Why companies need a more forward-looking approach to cybersecurity
By Neil Amato | October 23 2013
Not so long ago, computer hackers focused mainly on organisations that had the most to offer. They followed the money, trying to breach big companies and access cash, sensitive data or intellectual property.
These days, hackers are just as likely to probe the systems of small to mid-size entities, says Daimon Geopfert, McGladrey’s national leader in security and privacy consulting.
“You can be a run-of-the-mill organisation, and you probably have something that somebody in the world wants,” Geopfert said.
Hackers might try to steal customer or employee information. They might look to steal credit-card numbers. And instead of spending hours on end trying to break into the system of one business at a time, hackers have automated their processes well enough to bypass the security of multiple companies at once.
Geopfert, who spoke at the American Institute of CPAs Global Manufacturing Conference this month in Orlando, Florida, broke down companies’ cybersecurity controls into three categories:
Preventive. The most common, these are the controls that try to deny a hacker entrance to a company’s website or internal systems.
Detective. These controls can alert companies that they have been breached.
Corrective. This category encompasses the controls that act on a detected threat, get rid of it and get the company’s systems working normally again.
The area that companies focus on the most is preventive, and Geopfert said that, for years, this was good enough. “When trying to protect internal assets, a lot of organisations have a legacy mind-set when it comes to protection and attack,” he said in an interview prior to his presentation. “So they’re standing on controls that are very strong, circa 2005. The problem is we’re in 2013. A lot of the ways companies are getting breached, and what the attackers actually do once they get in that environment, is drastically different than what a lot of people are preparing for.”
His role at McGladrey includes showing clients how easy it is to be breached and why it’s important to devote time and energy to what happens after the hacking.
“They have to reduce their reliance on preventive controls,” Geopfert said. “They need to upgrade their thinking and get it in line with the modern threats, the modern attacks.
“A lot of the preventive controls can be bypassed. You need to focus on the detective and the corrective to be able to get [hackers] back out of the environment once they get in.”
Companies should focus more on monitoring their systems, he says, citing a 2010 report by telecom giant Verizon that said 86% of hacking victims had evidence of a breach in log files but failed to notice the breach.
Geopfert offers several tips for companies to improve their cybersecurity:
Don’t panic. Just because an outsider with criminal motive has gained entry to a computer system doesn’t mean that outsider knows where to find the company’s gold. Having a solid system of detection can kick out cyber-attackers. Geopfert said the time between a hacker’s entering a company’s environment and the company discovering the hacker’s presence is often seven to ten months.
Plan to fail, but plan to fail gracefully. Geopfert said organisations need to admit that hackers will be able to access their systems. “When [controls] fail, be able to tell that they failed and be able to correct the issue,” he said.
Train your employees. Geopfert said many companies fail to communicate to the workforce the importance of having up-to-date versions of web browsers and software such as Adobe and Java. “If you haven’t updated your browsers, just looking at the wrong webpage can have your system taken over,” he said.