The Los Angeles Times recently reported on an accounting firm that was hacked. The job took cyber criminals three minutes to gain access to sensitive data from outside the organization’s network.
“That was a shock,” one of the partners told the newspaper. “I thought we were safe.”
If that same partner had thought to ask Adam Goslin whether his business was safe, the founder of High Bit Security would have known the answer: no. Reviewing High Bit Security's clients from all of 2012, Goslin found that 100 percent of the companies that had never performed proactive testing turned out to have serious vulnerabilities in their systems.
Goslin shared that story, and many others, while hosting the latest Online Tech “Tuesdays at 2” free educational webinar series.
His presentation, "Why Is it So Hard to Secure a Company," showed that the accounting firm is far from alone in its naiveté.
Congressman Chris Collins (R-NY), chairman of the Small Business Committee’s Subcommittee on Healthcare and Technology, claims nearly eight in 10 small business operators believe they’re safe from cyber attacks.
Another Congressman, Mike Rogers, chairman of the House Permanent Select Committee on Intelligence, has a message for business owners who believe that way: “If your IT guy tells you that your company is just fine and you don’t need to worry about security, fire him.”
Goslin says he wouldn’t go to Rogers’ extreme, but did note that “the biggest threat to a company is bad assumptions.”
He compared IT security to healthcare. In the medical field, a general practitioner refers patients to a specialist for heart surgery. In the IT world, network administrators and IT support companies are generalists. “Security is a specialty,” Goslin said.
What follows is an outline of Goslin’s presentation. For complete details, a full video replay and the presentation slides are available here.
Goslin covered some current trends in the world of cyber crime, noting that hackers have been shying away from large, well-protected organizations to focus on smaller, more vulnerable organizations. The result is an increase in small-scale breaches.
He also notes “a massive increase” in stolen PHI (medical), PII (identity) and PCI (credit card) data from organized hackers in Eastern Europe and touched on state-sponsored infrastructure attacks.
Other hot topics in the security world include lost and stolen devices, mobile threats, critical infrastructure attacks, and rising data breach notification requirements and fines.
Threats – External/Internal
As part of his presentation, Goslin covered the areas where organizations are susceptible to security threats. The list is long and includes both external components (network firewalls, external-facing servers and ports, websites and hosted solutions, connected vendors, wireless systems, bring-your-own-device policies, etc.) and internal ones (hardware configuration, software configuration, software patching, passwords, viruses, etc.).
“As you look down this list of potential threats, literally all of these elements are something that could be playing out as a security threat on any device in an organization,” Goslin said. “There are a lot of areas for risk.”
Breach Risk: Worth Protecting?
Part of the process of determining steps to properly protect a company’s data is determining if it warrants protection. Goslin said most companies are surprised by how many sensitive records they have on-hand.
Data that needs protecting includes information related to all past and present employees and customers, which can include sensitive PCI (credit card), PII (personal) and PHI (health) records.
Also worth considering, Goslin notes, is intellectual capital (cost for development, years invested, uniqueness) and patent information (on file/in progress, security of storage, first-to-file implications).
Breach Cost Measurement
Goslin cites a Ponemon breach cost study released in June that investigated data breaches at 54 companies across 14 industry sectors. The record counts in the breaches ranged from 5,000 to 99,000 and the overall breach cost averaged $188 per record.
Causes of the breaches varied from malicious or criminal attacks (41%) to human error (33%) to system glitches (26%).
Within the average cost per record breach, industries varied greatly. Financial organizations paid $254 per record. For healthcare organizations, that cost was $305 per record.
Factors that Ponemon found reduced the impact of a breach were third-party security consulting and a strong, proactive security stance. Implementing those elements resulted in savings of $89 per record in the event of a breach.
Along with regulatory fines and legal fees, the cost of a security breach can include professional security testing, consulting fees, communication (media and individual notification), employee training, investigation/forensic costs, security awareness programs, vendor management, workforce changes and a hit to an organization’s reputation.
Security Testing Case Studies
Goslin covered a pair of High Bit Security testing case studies during his presentation.
In one, a medical facility supported by an electronic medical records (EMR) provider hired the company to perform penetration testing. During the test, High Bit Security was able to take over every server, workstation and firewall at the medical organization, and gained access to sensitive medical data including prescriptions, full contact information for patients, Social Security numbers, doctor signatures and the doctors' narcotics ID numbers.
In another engagement, a rebate processor needed breach resolution assistance from High Bit Security. Externally, the testers found many network and application security holes that allowed access to the database. Internally, they found numerous flaws that allowed them to take control of most of the company's systems.
“We stopped counting when the potential loss went over one quarter of a million dollars,” Goslin said.
Supporting a Secure Stance
“Penetration testing, bar none, is the best way to identify the question ‘Am I secure?’” Goslin said. “But certainly there are a number of tools and security solutions that all need to play into the security of an organization.”
They include information security policies, acceptable use policies, software and infrastructure deployment methodology, patch management, monitoring of the environment, access control (granting and removal), risk management, incident response planning and security awareness training.