[BreachExchange] Security doesn't just happen, cyber experts say

[Audrey McNeil]

http://www.businessinsurance.com/article/20160325/NEWS06/160329886/cyber-security-internet-malware-ponemon-institute-risk-managers

Risk managers worrying about cyber threats have to be aware that not only
can their systems be attacked for their data, but that criminals also may
use their systems to commit cyber crimes against others, according to a
security expert.

“The Internet was designed to be easy, to help us do many things,” Ryan
Spelman, program executive for the Center for Internet Security in East
Greenbush, New York, said at Business Insurance's Risk Management Summit in
New York Tuesday.

“The tools and resources we have are limitless, thanks to the Internet,”
Mr. Spelman continued. “However, the Internet lets criminals do many things
as well: identity theft, raid your bank account, damage your systems, but
more nefariously, use your systems to conduct other crimes. Across the
globe, computers are being utilized without their knowledge to commit
crimes across the ocean.”

Malicious or criminal attacks continue to be the primary cause of data
breaches, with 49% of incidents in the United States involving malicious or
criminal attacks, 19% based on the employee negligence and 32% related to
system glitches, according to a May 2015 study conducted by Traverse City,
Michigan-based consultant Ponemon Institute L.L.C.

“Any organization can be affected by any single one of these attacks,” he
said. “That does not necessarily mean if you spend time to stop one, you're
going to stop all of them. But if you can focus on stopping the malicious
attackers, the steps you take to confront that will help you confront other
issues that may happen.”

Risk managers also have to consider the system vulnerabilities of their
business partners, Mr. Spelman said.

“You may be working with a company that's going to have access to your
sensitive information,” he said. “Are they a target for corporate
espionage? Are they being looked at or investigated by somebody else? These
are key questions to ask.”

Corporate systems may also face cyber threats from “hacktavists” and nation
states, Mr. Spelman said.

“You may not be a target, but your systems can be utilized by a
nation-state actor to attack someone else,” he said.

Several basic steps can be taken to defend against potential cyber threats,
including having information technology staffers check logs to see whether
employees are accessing the company's system at unusual times or from
locations such as China, Mr. Spelman said.

“That's what we call in the industry a clue,” he said. “If you're not
involved with IT, get involved with IT.”

Risk managers should also make a list of all company assets such as laptops
and printers, and ensure systems are configured to require the use of
strong passwords and other protections, Mr. Spelman said.

“Security is much like a healthy body — it does not just happen,” he said.
“You work at it.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160325/7b913512/attachment.html>