Information security is key in internal control at small and midsized organizations now and in future years, according to recent research from Thomson Reuters.
In fact, “IT security concerns permeate internal control at even the smallest corporations,” according to a new Thomson Reuters report How Small and Mid-Size Entities Can Protect Themselves from a Cybersecurity Breach.
“Modern organizations rely on their information systems to conduct nearly all their business; any weakness in information security places the entire organization in peril,” according to the report. “Organizations suffering a security breach not only encounter internal disruption, but may also be subject to government penalties, industry fines, consumer lawsuits, and, most of all, reputation damage.” (Target, for instance, had to pay $18.5 million to settle lawsuits brought in 47 states and the District of Columbia involving a data breach in late 2013.)
But it’s not just about the bucks to be paid out. The study contends that “the key concern for an organization is that an IT failure, no matter how small, compromises the entire system and enables a hacker to access the application software and source data.”
Indeed, “many systems and organizations still get infected by users clicking on an attachment to an email, or by users sharing passwords,” the study contends. “A recent study by Willis Towers Watson found that nearly 90 percent of all cybersecurity breaches were caused by some type of human error or behavior.
“Companies of every size constantly struggle to defend themselves against hackers around the world intent on stealing identities, payment card information, and intellectual property, and manipulating the firm’s systems to generate fraudulent payments. These malefactors can also penetrate the firm’s IT environment to set up fake vendors in the payment system, email invoices (from employees’ email accounts as attachments) and then email invoice approvals — using account coding from yet other employee email accounts.”
What’s more, the crooks may duplicate the firm’s processes in order to trick the firm into transferring large cash payments directly to the criminals. “In this evolving, sophisticated hacking environment, every system exposed to the internet or other external interfaces must be protected against digital intrusion,” according to the report. “Proper security must include user education and the application of preventive, detective, and reactive controls.”
So who are these hackers?
The Thomson Reuters report describes them this way:
• “Black hats” seek to steal information or otherwise compromise entities’ information security. They get data through the illegal compromise of neglected, poorly designed, or under-protected systems. They’re often in the news, spreading malware or stealing financial information, personal information and login credentials.
• “White hats” want to protect entities’ information security. They often are tech security experts, and work to find security weaknesses.
• “Gray hats” do hacking that may violate the law but they aren’t malicious.
• “Hacktivists” are social activists, such as Anonymous, who hack websites to advance a social, political, or religious angle.
Hackers have proven adept at bypassing company defenses and gaining access to company systems; often, that access comes through email.
Hacking isn’t particularly tough to thwart. As the report states, “People are their own worst enemies and many use similar passwords, according to Fortune.com.” As of late 2017, the top two passwords of all time were “password” and “123456.”
Here’s how it works, the report states: “Hackers will then identify the number of failed login user attempts that lock the account and the time period for attempts-to-lockout. They will set their program to stop at one try less than the lockout, wait the allotted time, then try again. A single computer will simultaneously attempt this on many accounts and many computers at the same time.
“For example, many firms use the first letter of employees’ first names and the first seven to ten characters of their last names followed by the firm’s domain name. Picture thousands of computers simultaneously attempting to log in to thousands of user accounts using usernames either easily found or deduced, for example, by searching a social media site like LinkedIn, which provides the names of real individuals and their associated companies. Such attacks are known as advanced persistent threats (APTs).”
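One defensive check that follows from the pattern the report describes, added here as an example and not part of the report or this article: because the attacker stops one try short of lockout on each account, per-account lockout alerts never fire, so the detector below groups failed logins by source address and flags a source that has left several accounts just under the threshold without ever succeeding. The log format, account names and addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log, format "<ISO time> <RESULT> <account> <source IP>".
# 203.0.113.10 probes three accounts four times each (lockout is five), then stops;
# 198.51.100.7 is a real user who mistyped twice and then logged in.
SAMPLE_LOG = """\
2017-11-02T08:00:01 FAIL jsmith@example.com 203.0.113.10
2017-11-02T08:00:02 FAIL jsmith@example.com 203.0.113.10
2017-11-02T08:00:03 FAIL jsmith@example.com 203.0.113.10
2017-11-02T08:00:04 FAIL jsmith@example.com 203.0.113.10
2017-11-02T08:00:05 FAIL mjones@example.com 203.0.113.10
2017-11-02T08:00:06 FAIL mjones@example.com 203.0.113.10
2017-11-02T08:00:07 FAIL mjones@example.com 203.0.113.10
2017-11-02T08:00:08 FAIL mjones@example.com 203.0.113.10
2017-11-02T08:00:09 FAIL alee@example.com 203.0.113.10
2017-11-02T08:00:10 FAIL alee@example.com 203.0.113.10
2017-11-02T08:00:11 FAIL alee@example.com 203.0.113.10
2017-11-02T08:00:12 FAIL alee@example.com 203.0.113.10
2017-11-02T08:01:00 FAIL rpatel@example.com 198.51.100.7
2017-11-02T08:01:05 FAIL rpatel@example.com 198.51.100.7
2017-11-02T08:01:20 OK rpatel@example.com 198.51.100.7
"""

def parse_log(text):
    """Yield (time, result, account, ip) from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, result, account, ip = line.split()
            yield datetime.fromisoformat(ts), result, account, ip

def find_spray_sources(text, lockout=5, window=timedelta(minutes=30), min_accounts=3):
    """Return {ip: [accounts]} for sources that left at least min_accounts
    accounts just below lockout inside one window, with no success on any of
    them.  No single account ever locks, so the signal is only visible per source."""
    fails = defaultdict(list)   # (ip, account) -> failure timestamps
    succeeded = set()           # (ip, account) pairs that eventually logged in
    for ts, result, account, ip in parse_log(text):
        if result == "FAIL":
            fails[(ip, account)].append(ts)
        else:
            succeeded.add((ip, account))
    near_miss = defaultdict(list)
    for (ip, account), times in fails.items():
        n = sum(1 for t in times if t - min(times) <= window)
        # one or two short of lockout: the "stop at one try less" pattern,
        # with a little slack for an attacker who leaves extra margin
        if lockout - 2 <= n < lockout and (ip, account) not in succeeded:
            near_miss[ip].append(account)
    return {ip: sorted(a) for ip, a in near_miss.items() if len(a) >= min_accounts}
```

Raising the lockout threshold alone does not defeat this; the detector keys on the count being just under whatever the threshold is, so keep the `lockout` argument in step with the real policy.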
So what’s the lesson for small firms?
They “must understand that APTs are playing the long game,” the report states. “The goal is usually not merely to hack a company’s system once and steal a list of credit card numbers or intellectual property, but to achieve that same objective systematically and, conceivably, forever.”
Every firm should document the information it has, where it is kept and how it is protected. This information includes:
• Email addresses
• Names of employees and their personal information such as phone numbers and addresses
• Any personally identifiable information, which includes customer lists and customer purchase history
• Personal health information, which is also subject to state and federal laws
• Credit card, bank account and other payment information
• Intellectual property of all types related to the firm’s business
• Financial, sales, and any other business information subject to SEC disclosure rules
• Any other data that is unique to the firm, the disclosure of which could impair the firm’s competitive advantage or grant any other firm or country unique knowledge not otherwise obtainable
About Terry Sheridan
Terry Sheridan is an award-winning journalist who has covered real estate, mortgage finance, health care, insurance, personal finance, and accounting and taxation issues for newspapers, magazines, and websites. A Chicago native and former South Florida resident, she now lives in New England.