Netting the Phish – Keep your business safe from cyber criminals

Hacking got its start in the late 1950s when people realized they could infiltrate telephone systems and communicate with people all over the world. The forefathers of hackers, one of whom used a whistle from a box of Captain Crunch cereal to break into telephone switches, were given the name “phone phreaks”. They networked together over the illegal use of phone lines and eventually at conferences. As Steve Wozniak characterizes it, these hackers were interested in how phone systems worked and even went so far as to impersonate telephone company workers to learn more about them. It wasn’t until the 1990s, with the advent of the internet and the popularity of the PC, that hacking increasingly moved beyond hacking for fun and exploration into the fringes of criminal activity.

As more of the world has migrated from the tangible to the digital, crime has followed suit. Age-old methods of trickery and privacy violation have evolved into methods that are difficult for those not versed in computer science to understand. As criminals have succeeded in compromising data entrusted to government agencies, corporations and small businesses, the urgency with which stakeholders must address these violations has increased. Companies’ reputations, intangible assets and livelihoods are on the line.

The risk of transacting business online can be mitigated by sound IT practices and consistent employee training. A portion of the risk can also be transferred to insurance companies by purchasing one or more types of insurance products. First, however, a company must subscribe to network security best practices and have a disaster recovery plan in place. Insurance underwriters will evaluate companies based on how IT departments secure user access, perform system updates and regulate network firewalls. It is imperative that the data criminals seek to monetize, such as personally identifiable information (PII), intellectual property, credit card numbers, health records and tax returns, be encrypted both in transit and at rest in computer systems. In addition, processes by which money is transferred must be secured by encryption and, ideally, multi-factor authentication (MFA).

Since the weakest link in a company’s network security is usually its employees, it is critical that they receive regular training in how to avoid falling victim to phishing scams and social engineering ploys. If an employee is duped into providing system access to an intruder or is responsible for transferring money, however unwittingly, to an unauthorized account, the likelihood of insurance paying out is reduced. Ensure your employees have the training to spot potential threats early on and are using protocols that minimize the risk of unauthorized transactions.

There are several resources I recommend to businesses and individuals that foster awareness of cyber security and are accessible to all levels of network users. Wombat Security offers interactive teaching games that also assess employees’ knowledge of network security concepts and allow companies to identify where extra training is needed. For basic computer security advice, I recommend reading Brian Krebs’ blog, “Krebs on Security”, and in particular his article entitled “Krebs’s 3 Basic Rules for Online Safety.” Krebs’ work as an investigative journalist who has sought out and met with notorious cyber criminals is also good material for understanding the changing threats in cyberspace. Finally, ensure that a stakeholder in your company is following an organization such as the ISAO Standards Organization, which provides a platform for IT security experts to collaborate and disseminate best practices to combat cyber threats.