The Green Sheet Online Edition
July 27, 2015 • Issue 15:07:02
Outsmarting cyber predators
Just like businesses, cyber threats come in all shapes and sizes, and any business with an email address or a bank account is vulnerable. If a business handles private customer information, electronic payments or large volumes of cash, for example, its security stakes automatically increase.
Cyber-security breaches and information phishing schemes have occurred through a multitude of business channels, including POS systems, websites, online accounts and email. Even outdated business software programs are a prime target for predators seeking to punch through a business' security front to get into the back end where sensitive data lives.
"If you go back two or three years, there were a lot of attacks where criminals would take over online banking sessions to install malware, then they would send a fraudulent wire transaction," stated Charles Bretz, Director of Payment Risk for the Financial Services Information Sharing and Analysis Center (FS-ISAC), an organization established by the global financial services sector to analyze and share information about risks and mitigation.
Bretz noted that he has observed criminals concentrating on various services retailers have implemented. "For instance, remote access for software maintenance services is now being attacked," he said. "Criminals are monetarily driven, so when they find a successful entry point they can continue to exploit, they will."
SMBs a prime target
Business owners often believe cyber criminals will focus only on highly lucrative targets, but often it's the small to midsize businesses (SMBs) that are at most risk. SMBs have fewer resources to put toward combating fraud, very little or no security training, rudimentary check-and-balance systems, and recovery from a major data breach is nearly impossible. They are the sitting ducks savvy cyber criminals love to prey upon.
"Threat and vulnerability management is talked about quite a bit, and things like software security patches are now just an everyday expectation," said Marc Punzirudu, Senior Security Consultant with ControlScan Inc. "The biggest vulnerability point in any business is its people, especially when security is loosely managed in-house through a small team."
Punzirudu stated that social engineering can be very difficult for smaller enterprises, and the rapidly changing pace of technology is adding even greater security risk for SMBs. "Business process hasn't kept up with technology, so the risk assessment is no longer the same, but security is still something SMBs do around ops as a second priority," he said.
However, security advancements such as Europay, MasterCard and Visa (EMV), cloud computing, tokenization, and point-to-point encryption represent key steps in the fight against cyber crime and sensitive business data protection. Both Bretz and Punzirudu urge businesses of all sizes to take seriously precautionary security measures such as Payment Card Industry Data Security Standard compliance, software and firewall updates, installation of anti-virus software enterprise-wide, and POS upgrades.
Assistance, tools available
In addition, they suggest implementing ironclad risk mitigation practices. "Businesses need to adopt mitigation processes that are very similar to what a bank would do, such as financial approval systems that require two people, secured white listings of who can be paid, etc.," Bretz said. He added that fighting today's criminals requires "more than social engineering," because they know how to do the reconnaissance. They will track a company's day-to-day patterns or watch for known events where they can swoop in, undetected, to spoof a system.
For example, the FS-ISAC recently published guidelines in response to a rash of email scams through which criminals are taking over chief executive and chief financial officer email accounts, then using the accounts to direct staff to make wire transfers – something employees who routinely make wire transfers wouldn't question if they hadn't been alerted in advance.
Although the prognosis may seem a bit gloomy at times, there is good news. In addition to increased compliance with data and device security standards and more abundant access to effective security tools, SMBs are choosing to use more secure, cloud-hosted software and improve employee training to reinforce best practices for data security.
Also, federally sponsored education initiatives, such as the Federal Trade Commission's Start With Security business education initiative (www.ftc.gov/news-events/press-releases/2015/06/ftc-kicks-start-security-business-education-initiative), are being implemented to help business owners grasp the reality of cyber threats and guide them to take greater accountability for their own data privacy and asset security.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.