With technology pervading our lives – via addiction to smartphones, the “Internet of Things” or simply our clear reliance on computers – who knew that the most precise description of today’s cyber-security situation would come from a cartoon character?
I’m referring to Pogo. His most famous saying sums up the current state of efforts by business and society to manage cyber threats and deal with the risks of computer hacking:
“We have met the enemy, and he is us.”
(For those unfamiliar with Pogo, he was required reading on U.S. newspaper comics pages from 1953 until 1975, when the strip was discontinued following the death of his creator, Walt Kelly).
For all of the efforts by information technology (IT) professionals to defend against hackers, and new cyber insurance coverages that seem to be introduced each week, the greatest threat to computer systems – and, by extension, corporate assets – continues to be human error.
That was underscored last month in the release of Verizon’s annual Data Breach Investigations Report. The report analyzed more than 2,260 confirmed data breaches and more than 100,000 reported security incidents – the highest since Verizon began issuing the report in 2008.
“Miscellaneous errors” took the No. 1 spot for security incidents, a category that included such preventable errors as improper disposal of company information, misconfiguration of information technology (IT) systems, and lost and stolen assets such as laptops and smartphones.
“In fact,” the company noted in a news release announcing the findings, “26 percent of these errors involve people mistakenly sending sensitive information to the wrong person.”
Remember “phishing”? It still works.
In announcing the report, Verizon highlighted an area that “has picked up dramatically over the prior year” – phishing. Phishing is a scam in which a hacker sends an email that looks as if it’s from a legitimate organization, often a financial institution, with a link to a fake web site that replicates a real one. A phishing email may simply ask the recipient to click on a link, thus releasing a virus or malware into a company’s network.
I am far from an IT expert, but for many years corporate information security people have emphasized to company computer users: don’t click on that link. Don’t assume such an email is from a legitimate source. And never provide personal or financial information to the phisher.
In spite of all these warnings, Verizon reported: “Alarmingly, [in 2015] 30 percent of phishing messages were opened – up from 23 percent in the 2015 report – and 13 percent of those clicked to open the malicious attachment or nefarious link.”
Verizon also noted that phishing offers a quick and efficient method for hackers to enter a company’s IT systems. In addition, it may take some time before a company can detect an attack and by then the damage has been done and the hacker is off to another target.
The solution would then seem obvious: train employees not to do stupid stuff. Simple, right? Well, not exactly.
A survey conducted in April and issued last month by the Ponemon Institute indicated that although more than half of respondents say their organization has had a data breach caused by a malicious or negligent employee, less than half make data protection and privacy training mandatory.
Moreover, top execs are setting little or no example to employees. According to the survey, even when training is mandatory, 29 percent of respondents say their CEO or C-suite executives are not required to take the course.
The weak links
Perhaps that’s acceptable, and such training, and IT security overall, need not be the concern of top management but instead can be managed by corporate IT staff.
However, cyber-security attorney Emily Duke points out that regulators who bring enforcement actions against companies universally say that it is not acceptable. Instead, regulators require companies to undertake enterprise-wide cyber-security awareness training and planning.
Duke also says that corporate governance associations have issued official guidance saying that cyber-security must have the attention of the Board of Directors.
At a meeting last month of Minnesota corporate IT security and compliance personnel, Duke identified costs a firm can expect in the first year following a breach, which need to be covered by cyber insurance policies:
- Forensics and legal costs to assess the size and scope of a breach,
- Defense costs for post-breach claims,
- Third party financial losses,
- The costs of a public relations team to mitigate reputational risks associated with the breach,
- Costs associated with notifying customers and credit monitoring,
- Business interruption costs,
- Regulatory fines,
- Remediation costs for damaged systems,
- Theft of assets, money or financial instruments, and
- Cyber extortion costs, when paying a hacker ransom is the wise course of action.
Duke echoes the findings of the Verizon study in her firm’s materials, which note, “Humans are the weak links in network security.”
Perhaps the best recent example of how human oversight led to an attack by hackers was the recent breach of the LinkedIn, Pinterest and Twitter accounts of Facebook founder Mark Zuckerberg. The small opening that enabled the hackers to crack Zuckerberg’s accounts was his use of the same password for multiple websites.
A collective named OurMine boasted that it had broken into the accounts, and notified Mr. Zuckerberg of the breach using his own Twitter account.
“We are just testing your security,” the tweet read.