Speaking Wednesday at the EuroFinance International Cash & Treasury Management Conference in Miami, Goldfarb stresses that only so many attacks can actually be prevented. Corporate treasurers need to accept that eventually, hackers will slip through their company’s protections. The companies that can recognise and respond to those attacks are the ones that are truly in the best shape.
For about 20 years, security continued along the same path of progression, notes Goldfarb. It has recently undergone an evolution in how it approaches threats. Security experts are now looking beyond attempts – often futile – to keep hackers completely out of the system. Antivirus software is only successful at stopping about 23% of attacks.
“You can’t focus entirely on prevention, because the hackers will find a way in. So when they do, we have to be able to detect that they’ve gotten in rather quickly and then respond,” Goldfarb says.
Understand the Attack
If a hacker is going to breach your organisation, the first thing they will do is gather all the information they can on it. “For example, maybe I’ll set up a rogue wi-fi access point in the hotel, so that when the conference organiser tells you to put your cell phones on wi-fi, I’ll just collect all the information you’re sending each other back-and-forth,” says Goldfarb. “That’s a great way to get it.”
Hackers may also look up profiles on LinkedIn, Twitter and other social media sites to gather data on a company’s employees. The more people have a presence online, the easier it is to get information on them. Goldfarb notes that he has a big presence online, and because of that, he gets hit frequently with phishing emails. It can be difficult, even for a security professional like him, to detect which emails he’s getting are the dangerous ones. “If it’s hard for me, it’s going to be hard for people who aren’t technical,” he warns.
Hackers understand this, and they perform reconnaissance, much like the military does when it compromises and penetrates an enemy.
Fortunately, the more we know about how attacks work, the more clues we can find. Attackers leave evidence on the network as to what they’re up to. “We can use this evidence for detection and response,” Goldfarb says. “If we’ve properly architected our security telemetry systems – systems that gather information for monitoring and auditing purposes about what’s going on across our enterprises – we can use this information to detect that hackers have gotten into the network.”
Another step that businesses can take is doing a better job of segmenting their networks. Those that don’t are putting data at risk. “For example, someone who works in human resources – although he or she may not have an account on a system that processes financial information – likely has a network route,” says Goldfarb. “They have access to that system through the internal network.”
In many incidents, such as the infamous 2013 breach at US retail chain Target, hackers get in through a third party heating and air conditioning contractor. “The contractor had access to the retail stores’ networks,” Goldfarb notes. “What they forgot to do was segment the point-of-sale (PoS) machines from that heating and air conditioning network.”
The attackers figured out that they could compromise the third party contractor, because that is much easier than compromising a multinational corporation (MNC) directly. “They hopped from the heating and air conditioning network right over to the PoS terminals and stole credit card information,” says Goldfarb.
The Costs of Inaction
Cyberthreats can significantly impact a company’s bottom line. The average cost to clean up a breach is about US$3.5m, but that is just the tip of the iceberg.
In the short term, obviously, a breach will have a negative impact on a company’s valuation. Additionally, customer shopping habits may change due to an incident. Even if a retailer’s customers continue to shop at their stores post-breach, they may be inclined to pay with cash instead of credit cards. People who use cash typically spend less, which hurts profits.
As far as long-term consequences, a breach could result in the loss of intellectual property. Several years ago, a major defence contractor was compromised, resulting in the theft of plans of an attack helicopter. “That was millions and millions of dollars of US Department of Defence research and development taken within the span of a few months,” notes Goldfarb. Additionally, there could be serious legal repercussions, as businesses like Target found out the hard way.
He believes that the days of amateur cyberattacks launched by teenagers in their parents’ basements are over. This is serious criminal activity; in some cases nation-state activity. “These guys have tons of money and they evolve their skills continuously,” he says. “Hackers treat hacking like a business function; we ought to treat detection the same way.”
Europe’s introduction of the General Data Protection Regulation (GDPR) next May will have implications for businesses around the world and US corporates should start getting ready if they haven’t already done so.
The recent NotPetya cyberattack underlined the need for organisations to address their exposure and how to mitigate the risk.
For companies to survive the intense competition, the only way is to make better use of information gathered from the business process.
Accidental data breaches are causing almost as much concern as the steady rise in ransomware attacks, reports insurer Beazley.