In a past life, Kevvie Fowler was a cyber-researcher (what some might call a white-hat hacker). “Hackers do not help: they try to exploit the vulnerabilities,” says Fowler. “Researchers try to improve cyber-security: they identify vulnerability and help try to fix it.” Today, he is an information security and data analytics professional who has written six books on cyber-security and teaches database forensics to law enforcement agencies across North America. Fowler recently joined KPMG as Partner, Advisory Services, helping protect clients from cyber-attacks. We talked to him about how to protect your company from today’s cyber-security threats. –Dawn Calleja
Where is the threat coming from?
According to KPMG’s Data Loss Barometer 2012, which looks at trends in 92 countries over the past five years, incidents of data loss have gone up by 40 per cent since 2011 (with the technology, financial services, retail and media sectors being the worst hit).
The threats have changed drastically. “The goal of hackers used to be personal financial information that could later be sold,” says Fowler. “The new trend is espionage and the stealing of intellectual property and patents. Selling those yields a larger return than just selling credit card numbers.” As for who’s behind these new threats, Fowler points the finger at organized crime, nation-states and so-called hacktivists (think Anonymous, the virtual circle of socially motivated hackers that was in the news for its Occupy and Wikileaks support).
How worried should I be?
“A lot of people think that because they run a smaller business, they’re not at risk,” says Fowler. Not so: according to recent research from the U.S. Department of Homeland Security, 40 per cent of all cyber-attacks target businesses with fewer than 500 employees. “Most larger organizations have heightened security controls,” says Fowler, “so hackers shift their focus to smaller businesses, many of which don’t understand the need for cyber-security and lack even the bare minimum security controls such as policies around passwords, user accounts and acceptable usage of mobile devices that expose them to a large degree of risk. It’s a huge market for cyber-criminals.”
And since larger organizations are locked down so tight, hackers are turning to third parties – like law offices, insurers and other service providers – as a way to gain access to sensitive information belonging to those larger companies. “A lot of smaller businesses are being targeted to attack a juicier target,” says Fowler. “And based on what we’re seeing they have lower levels of security than their clients. It is the path of least resistance.”
What are the risks?
“One of the larger sources of compromise and disclosure of information is malware, viruses designed to get into networks to monitor and steal information,” says Fowler. That means that any computer or device connected to the Internet is open to malware attacks. “Anyone who starts to navigate the Internet is exposed to hundreds of threats a day,” says Fowler.
Your company’s Wi-Fi network can also be a target for hackers, especially if the wireless access you offer to customers isn’t segregated from your company’s corporate e-mail and files. “If you want people to spend time in your shop, you have to offer WiFi access,” says Fowler. “So how do you do that in a secure manner?”
How do we protect ourselves?
Fowler has a word of caution for business owners: it’s almost impossible to prevent a concerted attack from sophisticated cyber-criminals. “Know that no matter how big the wall is, someone’s going to slip through,” says Fowler. “It’s a cat-and-mouse game. The hackers come up with new techniques to circumvent the latest technology.” So part of your company’s focus should be on identifying and isolating the threats and figuring out how to mitigate the scope and impact of a breach.
That said, there are several simple ways to protect your company from attack. “A lot of these are easy fixes,” says Fowler – but can save you hundreds of thousands of dollars in the long run. Here are six:
- Lock down your Wi-Fi network. “Segregate your information,” says Fowler. “Have one Wi-Fi network for your corporate mail and files, and one that grants guests access to the Internet. And don’t plug it into your corporate network.”
- Put one person in charge of security. “A lot of small organizations might have two or three people quasi-responsible for it,” he says. “You need to have one person enforcing security internally and staying up to date on new threats.”
- Install anti-virus products and firewalls, and keep them up-to-date.
- Create clear security policies around how people should use mobile devices and Wi-Fi, and around password protection.
- Develop a response process to minimize the scope and impact of a breach, both at the employee level and at the management level, and make sure management backs it internally.
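The first item, keeping guest Wi-Fi off the corporate network, is a firewall configuration as much as a cabling decision. The ruleset below is an added illustration, not from the article or from KPMG: it assumes a small Linux router running nftables with three interfaces (lan0 for the corporate network, guest0 for the guest Wi-Fi, wan0 for the Internet uplink), and the interface names and subnets are placeholders.

```nft
#!/usr/sbin/nft -f
# Added illustration (not from the article). Assumed interfaces:
#   lan0   = corporate network (mail, files, workstations)
#   guest0 = guest Wi-Fi offered to customers
#   wan0   = Internet uplink
flush ruleset

table inet guest_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections already allowed may flow back
        ct state established,related accept

        # Corporate network may reach the Internet
        iifname "lan0" oifname "wan0" accept

        # Guest Wi-Fi may reach the Internet only; the explicit drop documents
        # the intent even though the default policy already blocks it
        iifname "guest0" oifname "wan0" accept
        iifname "guest0" oifname "lan0" drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept

        # Guests get DHCP and DNS from the router itself and nothing more
        iifname "guest0" udp dport { 67, 53 } accept
        iifname "guest0" tcp dport 53 accept

        # Only the corporate side may administer the router
        iifname "lan0" tcp dport 22 accept
    }
}

table ip guest_nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f` and confirm from a guest device that the corporate subnet is unreachable while the Internet still works; the counters shown by `nft list ruleset` make it easy to see whether guest traffic is actually hitting the drop rule.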
To help get started, check out the federal government’s “Cyber Safe Guide for Small and Medium Businesses,” at cybersafe.gc.ca. This introduction to the fundamentals of cyber-security lays out the threats around malware, phishing, social media, mobile devices, wireless networks and more, and explains how to begin locking down your company’s confidential data.