Story image

No magic bullets for defeating cyber threats

19 Oct 2016

Cyber theft is hitting both mid-size companies and enterprises hard.

In the United States, the FBI has reported more than 12,000 victims of executive-level fraud globally with a loss of more than $2 billion during the past two years.

According to enterprise security specialists Centrify, organisations need more than just user awareness programmes to cut the risk of social engineering and cyber fraud

One US tech company, Ubiquiti Networks, was recently swindled out of US$47 million while another Atlanta-based company was scammed out of US$1.8 million.

Intellectual property theft is another form of cybercrime, with a 2015 Reuters report stating that hackers steal US$160 billion worth of intellectual property each year. For example, Australian metal detector manufacturer Codan had its metal detector designs stolen in 2011 after an employee laptop was hacked through a vulnerable hotel Wi-Fi connection in China.

Lachlan McKenzie, Centrify country manager for Australia and New Zealand, says there are ways executives could combat cybercrime in an organisation and reduce IT security budgets.

“Cyber risk is present at every level in every company from the break room to the boardroom,” he says.

“In retail, data breaches occur in companies of every size; from a one-store grocer to national organisations. Cyber awareness of social engineering attack modes is a management priority, and all employees have responsibility in preventing phishing and spear-phishing attacks from launching malware,” he explains.

“Employee training and cyber awareness are essential in reducing risk and the cost of data breaches, in addition to a defence approach with appropriate cybersecurity tools and software,” says McKenzie.

“Yet, awareness training is only part of the answer,” he notes.

McKenzie says a company-wide security policy as well as good internal controls, including the division of duties, are required.

“The policy and internal controls address access controls and payments processes, restrict access to accounts by individual role, work in the approvals process and keep password hygiene,” he explains.

McKenzie says senior executives could substantially improve their organisation’s security posture by implementing protections based on the following seven steps:

1. Consolidate identities

“With 60% of data breaches caused by weak, stolen or default passwords, it makes sense to consolidate identities, to develop a holistic view of all users and strengthen and enforce password policy or eliminate passwords where possible,” says McKenzie. 

2. Audit third party risk

McKenzie says third party IT outsourcing contractors, business partners and associates are a preferred route for hackers to access the corporate network.

“However, only recently has third-party risk been assessed, managed and monitored,” he says.

“Audits to evaluate the security and privacy practices of third parties are essential to improve security posture.”

3. MFA Everywhere

“Multi-factor authentication everywhere, including third parties and the VPN that adapts to user behaviour, is widely acknowledged as one of the most effective measures in preventing threat actors from gaining access to the network and target systems,” McKenzie says.

4. Single Sign-On

“Single sign-on to enterprise and cloud apps, combined with automated cloud application provisioning and self-service password resets, cuts helpdesk time and cost and improves user efficiency.” 

5. Least Privilege Access

McKenzie says role-based access, least-privilege and just-in-time privilege approval approaches protect high value accounts, while reducing the likelihood of data loss from malicious insiders.

6. Log privileged user access

“Logging and monitoring of all privileged user commands makes compliance reporting a trivial matter and enables forensic investigation to conduct root cause analysis,” says McKenzie.

“Compliance audit reports should only take minutes to prepare, not weeks.”

7. Protect inside the network

According to McKenzie, network segmentation, isolation of highly sensitive data and encryption of data at rest and in motion provide the best protection from malicious insiders and persistent hackers who get inside the firewall. 

McKenzie says while there were no magic bullets for defeating cyberthreats, the right strategy, strong security policy and active engagement of all employees could drastically reduce the risk of cyberattack.

“By following these steps, organisations can reduce cyber risk, improve corporate compliance and gain cost efficiencies,” he says.

Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.
How blockchain could help stop video piracy in its tracks
An Australian video tech firm has successfully tested a blockchain trial that could end up being a welcome relief for video creators and the fight against video piracy.
IBM X-Force Red & Qualys introduce automated patching
IBM X-Force Red and Qualys are declaring a war on unpatched systems, and they believe automation is the answer.
Micro Focus acquires Interset to improve predictive analytics
Interset utilises user and entity behavioural analytics (UEBA) and machine learning to give security professionals what they need to execute threat detection analysis.
Raising the stakes: McAfee’s predictions for cybersecurity
Security teams and solutions will have to contend with synergistic threats, increasingly backed by artificial intelligence to avoid detection.
Exclusive: Ping Identity on security risk mitigation
“Effective security controls are measured and defined by the direct mitigation of inherent and residual risk.”