The facts are scary. It takes an average of one year for an organization to restore its reputation after a data breach, according to a recent Ponemon Institute study of 850 executives. Victim organizations lost anywhere from $184 million to more than $330 million in brand value. That amounts to a loss of 12 per cent of the brand's value at best, and up to a quarter of it in some cases.
A talk by Orrie Dinstein at the SCCE Compliance and Ethics Institute in September provided more alarming facts about information security. As Chief Privacy Leader and Senior Counsel for IP at GE Capital Finance, a division of the General Electric Company, Dinstein has global responsibility for data protection-related matters of customers and employees and works closely with the IT and information security teams. He’s in a good position to advise on the dangers of hackers and their increasingly sophisticated methods for stealing data.
Today’s cyber criminals are a stealthy bunch and the threats they pose are significant enough to scare even the most cyber-savvy CEO into taking a hard look at his or her company’s information security policies, explained Dinstein. But it’s not only threats from the outside – such as hacking, phishing and social engineering – that companies need to consider. Danger lurks inside the company walls and the scariest part is that it’s often just one employee’s lack of sophistication or education that can put a company’s network at risk.
One of the biggest threats, he said, is mobility. Employees who connect through wireless devices to unsecured networks, or from unsecured locations, throw open the door to data thieves.
Dinstein scans the available wireless networks at the hotels he stays at. “About half the time I pick up the hotel network and another network that looks really similar. It has a similar name; it can be confusing. Sometimes you don’t know which one is the hotel network. One might be the bad guy who is running a bogus network down the hall or down the street,” he said.
He advises asking for the exact name of the hotel network when checking in and making sure you connect to that one, the correct, secure one, rather than to a look-alike. Many employees aren’t sophisticated enough to do that, he says. “They’ll sit in an airport and look for a signal; they’ll pick up a signal and join.” He described just one of many tools that attackers can use to scan an area and see who is on an open network. From there it’s easy to steal their credentials.
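The check Dinstein describes, comparing what the front desk told you against what the scan actually shows, can be automated. The following is an added example, not code from the talk or from GE Capital: it runs over a constructed scan listing (the SSIDs, BSSIDs and security types are made up) and flags two evil-twin patterns, the expected name broadcast with the wrong security type, and names that only look like the expected one once confusable characters and spacing are folded. The `find_lookalikes` function, the `normalize` helper and the 0.8 similarity threshold are this example's own choices.

```python
import difflib

# Constructed sample scan (not real data): the networks a laptop might list
# in a hotel lobby. The fields mirror what `nmcli dev wifi list` shows.
SAMPLE_SCAN = [
    {"ssid": "HotelGuest",  "bssid": "a4:56:02:11:22:33", "security": "WPA2", "signal": 70},
    {"ssid": "HotelGuest",  "bssid": "a4:56:02:11:22:34", "security": "WPA2", "signal": 55},
    {"ssid": "HotelGuest",  "bssid": "00:13:37:de:ad:01", "security": "OPEN", "signal": 88},
    {"ssid": "Hotel Guest", "bssid": "00:13:37:de:ad:02", "security": "OPEN", "signal": 85},
    {"ssid": "HoteIGuest",  "bssid": "00:13:37:de:ad:03", "security": "WPA2", "signal": 80},
    {"ssid": "xfinitywifi", "bssid": "00:11:22:33:44:55", "security": "OPEN", "signal": 40},
]

# Glyphs that are hard to tell apart on a phone screen: capital I, digit 1
# and pipe all fold to lowercase l; capital O and digit 0 fold to o.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "O": "o", "0": "o"})


def normalize(ssid: str) -> str:
    """Canonical form of an SSID for look-alike comparison."""
    folded = ssid.translate(CONFUSABLES)
    alnum = "".join(ch for ch in folded if ch.isalnum())  # drop spaces, dashes, underscores
    return alnum.lower()


def find_lookalikes(scan, expected_ssid, expected_security, threshold=0.8):
    """Flag networks that could be an evil twin of the expected network.

    Two cases are reported: the exact expected name broadcast with a
    different security type (OPEN where the desk said WPA2), and a name
    that is merely close to the expected one after normalization.
    Several BSSIDs with the right name and security are normal (one access
    point per floor) and are not flagged.
    """
    want = normalize(expected_ssid)
    findings = []
    for net in scan:
        similarity = difflib.SequenceMatcher(None, want, normalize(net["ssid"])).ratio()
        reason = None
        if net["ssid"] == expected_ssid:
            if net["security"].upper() != expected_security.upper():
                reason = "same name, wrong security"
        elif similarity >= threshold:
            reason = "look-alike name"
        if reason:
            findings.append({**net, "reason": reason, "similarity": round(similarity, 2)})
    return findings


if __name__ == "__main__":
    for f in find_lookalikes(SAMPLE_SCAN, "HotelGuest", "WPA2"):
        print(f"{f['ssid']!r:15} {f['bssid']}  {f['security']:5} {f['reason']} (sim {f['similarity']})")
```

On the constructed scan this reports the open `HotelGuest`, the spaced `Hotel Guest` and `HoteIGuest` (capital I for l), and leaves the two legitimate WPA2 access points alone. The name check is only a first filter: an attacker can clone the exact SSID and security type as well, so the durable control is still to treat every hotel or airport network as hostile and route traffic through the corporate VPN.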
Employees are the weak point in any network security policy, said Dinstein. “They are the last line of defense, but the first line of attack. Every company that has ever been hacked has been hacked through an employee,” he said. Whether it’s a phishing attack, malware, scareware, social engineering or cracking a password, there’s always a human angle.
Therefore, training and awareness campaigns should be the first priority when looking at ways to keep a company network secure.
At the most basic level, passwords must be secure. A weak password can leave a network open to an outside attacker. Yet many employees still don’t use strong passwords: study after study has shown the persistent popularity of weak passwords despite the well-known risks, and the problem persists.
It’s understandable. Strong passwords are hard to enter and even harder to remember. It’s not surprising that people gravitate back to the most common passwords, such as 123456 and password1.
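A password policy that only demands "complexity" still lets `password1` and `P@ssw0rd!` through, because the checks look at character classes rather than at the word underneath. The following is an added example, not from the talk: it rejects passwords that are too short or that reduce, after lowercasing, stripping surrounding digits and punctuation, and undoing common leet substitutions, to an entry in a denylist of common passwords. The denylist here is a constructed handful of entries; a real deployment would load a breach-derived list of many thousands (NIST SP 800-63B requires verifiers to compare new passwords against such lists). The `canonical` and `check_password` functions and the 12-character minimum are this example's own choices.

```python
import re

# Constructed denylist (illustrative only): the first few entries of what a
# real deployment would load from a breach-derived list of many thousands.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "welcome", "iloveyou", "admin",
}

# Substitutions people use to dress up a dictionary word: P@ssw0rd -> password
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def canonical(password: str) -> str:
    """Reduce a password to the dictionary word it is built from.

    Lowercase, drop leading/trailing digits and punctuation (password1,
    !admin2024), then undo common leet substitutions. The trailing digits
    are stripped before the leet pass so that password1 does not turn
    into passwordl and slip past the list.
    """
    s = password.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return s.translate(LEET)


def check_password(password: str, min_len: int = 12) -> list[str]:
    """Return the reasons a password is rejected (empty list = accepted)."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # Check both the raw value (catches all-digit entries like 123456, whose
    # canonical form is empty) and the canonical form (catches dressed-up words).
    if password.lower() in COMMON_PASSWORDS or canonical(password) in COMMON_PASSWORDS:
        problems.append("in common-password list")
    return problems


if __name__ == "__main__":
    for pw in ["123456", "password1", "P@ssw0rd!2024", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw) or 'ok'}")
```

Run stand-alone, the script rejects the first three samples and accepts the long passphrase. This is the practical answer to the "hard to remember" problem: a length floor plus a denylist lets people choose memorable multi-word passphrases instead of short strings with mandatory symbols, and a password manager removes the need to remember most of them at all.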
Employees also need to be trained to recognize phishing, social engineering, scareware and spoofing attempts. Awareness is the best defense, and a good cyber security awareness program can help to keep your data safe from all the spooky characters out there who may be trying to trick their way into your network.