,

Cyber Security

,

Recently I attended the Cyber Security Summit in Boston. The key takeaways were:
•    Companies are being bombarded by both Nation States and For-Profit Attackers.
•    Fighting the attackers is a full-time almost losing battle especially if the simple email Fishing technique continues to work where an employee falls for the fake email inquiries. While email inquiries are often masked with legitimate described email addresses one only needs to click on the email address to see that they are fake addresses.
•    Another common method is to find backdoors to larger companies via their small and often not-well protected vendors. This has happened to both Home Depot and Target in the past
•    Complicating cybersecurity measures are increased mobile device usage, personal devices used for company business, and working from homes. 
•    Don’t pay Ransomware if at all possible. 

Employees also remain a threat - those who bite on the fishing emails and those who meticulously plan attacks. Two examples where they were caught:
1) attempted to harness the power of a company’s data center in order to mine Bitcoin
2) gained control via the network to use a video conference microphone in the board of director’s conference room to record sessions linked to a merger-acquisition transaction

Often you will hear the best defense is offense. Unfortunately, when it comes to hacking it becomes a crime as in cyber-crime which leads to using our public safety and intelligence agencies such as the FBI. Thus companies will continue to play defense in what looks to be a very complicated landscape of bombarding offensive cyber-threats.

Some good news. One stat cited was a cyber-hacker often lies in waiting in the company’s network looking for the right time to pounce. Almost a year was the historical average but more recently it has fallen to about 90 days implying IT departments are improving their security.

If you are a small business do you care? Yes! CPA accounting firm paid out $10,000 in ransomware when they lost control of their customer’s personal data. The lesson being if you are small find ways to keep the personal data off your network such as using outside vendors with more sophisticated platforms or encrypting documents that have sensitive data.