University and private printers across the country were commandeered recently to print out anti-Semitic flyers—without the owners knowing how they were printed or where the files originated. A white supremacist computer hacker claimed responsibility for the coordinated cyberattack that included thousands of targets across the country.
While this example may seem inconsequential compared with other highly publicized cyber breaches, it actually points to several larger trends taking place today around increased connectivity and complexity amid a move towards greater collaboration, communication, and controls.
As the example illustrates, products today have a new level of connectivity related to the advent of the 'Internet of Things.' In other words, more and more physical objects—from devices to vehicles and buildings, among other items—are embedded with electronics, software, sensors, and network connectivity. The proliferation of connected products, and the level of integration of different functions within each product, brings with it a new level of security concerns. A company like Panasonic has processes to address security in its products; other emerging companies may not.
The attack also points to the complexity of networked environments and extended value chains. Private printers may have been 'unofficially' on the university network, providing additional access points. In any company, how many employees or third parties have network access? How many are not following corporate protocols and are unofficially transferring information to devices, not changing passwords or not securing laptops? A recent Verizon study found that of the 15.1% of breaches due to physical theft and loss of laptops, USB drives or other information theft, 39% is from the victims' own work areas, and 34% is from employees' personal vehicles. The highly publicized Target breach was the result of a hacker gaining access to customer credit card data by using log-in credentials stolen from a heating, ventilation and air conditioning (HVAC) vendor. How many third parties have access to corporate networks? What levels of security do they have in place?
Companies are aware of the risks; however, many are unsure where to start. Some are turning to guidance from standards such as ISO 27001, focused on information security. There is also momentum around the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST).
Ultimately, companies need to address the “people, processes, and technology” that should be in place for a robust defense against cyber threats. Traditionally the security of networks has been under control of the information technology (IT) department in companies. However, leading practices dictate an approach that involves more stakeholders and a broader perspective.
Cyber breaches are more commonplace today, and as such, companies are more comfortable sharing information about attacks and methods. This is happening across geographies, industries and companies. Within companies, there is a move towards cross-functional teams working on cybersecurity. Addressing the complexity of these issues requires participation not only from the information technology (IT), legal and compliance teams, but also from communications, human resources and any others who would be involved if a breach occurs. Another trend is emerging around value chains. As part of due diligence and ongoing collaboration with business partners (particularly those with access to sensitive information), companies are requiring that policies and procedures be in place to protect assets. Many companies are also including information protection in ongoing assessments and monitoring.
Although the role of communication isn't the first thing that comes to mind in regard to cybersecurity, it is vital. It is needed first to ensure that employees and third parties understand their roles in keeping systems and data secure, and second to have a strategy developed for use in the event of a breach. Communication should also cross silos within organizations. Legal and human resources need to work closely to ensure that employees are signing contracts that obligate them to adhere to policies and procedures to protect sensitive information. Training also is critical – with employees, and also third parties including contractors, vendors and others in the value chain. It is not enough to just warn employees and others about the need to be aware of the risks; they also need access to resources when faced with a questionable situation. For example, an internal website with information about known phishing scams, top tips and also contact details for questions should be available. Everyone across an enterprise needs to understand the simple ways that bad actors are gaining access to systems.
Finally, companies need to address controls. In years past, there was a focus on “guarding the perimeter.” Given that insiders are most likely to be responsible for data breaches – through mistaken or malicious activities – it is critical that there are business processes and controls in place. This includes identifying sensitive information, separating it and providing access on a need-to-know basis. Monitoring is also fundamental. According to the Verizon report, in 93% of breach cases, it took attackers minutes or less to compromise systems, and weeks for discovery of the attack. Controls can also address more mundane yet vulnerable access points, such as software security patches, another common way into networks.
When it comes to cybersecurity, one of the greatest challenges is not knowing where or how the next attack will occur. Increasing collaboration, communication, and controls in a systematic way across a value chain won't guarantee against an attack but will go a long way toward a more secure environment.