The growing threat of cyber security and why you can never pay enough attention to it.
Recently, Datafaction and City National Bank held a series of regional cyber security events across the country. As you can imagine, interest and engagement at these events were high, as they should be. In 2016, PwC’s Global State of Information Security Survey found that there were 38% more security incidents detected in 2015 than the year before. The problem is only getting worse. Firms and individuals face new challenges daily. Unfortunately, the number of incidents and their sophistication have only grown since then.
Cyber security “events” have shifted over time, and the traditional approach to cyber security may no longer be good enough. While firms over the past few years have implemented perimeter-oriented controls aimed at securing data and the back office, bad actors have shifted to softer targets and social-engineering-based hacking.
The recent Mar-a-Lago incident, with the Chinese national arrested with pockets full of cell phones and USB drives, is an example where bad actors have shifted away from a hard target like the White House to a softer target such as a resort that is open to the public. The same is happening with firms and families as bad actors shift their focus from corporate entities to the homes and personal devices of wealthy executives.
The other big shift is towards social engineering. While a firm’s computer systems may be protected against external attacks, criminals are targeting employees and individuals with spear phishing and whaling attacks to gain access to systems and get them to reveal sensitive information. An executive’s home may be a softer target than their corporate office and as such is more vulnerable to attacks through its Wi-Fi. Individuals using public Wi-Fi are even more at risk. The elderly are particularly vulnerable to social engineering.
For firms, cyber security is no longer strictly an IT issue. It is also a human resources issue. Employees need training on how to identify possible attacks and what they should and should not do. Firms need to update their procedures and protocols on what to do when one of their clients gets hacked. It’s important that firms have established playbooks for these scenarios before they happen, so they are not scrambling to figure out what to do in times of crisis.
While it is impossible to totally eliminate the threat of cyber security events, firms and individuals can take the necessary steps to make attacks more difficult, and as such, bad actors may move on in search of softer targets. Prevention is important, but firms should also prepare for the event that they or one of their clients gets hacked. Cyber security prevention is not a set-it-and-forget-it issue. Firms need to be constantly updating their technology and people, all the while testing both.