Why doesn't data security get the respect it deserves?

Data breach “horror” stories have become a new staple in today’s business environment.  The frequency of attacks which threaten (or compromise) the security of business networks and information systems continually increases.

Wells Fargo accidentally leaked thousands of sensitive documents, but not in the sophisticated way it’s often in the media. The bank wasn't hacked, and its computers weren't encrypted by Ransomware. 

A lawyer representing Wells Fargo in a lawsuit now has to explain how she inadvertently turned over confidential information about thousands of bank clients.  She inadvertently sent 1.4 gigabytes of files to a former financial adviser who subpoenaed the company as part of a lawsuit against one of its current employees.  The data set includes at least 50,000 customers' names, Social Security numbers and sensitive financial information, according to The New York Times, which confirmed the contents of the documents. The affected clients are some of Wells Fargo's wealthiest, with investment portfolios worth tens of billions of dollars.

Will the NJ-based law firm have potential liability exposure for its lawyers? 

Only time will tell. 

Judges in New York and New Jersey have issued orders barring further release of the documents, requiring the plaintiff to delete any document copies, and requiring the plaintiff to give the digital file to the court for safekeeping.

For nearly two decades, I have been assisting businesses of all sizes dealing with ESI (Electronically Stored Information) being misappropriated, lost, stolen, or spoliated.  Over 50% of the cases deal with theft of trade secrets, restrictive covenants and non-competes, spoliation and, within the past decade, data breaches.   

Seventy-four percent of organizations felt vulnerable to insider threats, while almost half of surveyed security professionals said that insider risks had increased in the past year, resulting in greater rates of stolen data and security breaches. (Source: a recent industry study by Delta Risk.)

The business sector continues to have the highest percentage of total breaches reported — 54.7 percent at the six-month mark.

NOTE: I SAID REPORTED! 

MUCH OF THE MEDIA AND WHAT IS KNOWN IS ONLY A SMALL PERCENTAGE OF CASES REPORTED.

Although data security and breach response are constantly in the headlines, studies demonstrate that organizations remain unprepared to effectively respond to a data breach.

Is your organization ready? 

Business leaders need to take a different approach, peel off the bandages of the past, and identify what and where their "crown jewels" are.  Information security has, by necessity, changed a lot from a strategic perspective.   Back in the day, tall walls and clever architecture were all we needed to keep criminals out. Castles emerged in Europe in the Medieval period during the 10th century, built to provide protection from enemies. Later, castles became status-symbol residences for monarchs and royalty (the crown jewels).   The weakest part of the castle’s defenses was the entrance. To secure access to the castle, drawbridges, ditches and moats provided physical barriers to entry. 

It's no longer good enough to ensure end-to-end protection within the walls of your enterprise.

In the case of Wells Fargo and their outside law firm, this should serve as a wake-up call about third parties, any one of whom could cause real financial and reputational damage if compromised.

So why are firms not spending more time focusing on understanding what and where the sensitive data is?

Throwing Money at Cyber Security is NOT the Answer. 

Before spending a penny, or a dollar, more on any technology, one must ask:

Have we got the basics right?

It’s often the basic hygiene, the basic controls, that are overlooked in the search for a panacea that does not exist. Most security breaches can be prevented by having layered cyber security controls throughout the enterprise. Most organizations, however, are spending a large amount of money protecting their perimeter from the hacker hooligans; while that is necessary, a targeted attack is something that is often unstoppable.  Meaning, if your firm is targeted by a hacker or a hacking organization, no matter how secure your perimeter is, most security experts will confirm that there is nothing you can do to prevent it from happening.  

For years, I’ve been saying “People are the weakest link”.  Conversely, they are also the best front line of defense to prevent or detect a possible cyber incident.

Unfortunately, Cyber ignorance or "cyber fatigue" has set in. 

As stated earlier, most organizations are building defenses around the castle, but don’t have good controls around the data in their business, which is what is most vulnerable.  

Please feel free to contact me for a fixed fee "Ethical Hacking" assessment or if I can be of any assistance to you.

Digital4nx Group, Ltd. provides Digital Forensic Investigations, Electronic Discovery Consulting and Advisory Service, Incident Response to Data Breaches and Cyber Security services such as “Ethical Hacking”. 

Is Cyber Fatigue putting everyone in danger?

I am sure that most people today are simply tired of the constant news about hacking the election, a financial services firm that has been compromised, or, worse, that your PII (Personally Identifiable Information) and PHI (Protected Health Information) is being sold on the Dark Web. 

A majority of computer users suffer from “security fatigue” — a weariness of or reluctance to engage with cybersecurity — that leads them into risky behavior online, according to a new study by scientists from NIST (the National Institute of Standards and Technology).  In short, they found that users’ weariness led to feelings of “resignation, loss of control, fatalism, risk minimization, and decision avoidance, all characteristics of security fatigue.”  In turn, that made them prone to “avoiding decisions, choosing the easiest option among alternatives, making decisions influenced by immediate motivations, behaving impulsively, and failing to follow security rules” both at work and in their personal online activities, including banking and shopping.

The report’s authors write, “Users are tired of being overwhelmed by the need to be constantly on alert, tired of all the measures they are asked to adopt to keep themselves safe, and tired of trying to understand the ins and outs of online security. All of this leads to security fatigue, which causes a sense of resignation and a loss of control.”

These findings have direct implications for businesses that are legally required to protect personal and financial data, including retailers, financial and healthcare businesses, law and other professional services firms. 

