up to date on the threat landscape and help them identify and address potential weak spots. But keeping the rest of your employees out of the loop on your security efforts could foster even greater potential for a breach or incident in the long run. Regular security training sessions are vital for all employees and should be supplemented with reminders, tips, and help to follow the best, most up-to-date security practices in all their activities online and within your systems. Here in Florida, we are bombarded with reminders, tips and statements from officials imploring residents to be vigilant. Officials recognize the risks and work to keep hurricane preparedness top of mind for residents, just as cyber-preparedness among your employees is critical for your business.
Any Floridian who has lived through a significant hurricane and the pain and expense of rebuilding afterward will tell you to prepare, and then you can relax. Of course, the forecasters may be overstating the risk, and the storm may not hit where you are. But it is cheaper and easier to prepare as best you can than to rebuild in the aftermath.