I just attended a seminar on CyberSecurity given by David P. Weber, JD, CFE. Mr. Weber was formerly the Assistant Inspector General for Investigations at the U.S. Securities and Exchange Commission, and is now a Professor and Academic Director for the Fraud Management Programs at the University of Maryland Robert H. Smith School of Business.
His watchwords were a modification of Ben Franklin's (apropos, since this is the July issue): there are now three certainties in life: Death, Taxes and being a victim of CyberTheft.
You can spend the money now to prepare for, protect yourself against, and mitigate the outcome, or wait until the inevitable happens and suffer far greater consequences.
With the recent 47-state consent decree between the States and Target, a new “norm” or benchmark has been created for what companies need to do to show they were prepared.
Failure to show that you lived up to this “norm” will have grave consequences, from insurance companies outright refusing claims to affirmative defense by plaintiffs when they bring suit in a court of law. And you know you will be sued!
You will be hacked!
As I said earlier, according to Mr. Weber, you will be hacked. Whether they break through your firewall, through the firewall of a SaaS-based vendor, or it is an inside job, you’ll be hacked.
An example was one of our clients. We were acting as the interim controller. Our consultant had been there less than a week when he got an email requesting that money be wired to a vendor. The email was allegedly sent by the CEO.
Our consultant, who was sitting in the same area as the CEO, and who had no ability to write or authorize any money transaction, just asked the CEO. The reply was “they got to you that fast!” Interesting that they used Office 365. Catastrophe averted... this time!
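The story above is a classic executive-impersonation wire request, and the consultant did the right thing by checking out of band. The following Python is an added example, not the author's code or anything from the seminar: it scores a raw e-mail against three indicators a mail gateway or finance team can check before money moves (an executive's display name on a mailbox outside the company domain, a Reply-To that diverts replies elsewhere, and payment language in the body). The domain `example.com`, the executive names, and both sample messages are constructed assumptions for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation data (constructed for this example, not from the post).
INTERNAL_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe", "john roe"}

# Words that usually accompany a request to move money.
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|payment|invoice|urgent|gift cards?)\b", re.IGNORECASE)


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an e-mail address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw: str) -> list[str]:
    """Return the reasons a message should be verified out of band before any money moves.

    An empty list means none of the three indicators fired; it does not prove the
    message is genuine, so the business rule (no wire on e-mail alone) still applies.
    """
    msg = message_from_string(raw)
    reasons: list[str] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. The display name is an executive's, but the mailbox is outside our domain.
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_domain != INTERNAL_DOMAIN:
        reasons.append(
            f"display name '{from_name}' matches an executive but sender domain is '{from_domain}'"
        )

    # 2. Reply-To points somewhere other than the From address, so replies are diverted.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        reasons.append(f"Reply-To '{reply_addr}' differs from From '{from_addr}'")

    # 3. The body asks for money to move (single-part text messages only, for brevity).
    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = sorted({m.lower() for m in PAYMENT_WORDS.findall(body or "")})
    if hits:
        reasons.append("payment language in body: " + ", ".join(hits))

    return reasons


def needs_out_of_band_check(raw: str) -> bool:
    """True when at least one indicator fired: pick up the phone or walk over, as the consultant did."""
    return bool(assess_message(raw))


# Constructed sample messages (not real mail).
BEC_SAMPLE = """\
From: Jane Doe <jane.doe@mail-example.net>
Reply-To: Jane Doe <jd.office@mail-example.net>
To: controller@example.com
Subject: Quick request

Are you at your desk? I need a wire sent to a new vendor before my meeting. Urgent.
"""

GENUINE_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
To: controller@example.com
Subject: Thursday

Can we move the budget review to Thursday afternoon?
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("genuine", GENUINE_SAMPLE)):
        print(label, assess_message(sample))
```

Run as-is and the constructed BEC sample trips all three indicators while the genuine note trips none. The indicators are deliberately cheap to compute from headers and body alone; the real control is the procedure the story illustrates, which is that a payment request is confirmed with the requester through a channel the e-mail did not supply.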
Who is going to hack you?
Odds are it will be from the inside. It may be with malice aforethought, or just someone who got sloppy. It may be that you didn’t spend the time and money to train your staff on what not to do in the IT realm.
Examples are plugging in unknown USB drives or opening just any e-mail attachment. Anti-virus software won’t know about the latest and greatest virus, so assuming it does is not a safe assumption.
Do you have a plan?
Do you have a plan on protecting your infrastructure? Is your plan benchmarked to similar types of organizations? Did you test your plan? Do you test it on a regular basis? Is every employee trained on CyberSecurity so they don’t become a victim, personally or for the business?
Do you back up offsite? Is the backup at least hourly? Do you patch all your computers and servers daily? How do you handle legacy systems and computers? The recent WannaCry malware was extremely successful in Europe and Asia mainly because those countries have a culture of either not adhering to IP laws, so they run bootleg copies of software, or of not applying patches. Here in the US there were very few instances of WannaCry, because we do update our software.
If you have Windows 95 machines, stop using them!!!!
In the final analysis
The list of what you should, could, and actually do is based on a full analysis of your information technology structure, your budget, and the level of risk aversion you believe in. Remember: YOU WILL BE HACKED!