Cybercrime activities like phishing, spear phishing, business email compromise and social engineering all rely on innocent but unwary employees being led to do the cyber criminal’s dirty work. 

If the US Government, Fortune 500 companies, High Tech firms, Financial Institutions, Health Care Organizations and Universities with all of their resources were unable to stop the attacks... 

What possible chance can a small/medium business have?

The answer is: more than you would think.  

Digital4nx Group, Ltd. recognizes that the greatest vulnerability in most organizations comes from their own people.  

We have been providing fixed fee "ethical hacking" security assessments, which we define as a service in which we attack your network and computer systems using real-world tools and techniques in order to find security weaknesses.  The goal of an ethical hack security exercise is not to reveal deficiencies in the performance of your IT team, but rather to support them. We often find that IT teams are pressured to make things easy to use and functional, maintain software updates and patches, and keep the users up and running.  

Our ethical hacking assessment aids the IT team by giving them a road map for making their networks much more secure, identifying the sensitive information which the organization maintains, and improving the best reasonable security measures for that organization.

Having an independent team of experts audit your security is a valuable tool that is guaranteed to uncover vulnerabilities and greatly increase your level of security. 

Even small businesses can interrupt this chain of events at several points, making it much more difficult for cyber criminals to gain a foothold.  

We commonly find that we gain some of our initial access to a company's systems by tricking users into providing their passwords.  Once we have those passwords, we can leverage them to gain additional access to other systems.  

The techniques below are simple and inexpensive:

  • Make sure everyone in your company understands phishing schemes and how to recognize them.  A phishing scam is an attempt to trick someone into providing username and password information to a hacker.  Spearphishing is a phishing attack customized to a particular individual.
  • Do not allow people to have administrative privileges on their computers.  This prevents them (or viruses acting under their credentials) from installing hacking tools on a computer.
  • Change passwords regularly and use different passwords for different accounts.  In other words, the password to your work computer should be different from the one you use on, say, your Yahoo account.  Password manager software (such as LastPass, KeePass, Dashlane, ...) makes it easy to track and change passwords.
  • Ensure your computers install security updates from Microsoft, Apple, and Adobe automatically.
  • Install antivirus software on your computers.
  • Install a firewall if you don’t have one, and review your firewall to tighten it up as much as possible.  A firewall is a device that stands between your network and the rest of the world, blocking unauthorized access.
  • Configure spam filters to be as restrictive as possible and use Sender Policy Framework (SPF) records to reduce the likelihood of phishing messages.
  • Confirm backups run regularly and periodically test those backups.


Questions?  Concerns?  Want some help conducting a cyber security risk assessment?  Give us a call, we’re happy to help.

PS- For those who are not cyber fatigued and interested in reading about the Department of Homeland Security report detailing Russian civilian and military efforts to hack organizations, companies, and educational institutions in the United States, you can read it here.

CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES

The New York Department of Financial Services (NYDFS) has proposed regulations that require all financial services businesses operating in New York to develop and maintain a comprehensive cybersecurity program.  The regulations impose significant, yet minimum cybersecurity requirements, and mandate board of director involvement and accountability. 

The NYDFS proposed regulations apply to every business operating in New York that is required to have a “license, registration, charter, certificate, permit, accreditation or similar authorization” under New York’s banking, insurance or financial services law. 

While this includes banks and insurers, it also includes related businesses. Brokers, including mortgage and insurance brokers, as well as bail bond agents, check cashers, non-profit credit counselors and budget planners, licensed lenders, premium finance agencies, and others, are potentially subject to the regulations. You can see the other NYDFS supervised businesses discussed here.

The required cybersecurity program must serve six core functions:

  1. identify internal and external cyber risks;

  2. use defensive infrastructure;

  3. detect cybersecurity events;

  4. respond to and mitigate identified or detected cybersecurity events;

  5. recover from cybersecurity events and restore normal operations; and,

  6. meet regulatory reporting obligations.

In addition, the cybersecurity programs must include regular employee training on cybersecurity, and contain controls sufficient to monitor user activity and detect unauthorized user access.

For several years, Digital4nx Group has been providing "ethical hacking" security assessments, which we define as a service in which we attack your network and computer systems using real-world tools and techniques in order to find security weaknesses. Having an independent team of experts audit your security is a valuable tool that is guaranteed to uncover vulnerabilities and greatly increase your level of security.  

For many organizations, and especially those regulated by DFS, Digital4nx Group will provide a solution called Cyber Vigilance™.   This annual service is a set of proactive services designed to simulate a real-world attack on your network, without the end goal of causing harm, in order to identify, prioritize and remediate information security issues and potential exposures which could cause various risks for the organization.  

For more information, please give us a call or learn more about the program here and return the attached questionnaire for a fixed fee price.

ANNOUNCEMENT: A refreshing look in the new year

We are pleased to announce the release of our new website.  This new feel was the result of much hard work, dedication, and feedback from clients, prospects, partners, and trusted professionals.  

Our goal is to provide our prospects, clients, and partners valuable information about our services and staying current on the rapidly changing landscape in the legal and technical world. 

Another year will bring another round of changes, but what need not change is the formula of hard work for getting good results. We always work hard and persevere to achieve the desired success.

Let's raise a toast to yesterday’s achievements and tomorrow’s brighter future. 

I wish that your tomorrow is more prosperous, happy and successful than yesterday and today.

Have a safe, healthy, and successful 2015.  
