Today, cybercrime is one of the greatest threats facing our country, and mitigating its risks in corporate information management is essential. Companies need to apply cyber threat intelligence at every level of the organization to reduce the likelihood and impact of an attack. Marc Scarborough, Rice University's information security officer, and Carlyn Chatfield, Rice's manager for IT technical communication, will conduct a one-day workshop, Strategies for Reducing Cyber Risk in Corporate Information Management, where you will learn about current trends and emerging cyber threats targeting organizations big and small. Below, Scarborough answers a few questions about cybercrime and how companies can protect themselves.
What are the most common cybersecurity attacks a company might encounter?
Passwords account for many attacks against organizations. Attackers often use tactics such as phishing and other social engineering to obtain a set of network credentials, hoping to use those to gain access to accounts with more access, such as IT administrators or VIPs. Even in organizations that have a sound password strategy, attackers know that accounts for contractors or other third-party consultants and partners are often ignored or have exceptions for password changes and complexity requirements.
Employees with access to sensitive information also pose a risk, often in a non-malicious way. Many data leaks are accidents from people who simply make mistakes. Others come from disgruntled employees, employees who still have access after being let go, or employees who take sensitive information with them when they leave.
What can companies do to prevent cybersecurity attacks?
Internet-facing sites and services must be protected. Beginning with a secure build process, systems should undergo a basic vulnerability assessment before going live. Assessments should continue at some frequency and after any significant change. Proper change management is also a must, ensuring changes to the system are vetted and approved. In addition, critical systems should go through penetration testing at least annually.
Contractors and those in other third-party organizations should follow at least the same level of information security as the employees of the company. Cloud services should be investigated before any contracts are signed to ensure compliance and proper adherence to best practices in information security.
Good, sound policies should be developed and advertised throughout the organization with ongoing training provided to make sure the information security goals of the company are clear and well-understood. Awareness should focus on developing good habits for employees to follow both at work and at home.
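The answers above point at two account-hygiene gaps that are easy to check mechanically: third-party accounts that carry exceptions to password-expiry rules, and accounts that remain enabled after the person has left. The following script is an added example written for this page, not code from the workshop or from Rice University. It assumes a constructed CSV export of directory accounts with the columns shown; pulling the equivalent fields from a real directory or HR feed is left to the reader, and the sample rows are invented.

```python
"""Account-hygiene audit (added example, not from the original article).

Assumes a constructed CSV export with these columns:
username, account_type, enabled, password_never_expires, last_password_set, hr_status
"""
import csv
import io
from datetime import date, datetime

# Constructed sample export; the usernames and dates are invented for illustration.
SAMPLE_EXPORT = """\
username,account_type,enabled,password_never_expires,last_password_set,hr_status
jdoe,employee,true,false,2014-03-01,active
asmith,employee,true,false,2013-02-14,active
vendor_svc,contractor,true,true,2012-06-01,active
bwalker,employee,true,false,2014-01-10,terminated
consult1,contractor,true,false,2013-01-05,contract_ended
itadmin,employee,true,true,2013-12-20,active
"""

# Assumed policy values: 90-day rotation, and these HR statuses mean "departed".
MAX_PASSWORD_AGE_DAYS = 90
DEPARTED_STATUSES = ("terminated", "contract_ended")


def parse_export(text):
    """Turn the CSV export into typed dicts so the rules below stay readable."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"],
            "account_type": row["account_type"],
            "enabled": row["enabled"].strip().lower() == "true",
            "password_never_expires": row["password_never_expires"].strip().lower() == "true",
            "last_password_set": datetime.strptime(row["last_password_set"], "%Y-%m-%d").date(),
            "hr_status": row["hr_status"].strip().lower(),
        })
    return rows


def audit_accounts(rows, today, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return {username: [findings]} for every enabled account that breaks a rule.

    The same rules are applied to employees and contractors alike; the point of
    the check is precisely that third-party accounts get no quiet exceptions.
    """
    findings = {}
    for acct in rows:
        if not acct["enabled"]:
            continue  # a disabled account is not a live risk for these rules
        issues = []
        if acct["hr_status"] in DEPARTED_STATUSES:
            issues.append("enabled after departure")
        if acct["password_never_expires"]:
            issues.append("exempt from password expiry")
        else:
            age = (today - acct["last_password_set"]).days
            if age > max_age_days:
                issues.append(f"password {age} days old")
        if issues:
            findings[acct["username"]] = issues
    return findings


def run_audit(export_text=SAMPLE_EXPORT, today=date(2014, 5, 2)):
    """Convenience entry point: parse the export and audit it as of `today`."""
    return audit_accounts(parse_export(export_text), today)


if __name__ == "__main__":
    for user, issues in sorted(run_audit().items()):
        print(f"{user}: {'; '.join(issues)}")
```

Run against the sample data as of May 2, 2014, the audit flags the two contractor and admin accounts exempt from expiry, the two departed users whose accounts are still enabled, and one employee with a stale password, while the compliant account produces no finding. In practice the export would come from the directory on a schedule, and each finding would become a ticket for the account owner.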
What cybersecurity trends do you foresee in the future?
Obviously we see more services being offered in the cloud. Several existing services that many companies depend on now only have cloud-based offerings. Cloud services can be a compelling option for many companies, especially small to medium-sized businesses. Not all cloud companies are the same, however, and companies should be careful to select a provider that provides an appropriate level of security for the kind of data they store and the service they provide. Companies should also ask important questions before signing a contract. For example, what happens to the data if the company goes out of business or if a contract isn't renewed? Which party is responsible if there is a breach? What security precautions are taken at the facility that houses the data?
We also see more than just the proliferation of mobile, smart devices. We see more people blending their personal and professional lives. Sites like Facebook and LinkedIn provide rich opportunities for attackers to learn about companies and the employees who work there. Attackers know that many people use the same password for everything, and know that if they compromise someone's LinkedIn password they probably have their corporate password. Services like Dropbox are also making their way to corporate desktops and personal devices. They allow for easy access to data but can bleed it unintentionally through sharing or unprotected devices. These services can also allow access to corporate resources after someone leaves if the client is still installed on the company system.
Join us on Friday, May 2, 2014, for this one-day workshop. You will leave with a toolkit for initiating and implementing an information security plan and an employee awareness campaign, both customizable for your company.