The United States Computer Emergency Readiness Team (US-CERT) defines phishing as a form of social engineering that uses email or malicious websites (among other channels) to solicit personal information from an individual or company by posing as a trustworthy organization or entity. Phishing attacks often use email as a vehicle, sending email messages to users that appear to be from an institution or company that the individual conducts business with, such as a banking or financial institution, or a web service through which the individual has an account.
The goal of a phishing attempt is to trick the recipient into taking the attacker’s desired action, such as providing login credentials or other sensitive information. For instance, a phishing email appearing to come from a bank may warn the recipient that their account information has been compromised, directing the individual to a website where their username and/or password can be reset. This website is also fraudulent, designed to look legitimate, but exists solely to collect login information from phishing victims.
These fraudulent websites may also contain malicious code which executes on the user’s local machine when a link is clicked from a phishing email to open the website.
Phishing attempts most often take the form of an email that seemingly comes from a company the recipient knows or does business with. The most recognized type of phishing attack is similar to the bank example described above, where the email asks the recipient to enter his account credentials on a website.
USA.gov lists some widespread phishing scams reported from agencies and corporations, revealing that phishing emails can take many forms, such as:
Phishing attacks and spear phishing have much in common, including the shared goal of manipulating victims into exposing sensitive information. Spear phishing attacks differ from typical phishing attacks in that they are more targeted and personalized in order to increase chances of fooling recipients. Attackers will gather publicly available information on targets prior to launching a spear phishing attack and will use those personal details to impersonate targets’ friends, relatives, coworkers or other trusted contacts. Information that attackers can leverage for spear phishing includes victims’ employment information, organizations that they belong to, hobbies, and other personal details. Much of this information can be gleaned from targets’ profiles and/or activity on social media sites. In many cases, spear phishing attacks are used as a first step in an APT attack targeting a specific organization.
Phishing is most often initiated through email communications, but there are ways to distinguish suspicious emails from legitimate messages. Training employees on how to recognize these malicious emails is a must for enterprises that wish to prevent sensitive data loss. Often, these data leaks occur because employees were not armed with the knowledge they need to help protect critical company data. The following may be indicators that an email is a phishing attempt rather than an authentic communication from the company it appears to come from.
When in doubt, call. If the content of an email is concerning, call the company in question to find out if the email was sent legitimately. If not, the company is now aware and can take action to warn other customers and users of potential phishing attempts appearing to come from their company.
Learn about the Chief Risk Officer role in Data Protection 101, our series on the fundamentals of information security.
The Chief Risk Officer is a C-suite executive who is tasked with the identification, analysis, and mitigation of events that could threaten a company. These risks could be internal or external in nature.
The CRO helps ensure that their organization is compliant with regulations set forth by the government, including the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 and the Sarbanes-Oxley Act. The CRO also reviews different factors that could adversely impact the company’s investors or the performance of its business units.
Another name for the CRO is the Chief Risk Management Officer.
A Chief Risk Officer is tasked with looking out for a variety of risks that can be categorized into three groups: technical, regulatory, and competitive. A CRO must also monitor procedures that might give rise to risk exposure. For instance, if a company collects data from their customers, suppliers, or other third parties, they will need to make sure that all that data is safe and kept confidential. If there is a security lapse, the CRO would need to address the issue to ensure that it does not happen again.
There are also physical risks involved. For instance, if a company sends employees to somewhat dangerous areas, then the CRO will need to create procedures and policies that will address these added threats. In a warehouse facility, the CRO will be tasked with ensuring that the staff is kept out of harm’s way.
Because a company’s operating environment is always changing, the CRO must always have a plan of action to proactively and reactively manage these risks. Sometimes, that can even mean modifying established policies and procedures on the fly in order to address vulnerabilities and risks.
A CRO leads efforts to reduce business risks that can put an organization’s profitability and productivity at risk. They also spearhead efforts related to enterprise risk management.
A Chief Risk Officer is responsible for implementing policies and procedures to minimize or manage operational risks. They are also tasked with coming up with mitigating processes to help minimize or avoid losses that may arise when the systems, procedures, or policies in place are found to be inadequate – or if they fail entirely.
A CRO must manage compliance with regulatory requirements on a federal, state, and local level. They are also concerned with other security-related issues, including IT security, internal auditing, financial auditing, insurance, fraud prevention, global business climate changes, and similar corporate internal investigations. They may also become involved with disaster recovery and business continuity planning.
As one would guess, the responsibilities of a Chief Risk Officer largely depend on an organization’s size as well as its industry. The CRO is responsible for all risk management strategies and operations, as well as supervising the organization’s risk mitigation and identification procedures.
In recent years, IT has become a big part of every business and naturally, the CRO needs to address the risks associated with data breaches and hackers. As such, the CRO is also concerned with risk assurance and data protection and has a hand in stamping out system vulnerabilities and other threats.
Aside from these, the responsibilities of a CRO include:
Most companies decide between having a Chief Risk Officer or having a committee that oversees risks. There are advantages to each.
Having a Chief Risk Officer communicates that the company is serious about risk management. Having an executive level professional working as a CRO illustrates to the rest of the employees how important risk management is.
Meanwhile, creating a risk committee means that a number of executives from different departments will be working to reduce and manage risk. It provides an opportunity for executives from sales, finance, HR, operations, and other departments to work together. Some organizations might opt to have a mix of both, with a Chief Risk Officer heading up the efforts of the committee.
The CRO is responsible for identifying and assessing risks, and then developing modules and treatments to combat or minimize these risks. A successful risk manager has the analytical skills, quantification skills, and requisite expertise to do all these.
A Chief Risk Officer must also have outstanding people skills in order to properly educate employees and key personnel about risk while also facilitating dialogue and communication among different departments or groups of people.
