LOVELAND — Cybersecurity threats to businesses and individuals are pervasive and require constant attention to avoid major losses.
That was the message delivered by Josh Saunders, senior director of enterprise risk management at Otter Products LLC, who spoke at the annual Flood & Peterson Symposium Friday at the Embassy Suites by Hilton Loveland Hotel Conference Center & Spa. Flood & Peterson Insurance Inc. is an insurance brokerage in Northern Colorado.
Saunders said, for example, that the new robotic vacuum cleaners that people have bought to clean their homes are highly intelligent. “They GPS map your house. They determine the value of your house and the improvements you’ve made, and then they send this information over the Internet and sell the information” to companies that might offer mortgages or home products.
While threats to personal privacy and security were included in his presentation, threats to the ability of companies to do business occupied most of his time.
He said cyber criminals target three major areas of a company:
- Confidential information — secrets of the company or its customers.
- Integrity of a company — the company’s reputation, for example, and whether it is a reliable partner in the marketplace.
- Availability — If employees don’t have their information available, can the company operate?
When Sony Pictures was hacked with ransomware and locked out of its information, the company “went to Office Depot and bought pens, paper and whiteboards” in order to operate and continued to to use those methods for weeks, he said.
Attacks happen in the most simple way, he said, usually by confusing an employee who then shares access to the company network. Ongoing and repetitive training programs are essential to stopping intruders from breaching this point of access, he said.
If a hacker gains access to an employee’s information, the hacker harvests it and the information of anyone connected with that employee.
He said he recently saw in an airport a free cell-phone charging station that used cables with built-in malware. While a phone was charged, data was harvested and sent out over the Internet.
Fax machines, which sit in most offices but are rarely used anymore, are still attached to a company’s network and are a way for hackers to get in.
Printers, especially older wireless printers, can give outside access to a network, too, he said.
Cyber criminals target people who “have the keys to the kingdom,” he said, which would include accounting personnel and executives. Placing executive names and email addresses on company websites gives hackers a target list.
Saunders also cited the recent city of Atlanta ransomware attack. In that case, the hacker had bought the Double Pulsar malware — a weapons-grade malware developed by the National Security Agency and stolen from the agency — and deployed it in the city system using email. It then left the malware to sit idle. The city discovered the malware but didn’t take it seriously until the hacker launched it, in the process shutting down access to information, disabling traffic lights and more.
Saunders recommended a five-point plan of attack to prevent damage to operations.
- Recognize that employees are the weakest link and shore up that point of access with training. Strong password policies that are enforced are important, he said.
- Constantly monitor systems in order to detect as early as possible when an intrusion has occurred.
- Have a plan that includes segmentation of data as well as backups.
- Evaluate the company’s appetite for risk. Prevention and remediation can be expensive, so what level of protection does a company want?
- Then execute the plan — test the plan to determine if precautions put in place will work if they are needed. He quoted boxer Mike Tyson as saying, “Everybody has a plan until they get punched in the face.”
Cyber insurance is part of the plan for Otter and for many companies. Determining the risk and the cost of recovering from a breach are important when determining how much insurance to buy, he said.
Saunders said attacks on companies occur multiple times a day — at least 200 times a day at Otter. “And no one gets caught. These things keep going constantly,” he said.
Personal practices he recommended — for individuals and companies — included:
- Using password vaults, which are secure digital repositories for passwords. While the vault company can be targeted, generally their precautions are superior to those that an individual might use in creating and storing passwords.
- Never, he said with emphasis, let computer browsers store passwords. “That’s boiling water,” he said. Always say “no” when asked because browsers have the weakest security out there, he said. If passwords are already saved in that fashion, open the browser and shut off all options. Reloading the browser anew may be necessary, he said.
- Use multi-level authentication when accessing data on websites. Typically, multi-level authentication involves a password and entering a code that the website will send to a predetermined cell phone as a text.
- Smartphones are the gateway to nearly all systems. Make sure location services are turned off. Keep in mind that depending on options selected, the phone can be listening to what’s going on around, he said. The same is true of personal digital assistants such as Amazon Alexa.