Low-tech threats make high-tech cybersecurity everyone's business
FARGO—It just might be a low-tech fake email, not a high-tech hacking scheme, that makes it hard for businesses and organizations to safeguard information in modern times.
Firewalls and cutting-edge technology designed to keep networks safe and secure can be undone simply by asking employees to click a link. An email requesting employee W-2s that looks like it's coming from the CEO can turn a well-meaning worker into the unwitting source of a data leak.
That's why Kris Evans travels the country to speak about cybersecurity and why it's everyone's business, whether it's a janitor or a CEO. He gave a keynote last month at a cybersecurity conference on the North Dakota State University campus.
"We're seeing that hackers' best friends are friendly employees," said Evans, a certified identity theft risk management consultant and national marketing director for Harvard Risk Management Corp.
NDSU makes cybersecurity everyone's business, not just that of tech professionals like Marc Wallman.
"One of the biggest things is awareness because a lot of this has to do with people's behaviors, and they are getting tricked into stuff," said Wallman, NDSU's Vice President for Information Technology.
Safe and sound
NDSU launched an anti-phishing campaign about a year ago to educate staff about the risks of fraudulent emails. The university also relies on its regular business processes to act as a safety net to ensure one employee can't send out a check based on a scam, for example.
Gate City Bank puts employees through quarterly cybersecurity training to learn about the latest threats. It's an important goal, according to Information Security Officer Andy Stein, because that's how the bank can safeguard private data and maintain the trust of customers.
Keeping up with the latest methods means Gate City Bank and other financial institutions often warn each other of new attacks as they come up.
"We might be competitors on the sales side, but when it comes to security, we're a lot more forthcoming with sharing information," he said.
Sanford Health relies on its own systems and plans to keep patient information protected, according to IT Security Director Troy Ament.
The health care network has launched several initiatives in recent years, including boosting the size of its security team, enacting stronger security controls and expanded encryption, requiring staff to go through multifactor authentication to access information out of the office and routinely educating staff.
"In health care, we know patients trust us with their most confidential information, and our No. 1 priority is keeping patient information safe and protected," Ament said in a written statement.
Evans said it's important for organizations to remember that they're protecting a lot more than "blips and blurbs" because these numbers and records represent people at the end of the day.
It also adds up to a potentially expensive mistake, according to Evans. The Ponemon Institute says a data breach costs an average of $201 per compromised record, a figure that can add up in a hurry when tens of millions of records can be stolen in a single hack.
That's not even mentioning fines or lawsuits in the wake of an attack, he said. The average cost of a data breach rose 15 percent last year to $3.5 million, and Evans said newer low-tech tactics make it clear it won't be going away anytime soon.
"I don't have to be a cybersecurity expert if I can trick the cybersecurity expert into hacking into his system for me," he said.
Brian Crommett, too, sees it as an issue for everyone.
The sales and service manager for 702 Communications said the internet service provider's hands are tied because it has a responsibility to maintain the safety of its network while also giving subscribers privacy. Even though subscriber email accounts or devices can be compromised by a user's own actions or responses to phishing attacks, 702 doesn't monitor their individual internet behavior to keep them from making a mistake.
"Personal responsibility is huge in this space, and because of the anonymity that we need to grant, sometimes that's a challenge," he said.
That's why Crommett said it's important to be more skeptical and realize that an innocent-looking email could be all it takes for a data breach to happen.
"Never make the assumption that an organization can maintain your security by itself because nine times out of 10, the end user is the weak point," he said.