Jacob Stoller is principal of Toronto-based consultancy StollerStrategies. Send comments to editor@on-sitemag.com.
In late October, just in time for Halloween, a Finnish security company, F-Secure, released a study involving the CEOs of 200 of the world’s largest corporations. Results show that 30 per cent have had their log-in credentials exposed, and 81 per cent have had some personal information, such as birthdates, home addresses, and phone numbers, leaked. Only 18 per cent had no information compromised.
These numbers reflect an alarming trend. According to an FBI advisory issued last May, Business Email Compromise (BEC) increased by more than 2,000 per cent between January 2015 and December 2016, resulting in billions of dollars being stolen from businesses.
Hacking, where attackers gain unauthorized access to IT systems, has become the dominant cause of data breaches, significantly outpacing accidental leaks, inside jobs, and lost devices. Theft is the primary motive.
“More data and reliance on data means more incentive to steal it,” says Michael O’Neil, principal analyst of InsightaaS, “Data-related crime pays really well.”
Hackers no longer need a lot of technical expertise, thanks to a robust third-party market in what’s known as the deep web. Here, one can acquire names, passwords, credit card information, “back doors” for breaching firewalls and software applications, and even tools for launching DDOS (Distributed Denial of Service) attacks capable of bringing down a major website. Information of high value is often auctioned off to the highest bidder.
Understanding your weaknesses
The growing frequency of hacking incidents means no company can afford to ignore the risks. Contractors are particularly vulnerable to a widely used method called social engineering. Here, hackers gain access to systems incrementally, that is, by gathering the necessary pieces of information from different sources. Details gathered from overhearing a conversation in a coffee shop, for example, might give a hacker enough information to impersonate an employee and ask for a password.
Contractors are particularly vulnerable because they have a high turnover in their workforce and deal with many suppliers/partners, resulting in many potential information sources for hackers.
Contractors, however, tend to be naive about security risks, notes Charles Cooper, founder and CEO of Huntsville, Ont.-based Muskoka Hydrovac and a former IT executive. For example, receptionists often volunteer details about employees that could lead to an identity theft.
“This is something I notice a lot,” says Cooper. “When I call my suppliers, people often give me far more information than I need. But when I explain the dangers of this to the company owners, their eyes glaze over.”
Another vulnerability is that contractor’s IT networks have many potential access points, including handheld devices, equipment monitoring systems, site surveillance systems, and building management systems. In the widely publicized hack on Target in 2014, for example, a hacker gained network access through an HVAC control system.
Meeting the challenge
One of the least understood aspects of IT security, O’Neil notes, is that the ideal technology solution would be cost-prohibitive for any company, so there will always be risks. As well, security measures often require procedures that employees might find too restrictive. In both cases, senior management needs to decide which risks the company is willing to accept.
“Governance is not the province of the IT department,” says O’Neil. “Governance comes from the board of directors.”
While security needs to vary from company to company, the following practices are suggested as a bare minimum:
Create a company policy of not telling outsiders more than they need to know for business purposes. Staying “tight lipped” is already a habit in industries such as banking – it needs to become one in construction.
Mandate all employees change their passwords once a month. “A lot of people aren’t used to this, but it’s really a no-brainer,” says Cooper.
Keep all software up to date. Many updates are released in order to plug potential security leaks.
Develop a set of security requirements for cloud providers. While large providers like Amazon and Microsoft are well protected, smaller ones, such as the provider of a hosted specialty app, may not be. Intrusion detection and defense against DDOS attacks are two areas to cover.
The key is to always remember that preventing leaks is essentially a people problem. Contractors are pretty good at preventing their trucks from being stolen – at least as much vigilance should be applied to data. And remember – if your systems are compromised, this may affect not only your company, but your customers and suppliers.
