Every day we’re bombarded with information about the continuing attacks on our data and personal information, attacks that result in thefts costing businesses millions of dollars. We also are deluged with security solutions that primarily involve some very good technological fixes. While most of us agree wholeheartedly with the necessity for a business to get locked down on the IT side—firewalls, encryption, penetration-testing and the like—one can’t help but notice that almost none of the proposed solutions address the non-IT cyber-exposures that are just as real, and just as dangerous, to the health of a business.
The non-IT exposures are the high cholesterol of a business. Left undetected and unaddressed, they will kill.
Sound drastic? Then let’s get under the hood and take a look at just two of the non-IT exposures that can fatally threaten a business: unrestricted social media usage by employees and the rise of bring-your-own-device.
If you permit employees to use social media, without any restrictions, while they are at work using company equipment, you may be in for a very unpleasant surprise. According to a recent New York Times report, malware that drains your bank account is flourishing on Facebook. Zeus, a particularly vicious malware that can reside on your computer after a bad guy has used a Trojan horse to get access, will stay dormant until an employee logs into a bank site. It will then steal the company’s passwords and drain the company’s bank account. Giving your employees unfettered access to Facebook using your equipment can set the stage for this and other realistic and dangerous scenarios. Cyber-risk assessments that are IT-centric will rarely pick up those kinds of exposures.
A company joining in the significant and evolving trend of permitting employees to bring (and use) their own devices for business, will, if it does not properly control its employees’ usage of these devices, create its own set of cyber-exposures. Permitting employees to access the corporate network using a wide range of personal devices has great productive efficiencies. This usage, however, without the proper policies, procedures and controls, is also a significant security threat to the very existence of a business. With cybercriminals becoming more adept at designing malware that turns employees’ devices—smartphones, tablets, PCs—into six-lane highways for entry into companies and their accounts, companies that do not control BYOD usage put themselves in grave danger. Again, there are not many IT assessments that thoroughly address the necessary controls for BYOD usage by company employees.
Social media consequences and BYOD-enabled hacking
These are but two of the non-IT issues that, if not effectively addressed, open up small- and mid-sized businesses to serious and potentially fatal consequences that threaten their very survival. In a recent report circulated by IBM, a U.S. House Small Business Subcommittee on Health and Technology found that 60 percent of small- to medium-sized businesses that suffer a data breach close their doors within six months of a successful attack, and that 20 percent of all cyberattacks hit businesses with 250 or fewer employees. In the face of these sobering numbers, more than three-quarters of those businesses consider their companies safe from hacking.
What gives small- and mid-sized businesses this unfounded sense of security? Simply that they are not looking holistically at their entire business operation. While they may have attended to their IT security, more likely than not they have neglected the non-IT cyber-exposures that can pose significant challenges. They may be physically fit on the outside but have not discovered their high cholesterol. Sooner rather than later, if not addressed, it will catch up with them with predictable consequences.
What is ironic and frustrating is that addressing and attending to these kinds of non-IT exposures is not rocket science. While it does require hard work and attention to detail by knowledgeable attorneys and IT professionals, cost-effective and timely solutions are available.
In addressing the social media exposures, a good non-IT assessment, whether or not combined with an IT assessment, should, at a minimum, ask if your company:
• Has a social media policy or a set of guidelines applicable to management, employees, consultants and contractors.
• Has a social media agreement that employees, vendors and contractors review and sign annually as a condition of continued employment and as part of their employment contract.
• Formally addresses the risks of social media participation with your employees, vendors and contractors through formal training programs.
• Uses social media sites when hiring.
Some of these questions suggest answers, some issues pose greater risks than others, but all require participation from the top down. Without full senior management backing and participation, any social media policies you may create will be without teeth and therefore pretty useless.
Addressing BYOD issues is both an IT and a non-IT concern for any thorough cyber-risk management checkup. The risks are quickly becoming well-known, but the solutions demand senior management attention to ensure that the proper mix of policies, procedures and IT solutions is in place. A good non-IT exposure assessment and remediation process should address, among many other exposures, the following, along with the suggested solutions.
• When users install un-vetted apps, and the device contains business data, or simply has access credentials, software installed by the user could enable unauthorized access. Publishing a list of approved apps and restricting users from using any others on devices that have business data is the beginning of a solution.
• Users who click first and worry about the consequences later can open the company to a cornucopia of cyber-risks through phishing scams on malicious websites. Mobile device management platforms list approved websites and can assist with installing anti-phishing filters.
• Lost, misplaced or stolen devices can obviously expose a company to serious security risks. Companies should ensure that every mobile device used by an employee that contains business data has a working remote wipe solution.
• Users sharing devices, especially tablets, is becoming more of an issue, even with family and friends. Absent robust biometric security built into the devices, there is no perfect solution. Credential control—expiring them after a certain time and not authorizing entry based on identifiers like addresses alone—can help, but there is no real substitute for care and common sense.
These few examples of non-IT risks are but the tip of the iceberg. Consider the risks inherent in cloud-computing contracting (actual location of data, privacy concerns, encryption keys, data retrieval, litigation holds on data and the like), intellectual property protection and compliance issues (HIPAA/HITECH, for example), and you may be convinced that IT assessments and remediation programs will not, alone, get the job done.
To put it in terms any CFO will understand, if you do not attend to your non-IT exposures, you may be wasting your considerable investment in your technology upgrades. Bottom line—get a full check-up. Don’t let your hidden high cholesterol do you in.
Ned Dunham is a member of Kleinbard Bell & Brecker’s litigation department. He concentrates his practice in the areas of cyber-risk management, insurance coverage and commercial litigation. He can be reached at email@example.com or at 267-443-4109.