Employees pose biggest cyber threat to employers
NH Business Review cybersecurity forum explores how businesses can thwart and respond to cyberattacks
It’s not a question of when your company will be hit with a cyberattack – in fact, the system may have already been breached.
On average, 200 days pass before a company is aware of a breach, said Don Ulsch, senior managing director at PricewaterhouseCoopers LLP at TechTalk NH, NH Business Review’s cybersecurity forum, held on Tuesday, Nov. 17. “I’ll tell you what the reality is,” said Ulsch, standing in the Crowne Plaza Hotel in Nashua. “[With] most of my clients, it’s 4,5,6,7 years before they realize it. The further you go without identifying that point of breach, the greater the amount of data."
For small to medium businesses in New Hampshire, Chinese and Russian hackers is not the concern but instead employees.
“The majority of data breaches happen by virtue of accident, mistake or misfortune instead of a malicious attack,” said Cameron Shilling, director of the Litigation Department and chair of Privacy and Data Security at McLane Middleton, in a panel discussion. “The employee is still probably the greatest cause of breach.”
Ninety-five percent of threats are due to human error, said Mark Benton, product manager at Systems Engineering. Much of breaches are phishing attacks, from employees clicking on a link in an email, said Benton, or ransomware that locks down a file or system, said Larry Cushing, vice president of sales engineering at DSCI.
The panel suggested businesses address the low-hanging fruit. That includes changing passwords, making stronger passwords, updating typical anti-virus and anti-malware software, and especially encrypting devices used for work.
“As part of the agreement of employment should be the right to wipe that device,” said Benton. “There’s new technologies out that maybe make wiping a little more friendly,” like MDM, mobile device management, or MMDM, medical mobile device management.
Mismanagement of passwords and devices are more of a threat than using cloud software, said Cushing. “If your cloud provider has appropriate security in place, they’re likely not going to be attacked,” he said. But sending passwords around via email is very bad, said Peter La Monica, department chair and associate professor of Computer Science, Manchester Community College.
And accessing public wireless networks also leaves employees’ devices vulnerable. Benton recommended employees working remotely access the Internet through a VPN (virtual private network) versus a wireless hot spot.
Educating employees and enacting policies will help a firm add an extra level of security. But attackers on the outside will wait and watch employees’ access levels to make calculated moves on what type of information can be obtained, said Ulsch.
Schilling recommended cyber liability insurance, which covers the cost of sending out notifications to customers and other PR and legal response necessary after a cyber breach, as well as extortion.
“Most policies cover cyber extortion, and this is a great, great piece of insurance to get because most extortion scams are not asking for a hundred thousand dollars to unlock your computer system, they want two thousand dollars,” said Schilling. “And liability coverage will pick it up because it’s a no-brainer … it’s going to cost ten times that once you have a lawyer on the phone.”
Those in regulated sectors, like health care, will have to ensure their policy also covers the costs of audits and fines and penalties.
“It fairly inexpensive and for the most part it’s a la carte, which means you can get what you want and only take what you want,” said Schilling.
Handling PR correctly after a breach is important, to ensure you treat your customers like you care about them. “I tell my clients: Imagine your information was breached. What would you want to know about it?” said Schilling.
“Every breach is a public relations issue. You need to bring on the right public relations firm. You need to understand what your message is going to be. Your message starts in the drafting of the notification. You have a press release ready so that when you get the call, you can be proactive and not reactive and figure out who your problem players are and get to them first.”
The good news is that most companies don’t face lawsuits from their breaches, like the retailer Target has experienced, said Schilling. But cyber liability insurance will often cover the costs of legal defense for such a situation.
Sponsors included Bronze Sponsor DSCI; and General Sponsors IT Secure and TeamLogic IT.