David Barton, a Managing Director at UHY Advisors, recently hosted UHY’s monthly Cause & Affect radio show on Atlanta Business Radio, along with my colleague Dave King, where we discussed how businesses can better manage cybersecurity.
Our guests were Glenise Moore, Director of IT Security, Compliance and Privacy for Ventiv Technology, a risk management and assurance software development company; and Tony UcedaVelez, CISO for Internap, an Internet infrastructure provider that offers cloud hosting, colocation and data center services.
One of the show’s key discussion points centered on a holistic approach to risk and cybersecurity solutions. At UHY, we approach cybersecurity from the standpoint of people, process and technology.
The critical weakness we see in the industry right now is the failure to train people at all levels of the organization about how to be a more effective “human firewall” and to recognize potentially dangerous emails and attachments. Many of the largest breaches we've seen in the last two years or so have come about not because of technology failures, but because of people failures.
Through phishing emails and malicious websites, employees can easily compromise their company access credentials (i.e., user ID and password), thereby allowing an attacker to gain access to the company's network. Once in, that attacker can then use more sophisticated techniques to reach more secure areas, potentially even taking over administrative rights. A lot of big names and a lot of big breaches have occurred because of the failure of people to recognize phishing emails.
The consequences of poorly trained employees can be disastrous and costly. And it’s not just phishing emails. There have been numerous highly publicized fraud cases resulting in tens of millions of dollars being taken as a result of emails that look like they are coming from the CEO or CFO asking to “please send a wire transfer” to such and such a company. Because the email looks to be from an executive and generally carries a sense of urgency, the victim sends the wire transfer and later discovers that it wasn't the CEO who asked them to initiate the transfer. Rather, it was a hacker on the other side of the world.
These kinds of security and control failures have happened not because of technology failures or anything to do with perimeter-based security. Rather, they are human failures that could have been prevented with better processes, better controls, and better training.
So how do you know if an email seemingly coming from your CEO is legitimate or not? How can you vet that call to action in the email, before taking action?
Dave King shared how critical training and awareness are. It’s essential that you train your users and the executives in your company about the types of risks and risk scenarios that are out there.
Glenise Moore added that it’s always important to verify the source of a request or call to action before taking action. Don't be afraid to pick up the phone and ask if the request is legitimate, even if it comes from the CEO. Her company, Ventiv, manages health care data, a prime target for hackers because of the ease with which this data can be sold on the internet black market.
Tony UcedaVelez explained that the number one thing to look for when trying to determine if a given email is legitimate is context. When he provides security training, he tells people that if the context of the request is out of place, it is an immediate red flag indicating the need for extra caution. The second thing to do is to simply look at the domain name to ensure the email came from within the company and didn’t come from an unknown sender pretending to be a company executive.
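As an added illustration, not code from the show or from UHY, here is a small Python check that applies the two tests just described to a constructed message: is the sender's domain our own (or a close lookalike of it), does a Reply-To header divert answers elsewhere, and does the body carry the out-of-context urgency of a wire-transfer request? COMPANY_DOMAIN, EXECUTIVES, the keyword list and both sample messages are assumptions made for the example.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"          # assumption: the organisation's own mail domain
EXECUTIVES = {"jane doe", "john roe"}   # assumption: display names attackers imitate
URGENCY = ("wire transfer", "urgent", "immediately", "confidential")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value: str) -> str:
    """Lowercase domain of the address in a From:/Reply-To: header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def assess(raw: str) -> list[str]:
    """Return the red flags found in one raw, single-part RFC 5322 message."""
    msg = message_from_string(raw)
    display_name = parseaddr(msg.get("From", ""))[0].strip().lower()
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    body = str(msg.get_payload()).lower()
    flags = []
    if from_dom != COMPANY_DOMAIN:               # the "look at the domain name" check
        kind = "lookalike" if edit_distance(from_dom, COMPANY_DOMAIN) <= 2 else "external"
        flags.append(f"{kind} sender domain: {from_dom}")
        if display_name in EXECUTIVES:           # familiar name on an outside mailbox
            flags.append(f"display name impersonates an executive: {display_name}")
    if reply_dom and reply_dom != from_dom:      # answers would go somewhere else
        flags.append(f"Reply-To diverts replies to {reply_dom}")
    hits = [w for w in URGENCY if w in body]     # the "context" check: urgency plus money
    if hits:
        flags.append("urgent payment language: " + ", ".join(hits))
    return flags

# Constructed sample messages, not real mail.
SUSPECT = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-example.net
Subject: Urgent wire transfer

I need you to send a wire transfer to the vendor immediately. Keep this confidential.
"""
LEGIT = "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 report\n\nPlease review the attached report.\n"
```

Running assess(SUSPECT) yields four flags (lookalike domain, impersonated executive, diverted Reply-To, urgent payment language), while assess(LEGIT) yields none; a flag is a prompt to pick up the phone and verify, not proof of fraud on its own.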
King pointed out that many cybersecurity breaches really just boil down to a simple formula. One person + one click = security breach.
He added that phishing campaigns extend well beyond email. This same technique is used on all major social media platforms, including LinkedIn, Twitter, and Facebook.
Stay tuned to learn more about putting the right controls in place to better manage IT risk, and listen to all our episodes here.