Last year will long be remembered as the year when cyber attacks became front page news. No institution was spared — public companies, government agencies or non-profits. Heading into 2015, we have just reached the first mile of a race without a finish line, and time is of the essence when it comes to understanding the sophistication and complexity of cyber attacks
Most cyber attacks fall into one of three main threat types:
- attacks on a network’s confidentiality, causing theft or release of secure information such as credit card or Social Security numbers;
- attacks on a network’s availability by overwhelming it with so many requests that it renders the site inoperable, or by injecting code that redirects traffic away from the site; and
- attacks on a network’s physical integrity which alters or destroys computer code causing damage to the network’s infrastructure.
In 2015, here are seven resolutions to help protect your company against cyber threats:
1. Tighten Your Vendor Network
If there is one key takeaway from the cyber attacks of 2014 it’s that passwords are dead. Hackers gained access to Fortune 100 companies by stealing passwords and log-in credentials of smaller vendors, including air conditioning and food delivery companies. Replace your single passwords with two-factor authentication or “2FA.” A good example of 2FA is withdrawing money from an ATM – it requires two authentications — your bankcard and your password. Another example is signing on to a Bloomberg terminal, which requires a password and then, using biometrics, requires a fingerprint swipe for a second form of authentication that cannot easily be stolen. You should require 2FA of all vendors or employees who log on to your networks remotely.
2. Detonate Malware
“Spear Phishing” is an easy and effective way to attack a network. Hackers obtain names of your friends from your public social media accounts and then send you a personal note that appears to come from someone you know and trust. When you click on the attachment or link, the email installs “malware” on your network. A solution for malware is “detonation” software. Once an email with malware is opened but before it can leave your network with critical information, it is detonated in a “sandbox” to test whether it is being routed to an inappropriate site.
3. Guard Your “Crown Jewels”
What information matters the most to you? Is it a secret formula, proprietary IP, Social Security or credit card numbers, sensitive health care data or non-public financial information? Once you determine your company’s most important and sensitive information, compartmentalize it from the rest of your technology and network operations.
4. Develop a Cyber Attack Response Plan – Now
Develop a plan and practice it regularly. As part of your plan, hire a forensic investigatory firm to review your network and your response plan.
5. Conduct “Penetration” Tests
Engage a third-party firm to conduct “penetration tests” to identify weaknesses in your company’s IT network and infrastructure. Based on the findings, make the necessary security improvements and comply with disclosure requirements. For example, the SEC has published guidance regarding the responsibilities of public companies to inform investors about cybersecurity vulnerabilities.
6. Embrace the Government
When it comes to cyber attacks, the famous saying that “we are from the government and we are here to help” couldn’t be more true. The U.S. government has been far out front of the business community in understanding the significance of cyber threats. Current and former cabinet officials have warned for years about the risk of a “cyber Pearl Harbor” or “cyber 9/11.” The Secret Service and FBI have repeatedly alerted unaware public companies that their systems were breached — even though neither agency was under any obligation to do so. Don’t wait until after an attack to build relationships with key officials at the FBI, the Department of Homeland Security and the Department of Justice.
7. Kick the Tires in M&A
Traditionally, the biggest security risk in a merger or acquisition transaction was confidentiality. Increasingly, cyber risk is becoming a critical, and often overlooked, factor. Heed the Department of Homeland Security’s recent warning about cyber risks in companies that you may consider buying or investing in and conduct cyber audits as part of routine due diligence.
In 2014, the focus of many cyber attacks was stolen credit cards and financial crime. In the future, the threat will likely escalate to physical damage of technology networks and infrastructure.
During the 2014 December holiday season, the German government reported a cyber attack that caused “massive damage” to an iron plant. Utilizing a spear phishing attack, hackers disabled the electronic controls that turned off the plant’s furnaces, causing damage to the entire plant.
What new forms of cyber attacks will 2015 bring? Don’t wait to find out. Start 2015 off right by implementing these resolutions to help protect your company from ever-present cyber threats.
Peter J. Beshar is Executive Vice President and & General Counsel of Marsh & McLennan.