Take Steps to Safeguard Your Cyber Security 4/07/14 03/06/14 11:43:32 PM
Nebraska Attorney General Jon Bruning, addressing a seminar at Holmes Murphy & Associates, said cyber crime has become a major concern because of the growing importance information technology now plays in daily life. – Photo courtesy of Holmes Murphy & Associates
By Dennis Friend
The Daily Record
The facts about cyber crime can be unnerving.
The average cost of a data breach is $200 for each compromised record.
Many company resources are needed to comply with legal requirements of a data breach.
Maybe worst of all, customers lose trust in the organization that fell victim to the breach, resulting in irreparable reputational damage.
That’s the assessment of Holmes Murphy & Associates, and that’s why the insurance brokerage firm held a February 27 seminar on “Cyber Crime: Protecting Your Organization Against Data Breaches.”
Cyber crime can be described as any criminal act involving a computer and a network, and “cyber crime affects virtually every business, regardless of the industry or the size,” according to Cameron Burt, Holmes Murphy vice president. “Since it’s an emerging risk, we want to build a common understanding of the risk.”
Nebraska Attorney General Jon Bruning told the gathering – which included Holmes Murphy associates as well as people from manufacturing, banking, publishing companies, real estate and health care professionals – that cyber crime is an evolving threat, and has become a major concern because of the growing importance information technology now plays in daily life.
“We had 25 data breaches last year which affected nearly 40 percent of the population” or about 730,000 Nebraskans, Bruning said.
Cyber crimes and data breaches can involve the theft of financial information. A report by the security company Symantec has identified credit cards and bank accounts as primary targets. (Other forms of cyber crime like cyber bullying may not be financially motivated.)
Bruning said Nebraska enacted a law in 2006 to protect data and in 2008 distributed a “best practices” list for protecting personal information.
To secure data effectively, Bruning said, “know where you keep information, make sure it’s protected and know how you dispose of it.”
While early cyber crime efforts may have been motivated by individuals looking for fame or notoriety, today’s cyber criminals are generally looking for money and operate like a mafia. For example, the destructive Storm botnet is attributed to the group known as “the Russian Business Network.”
Under Nebraska law, Bruning said, “You have to notify affected Nebraska residents” if your business data has been breached. Statutes vary from state to state, he added, but, “We want to reach out to affected consumers” when it comes to identity theft. Nebraska law also affects “biometric data like fingerprints,” Bruning said.
There are steps business owners can take.
“It’s important to educate yourself. Get prepared up front with a security plan,” Bruning said.
These steps include: controlling access with a strong password; making it clear that no one is to click on an unknown link; encrypting sensitive information; keeping information online only as long as needed; and shredding old documents.
“If your network is compromised, disconnect your computer,” Bruning warned. “Investigate data losses and notify consumers if data has been breached.”
Large or small, the size of the business doesn’t matter – all data breaches must be reported.
“We’re not trying to play ‘gotcha.’ We want to help,” Bruning said. While the state Attorney General’s office can prosecute, “we haven’t had to so far,” and consumers can contact the office for help on preventing cyber crime.
This kind of crime can go undetected and unreported, so it is difficult to measure the exact magnitude of the problem. According to the Internet Crime Complaint Center, the median loss of a victim was $575 for the year 2009, with some victims losing thousands of dollars in a single attack, for a total loss of almost $6 million just for the reported complaints.
“You want to protect consumer data, but hackers can get through,” Bruning warned.
The data breach that struck Target was cited a number of times by both Bruning and other speakers at the meeting as a warning that anyone can be a victim in cyberspace. The hacker virus got into the Target system through a compromised system being used by a heating and air-conditioning company.
“Every business has a horror story,” Burt said, “and in cyberspace, the best defense is not a good offense – it’s a good defense, the best defense you can muster.
“You want to avoid, reduce or transfer loss,” Burt said.
Recommendations by seminar speakers included keeping the operating system and web browser up-to-date, and using a firewall and an antivirus. However, Chris Hoke of Continuum Security Solutions said a data breach remains possible despite precautions.
Symantec and McAfee exist to help provide protection against cyber criminals, but “Symantec and McAfee have limits. Know what you have and know how to protect the systems on your network,” Hoke said. He also recommended “effective data-loss prevention tools. Compliance is only a minimal acceptable goal. Compliance is not security.”
Education and training are the first step. Any employees with network access should be trained before the first keystroke, security policies should be well defined, and employees should understand the common hacking tactics like phishing and social engineering.
Prevention means making certain all software in the network is constantly updated. Business-class antivirus software should be installed on office workstations and servers to protect the network from malware and all critical data should be backed up.
“Some risk can be tolerated if data theft can be stopped,” Hoke said, adding that, despite effective controls and policies, good firewalls and active testing, “prevention usually fails.”
If the system is breached and information like Social Security numbers or customer account numbers is lost, Bruning said, “You must notify the state Attorney General’s office.”
The legal obligation of notifying affected customers when their data’s been breached is both “expensive and embarrassing, but you have to do it,” Bruning said.