SecurityBrief New Zealand
No magic bullets for defeating cyber threats
Wed, 19th Oct 2016

Cyber theft is hitting both mid-size companies and enterprises hard.

In the United States, the FBI has reported more than 12,000 victims of executive-level fraud globally with a loss of more than $2 billion during the past two years.

According to enterprise security specialists Centrify, organisations need more than just user awareness programmes to cut the risk of social engineering and cyber fraud.

One US tech company, Ubiquiti Networks, was recently swindled out of US$47 million, while another company, based in Atlanta, was scammed out of US$1.8 million.

Intellectual property theft is another form of cybercrime, with a 2015 Reuters report stating that hackers steal US$160 billion worth of intellectual property each year. For example, Australian metal detector manufacturer Codan had its metal detector designs stolen in 2011 after an employee laptop was hacked through a vulnerable hotel Wi-Fi connection in China.

Lachlan McKenzie, Centrify country manager for Australia and New Zealand, says there are ways executives could combat cybercrime in an organisation and reduce IT security budgets.

“Cyber risk is present at every level in every company from the break room to the boardroom,” he says.

“In retail, data breaches occur in companies of every size; from a one-store grocer to national organisations. Cyber awareness of social engineering attack modes is a management priority, and all employees have responsibility in preventing phishing and spear-phishing attacks from launching malware,” he explains.

“Employee training and cyber awareness are essential in reducing risk and the cost of data breaches, in addition to a defence approach with appropriate cybersecurity tools and software,” says McKenzie.

“Yet, awareness training is only part of the answer,” he notes.

McKenzie says a company-wide security policy as well as good internal controls, including the division of duties, are required.

“The policy and internal controls address access controls and payments processes, restrict access to accounts by individual role, work in the approvals process and keep password hygiene,” he explains.

McKenzie says senior executives could substantially improve their organisation's security posture by implementing protections based on the following seven steps:

1. Consolidate identities

“With 60% of data breaches caused by weak, stolen or default passwords, it makes sense to consolidate identities, to develop a holistic view of all users and strengthen and enforce password policy or eliminate passwords where possible,” says McKenzie.

2. Audit third party risk

McKenzie says third-party IT outsourcing contractors, business partners and associates are a preferred route for hackers to access the corporate network.

“However, only recently has third-party risk been assessed, managed and monitored,” he says.

“Audits to evaluate the security and privacy practices of third parties are essential to improve security posture.”

3. MFA Everywhere

“Multi-factor authentication everywhere, including third parties and the VPN that adapts to user behaviour, is widely acknowledged as one of the most effective measures in preventing threat actors from gaining access to the network and target systems,” McKenzie says.

4. Single Sign-On

“Single sign-on to enterprise and cloud apps, combined with automated cloud application provisioning and self-service password resets, cuts helpdesk time and cost and improves user efficiency.”

5. Least Privilege Access

McKenzie says role-based access, least-privilege and just-in-time privilege approval approaches protect high value accounts, while reducing the likelihood of data loss from malicious insiders.

6. Log privileged user access

“Logging and monitoring of all privileged user commands makes compliance reporting a trivial matter and enables forensic investigation to conduct root cause analysis,” says McKenzie.

“Compliance audit reports should only take minutes to prepare, not weeks.”

7. Protect inside the network

According to McKenzie, network segmentation, isolation of highly sensitive data and encryption of data at rest and in motion provide the best protection from malicious insiders and persistent hackers who get inside the firewall.

McKenzie says that while there are no magic bullets for defeating cyber threats, the right strategy, a strong security policy and the active engagement of all employees can drastically reduce the risk of cyberattack.

“By following these steps, organisations can reduce cyber risk, improve corporate compliance and gain cost efficiencies,” he says.