By the time the average data breach is detected by an organization, hackers have already been in the system for 256 days on average and have gleaned enough information to determine the company’s financial breaking point and how much it can stand to lose without going under.
In business, time is money. So when a cyberhacker hits, who does the company call? Does it have protocols in place?
These were some of the questions addressed during an Oct. 12 panel discussion at Providence Business News’ 11th annual Cybersecurity & Tech Summit at the Crowne Plaza Providence-Warwick, where attendees were told to think hard about their cyber defenses, or lack thereof.
The panel was moderated by Normand Duquette, senior vice president of Starkweather & Shepley Insurance Brokerage Inc.
Linn F. Freedman, attorney and chair of data privacy and cybersecurity at Robinson & Cole LLP, said the first reaction of many of her clients when thinking about cyber defense is a vow never to negotiate with criminals. But 99% of victims end up paying ransoms, which now exceed $1 million on average, she said.
It’s not a question of whether your company will be targeted, according to the panelists.
“They are looking through our data profiles online and making dossiers on us,” Freedman said. And they’re preying on human emotions.
Freedman said every organization should have an incident response team. And once in place, test it and work to improve it. There is a vast difference between cybersecurity and cyber resiliency, the latter being the ability to bounce back after security fails.
“You don’t want to be learning when you are in the middle of a chaotic ransomware attack,” Freedman said.
While ransomware – used by hackers to extort businesses and other organizations by locking them out of their own data – remains a problem, email phishing attacks more than doubled in 2023, according to the latest Verizon Data Breach Investigations Report.
Douglas Tondreau, an associate professor of computer science at Johnson & Wales University, said companies need to engage employees in simple tasks that can cut down the chance of a breach.
“Read the email 10 times,” he said. “Especially if it pertains to financial transactions.”
Robby Gulri, an engineering solutions expert with the Cox Communications Inc. subsidiary RapidScale Inc., said one way to plug vulnerabilities is by improving communication between the technologists and the executives in your organization.
“There is a language gap,” he said. “It’s on us as technology professionals to communicate in a way that makes sense, that is business-outcome-oriented, not just providing a list of 36,000 vulnerabilities.”
Freedman has watched hacking groups evolve from lone-wolf renegades into sophisticated teams that are part organized crime, part illicit commercial enterprise, oftentimes backed by rogue nation states and employing a corporate model that can border on the absurd.
Many have top-down management and delegated authority. Freedman recounted one anecdote in which an executive negotiating a ransomware demand was told by the hacker, at one point, that he needed authority from an upper manager before accepting the ransom demand.
While businesses might invest heavily in technological defenses, what often trips them up is falling for what is known as “social engineering” operations, which make up more than 50% of cybersecurity incidents.
Rick Norberg, CEO of information technology firm Vertikal6 Inc., said educating employees about evolving threats, from the human resources manager to the C-suite, is paramount.
“It’s about having a comprehensive plan,” he said. “And it has to be something you are constantly evolving towards.”
Tondreau said one tactic he uses to keep clients on their toes is to “educate them without them knowing,” sending a fake email to see if they’ll click.
And if they fail the test?
“I won’t embarrass them,” he said. “I’ll just have [an instructional] video for them to watch before they can access their email again.”
One reason phishing emails are so successful is that the receivers are sometimes ashamed they were so quick to open an email without first scrutinizing its appearance.
Business leaders need to foster a unified workplace culture where everybody plays a part, not relying solely on information technology departments.
“Everybody needs to understand they are responsible for the well-being of the company,” Freedman said.
And technological innovation will create more ways for criminals to find a way in, a fact made clear by the endless applications available through artificial intelligence.
Norberg related the story of when one of his developers fed a clip of his voice, taken from a local AM radio interview posted on YouTube, into AI software. That software was able to fake Norberg’s voice.
“In 40 seconds, I was asking some of my staff for gift cards from Walmart,” he said of the fake. “There is a multilayer posture you have to take in education as a holistic approach.”