Justin Zeefe is a co-founder and Chief Strategy Officer for the Nisos Group. Zeefe spoke with The Cipher Brief about the evolving cyber-threat and how smaller businesses can best protect themselves. His main advice? Make cybersecurity a priority and be proactive about protecting your assets.
The Cipher Brief: It seems like cyber-incidents are becoming both more common and more damaging. Is that the case, and if so, what do you believe to be driving this trend?
Justin Zeefe: It is less of a trend than it is a linear and predictable evolution. If you understand that profit-driven actors perpetrate the vast majority of cyber incidents, their increased investment and efforts are a clear and natural result – a desire to maintain and increase their return on investment in the face of ever more sophisticated defensive measures. Simply put, as the low-hanging fruit (personal financial records and the like) gets pulled up into the tree, the threat actors not only build a taller ladder but also work to understand how to profit off the tree itself.
To continue the analogy, an improved defensive posture has also made it more difficult for the threat actors not only to steal the fruit but also to sell it at market. This has had two primary consequences. First, it forced criminals to collaborate and encouraged the formation of a highly professional online cottage industry to facilitate these acts. In parallel, they’ve become affiliated with sophisticated and well-established organized criminal elements, which previously trafficked trucks full of cigarettes but have discovered the risk is lower and the ROI is higher when dealing in digital theft.
Secondly, an improved defense posture has encouraged the threat actors to seek other means of profit besides stealing and selling the fruit. Ransomware (generally the act of holding access to a company’s data or services hostage in exchange for payment) is a rapidly growing and very profitable tactic within this model (165 percent increase in 2015). So long as the solution market focuses on addressing the symptoms (crimes) and not the causes (people), the advancement in defensive solutions will actively drive the development of more sophisticated, and damaging, incidents.
TCB: Many small and medium-sized businesses feel like they are too small for hackers to notice, but many experts have said that this is rarely the case. How can smaller businesses better gauge their risk in the cyber arena?
NG: Most malicious criminal actors focus on targets of opportunity, not targets of interest. That your door is unlocked is more important than what your house looks like or what is inside. They pilfer the data, aggregate it with hundreds or thousands of similar databases, and then resell to brokers/resellers. For instance, you think nothing of using your work email address to certify eligibility through your gym’s corporate program, much like your gym thinks nobody would be interested in their unsecured password files.
Or the criminals simply lock your systems and force you to pay for the key. These actors, like us all, have a fixed number of hours in a day, overhead, deadlines, and the rest. If they have a list of 500 companies on their target list, and they could steal from 20 other companies in the time it would take to pick your lock, they will (generally) pass you by.
Other attack vectors don’t require network intrusion; phishing campaigns are a cheap and highly effective method for socially engineering a payday for the attacker. If they send out 200 emails with the aim of facilitating a fraudulent wire transfer (under the guise of a legitimate approval to employees able to process them), only one need be successful for the effort to be worthwhile; that you’re a small company is of little consequence to them. If you need proof, look no further than the FBI’s report, which found that $1.2B was stolen from businesses through this very technique from October 2013 to December 2014 – a 270 percent increase from the prior year.
Once the argument of “why would anyone want to attack a small business like mine” is eliminated, the issue becomes how to gauge the risk. This requires an organization to understand its key risk factors and crown jewels. What data do they hold which, if lost or made public, would be most damaging? Is it a business which thrives on reputation above all else (Ashley Madison), or is it a massive retail company which can survive a punch to the gut (Target)? How is data shared with third parties or vendors? Does the company process information which is valuable enough on its own that it would attract dedicated interest from an attacker? These factors change the risk profile and thus the steps an organization should undertake.
The solution, for now anyway, is not to outrun the bear but rather to outrun the other hikers.
TCB: What are common mistakes that small businesses make in their approach to cybersecurity? How can these mistakes best be avoided?
NG: Among the several common mistakes, one stands out: willful ignorance of the issue. Although developing quickly, the regulatory and legal landscape is still nascent, leaving many companies to believe that they aren’t at risk, or to kick the can down the road, not understanding their vulnerability. Or they focus on compliance, which, while a nice benchmark, does nothing to substantively protect an organization’s financial or reputational bottom line.
Further, cybersecurity should be elevated to management’s purview alongside all other substantive forms of enterprise risk, not compartmented under IT or security.
TCB: It seems like most cybersecurity solutions are geared towards large companies, leaving small and medium-sized enterprises vulnerable to cyber-criminals and hackers. What options are there for smaller businesses that want to protect themselves, but have more limited resources?
NG: Luckily for most companies, the steps most likely to prevent an incident are also the most cost-efficient, and many of them can be implemented internally. Among the most important steps are:
- Prioritize cybersecurity. Address it in the boardroom.
- Strengthen password requirements. Many breaches occur due to compromised credentials, usually because an employee used the same corporate email address and password on a less-secure website whose password tables were compromised. Set a policy that the passwords used on the corporate domain may not be used elsewhere.
- Patch management. Ensure your network is constantly up-to-date to protect against known exploits, which are among the first things a malicious actor will attempt.
- Institute an application whitelist and manage remote network access. Control which programs have access to the corporate network and ensure two-factor authentication for all remote-based activity.
- Stress test the enterprise. Rather than waiting for adversaries to break into your network, you should conduct stress tests to first secure the “crown jewels”, and all important information. Automating your cybersecurity processes is wholly insufficient to protect your information.
- Audit third-party relationships. Many companies store and share sensitive data with third parties; your data is only as secure as those parties’ networks. Ensure that you understand your partners’ security procedures, and the value of the data you choose to share. When possible, share less.