Security doesn't just happen, cyber experts sayReprints
Risk managers worrying about cyber threats have to be aware that not only can their systems be attacked for their data, but that criminals also may use their systems to commit cyber crimes against others, according to a security expert.
“The Internet was designed to be easy, to help us do many things,” Ryan Spelman, program executive for the Center for Internet Security in East Greenbush, New York, said at Business Insurance's Risk Management Summit in New York Tuesday.
“The tools and resources we have are limitless, thanks to the Internet,” Mr. Spelman continued. “However, the Internet lets criminals do many things as well: identity theft, raid your bank account, damage your systems, but more nefariously, use your systems to conduct other crimes. Across the globe, computers are being utilized without their knowledge to commit crimes across the ocean.”
Malicious or criminal attacks continue to be the primary cause of data breaches, with 49% of incidents in the United States involving malicious or criminal attacks, 19% based on the employee negligence and 32% related to system glitches, according to a May 2015 study conducted by Traverse City, Michigan-based consultant Ponemon Institute L.L.C.
“Any organization can be affected by any single one of these attacks,” he said. “That does not necessarily mean if you spend time to stop one, you're going to stop all of them. But if you can focus on stopping the malicious attackers, the steps you take to confront that will help you confront other issues that may happen.”
Risk managers also have to consider the system vulnerabilities of their business partners, Mr. Spelman said.
“You may be working with a company that's going to have access to your sensitive information,” he said. “Are they a target for corporate espionage? Are they being looked at or investigated by somebody else? These are key questions to ask.”
Corporate systems may also face cyber threats from “hacktavists” and nation states, Mr. Spelman said.
“You may not be a target, but your systems can be utilized by a nation-state actor to attack someone else,” he said.
Several basic steps can be taken to defend against potential cyber threats, including having information technology staffers check logs to see whether employees are accessing the company's system at unusual times or from locations such as China, Mr. Spelman said.
“That's what we call in the industry a clue,” he said. “If you're not involved with IT, get involved with IT.”
Risk managers should also make a list of all company assets such as laptops and printers, and ensure systems are configured to require the use of strong passwords and other protections, Mr. Spelman said.
“Security is much like a healthy body — it does not just happen,” he said. “You work at it.”