Paul Zavolta, a former Director of Enterprise Risk Management at Alpha Natural Resources and a former Financial Risk Analyst at Eastman Chemical Company, says that you need to learn finance and accounting skills, and focus on event tree analysis.
Chief Risk Officers often have a postgraduate degree, preferably in business administration. Most CROs also have at least two decades of experience in economics, actuarial science, law, or accountancy.
Furthermore, risk mitigation has gone online, with Internet risks becoming more and more prevalent in digitized organizations. This is the reason why CROs should also have adequate knowledge of the organization’s technology, networks, and systems.
Chief Risk Officers are becoming increasingly commonplace among modern enterprises as the risk landscape grows ever-more complex. Having a single, highly qualified risk management professional to oversee efforts to reduce and mitigate risks is invaluable to a company’s overall security posture.
Monitoring is a critical component of cloud security and management. Typically relying on automated solutions, cloud security monitoring supervises virtual and physical servers to continuously assess and measure data, application, or infrastructure behaviors for potential security threats. This assures that the cloud infrastructure and platform function optimally while minimizing the risk of costly data breaches.
Cloud monitoring provides an easier way to identify patterns and pinpoint potential security vulnerabilities in cloud infrastructure. As there’s a general perception of a loss of control when valuable data is stored in the cloud, effective cloud monitoring can put companies more at ease with making use of the cloud for transferring and storing data.
When customer data is stored in the cloud, cloud monitoring can prevent loss of business and frustrations for customers by ensuring that their personal data is safe. The use of web services can increase security risks, yet cloud computing offers many benefits for businesses, from accessibility to a better customer experience. Cloud monitoring is one initiative that enables companies to find the balance between the ability to mitigate risks and taking advantage of the benefits of the cloud – and it should do so without hindering business processes.
As Ed Moyle notes in this article for SearchCloudSecurity, “the same forces that make cloud possible can have a negative impact on monitoring controls and erode an organization’s ability to take action in response to events.” Virtualization poses challenges for monitoring in the cloud, and traditional configurations involving log management, log correlation, and security information and event management (SIEM) tools aren’t routinely configured to adapt to dynamic environments where virtual machines may come and go in response to sharp increases or decreases in demand.
Visibility can also be a concern when it comes to cloud monitoring. Many companies rely on third-party cloud services providers and may not have access to every layer in the cloud computing stack, and therefore can’t gain full visibility to monitor for potential security flaws and vulnerabilities. Finally, shifts in scope are another common challenge when dealing with cloud environments, as assets and applications may move between systems which may not necessarily have the same level of security monitoring.
There are several approaches to cloud security monitoring. Cloud monitoring can be done in the cloud platform itself, on premises using an enterprise’s existing security management tools, or via a third party service provider. Some of the key capabilities of cloud security monitoring software include:
One of the most effective ways to mitigate cloud security risks is to gain strict controls over data at all endpoints. Solutions that scan, analyze, and take action on data before it leaves the enterprise network provide a good first line of defense against data loss via the cloud and can avoid the introduction of vulnerabilities, such as a sensitive file being uploaded to an unprotected cloud repository.
Likewise, effective cloud monitoring solutions can scan, evaluate, and classify data before it’s downloaded to the enterprise network, avoiding the introduction of malware and other malicious elements that can create vulnerabilities and leave the enterprise open to data breaches. Coupled with the scanning and auditing of data already stored in the cloud, real-time monitoring at the point of exit and entry is highly effective for enterprises that require comprehensive security while still utilizing the benefits of the cloud.
Enterprises are embracing big data like never before, using powerful analytics to drive decision-making, identify opportunities, and boost performance. But with the massive increase in data usage and consumption comes a whole set of big data security concerns. Ultimately, big data adoption comes down to one question for many enterprises: how can you leverage big data’s potential while effectively mitigating big data security risks?
Concerns surrounding the storage, management, transmission, mining, and analyzing of data are an even bigger issue when regulations come into play. A key example is the HIPAA privacy guidelines for healthcare providers, contractors, and other business associates who may come into contact with, use, or even be responsible for storing sensitive healthcare data.
One of the biggest challenges facing enterprises is the sense of loss of control over data that comes with utilizing cloud storage providers and third-party data management and analytics solutions. The impact of this is significant, as many regulations hold enterprises accountable for the security of data that may not be in their direct control.
Add in trends like Bring-Your-Own Device (BYOD) and the rise in the use of third-party applications, and big data security issues quickly move to the forefront of top enterprise concerns. A December 2013 article from CSO Online states that many of the big data capabilities that exist today emerged unintentionally, eventually finding their place in the enterprise environment.
“Because security is not inherent, enterprises and vendors have to retrofit these systems with security,” notes CSO Online. But retrofitting big data security solutions on a system-by-system basis is not only cost-ineffective, it also makes the enterprise security process as a whole inefficient and unnecessarily complicated.
Big data relies heavily on the cloud, but it’s not the cloud alone that creates big data security risks. Applications, particularly third-party applications of unknown pedigree, can easily introduce risks into enterprise networks when their security measures aren’t up to the same standards as established enterprise protocols and data governance policies.
Devices introduce yet another layer of big data security concerns, with workers embracing mobility and taking advantage of the cloud to work anywhere, at any time. With BYOD, a multitude of devices may be used to connect to the enterprise network and handle data at any time, so effective big data security for business must address endpoint security with this in mind.
Additionally there’s the issue of users. Particularly in regulated industries, securing privileged user access must be a top priority for enterprises. Certain users must be permitted access to highly sensitive data in certain business processes, but avoiding potential misuse of data can be tricky. Securing privileged user access requires well-defined security policies and controls that permit access to data and systems required by specific employee roles while preventing privileged user access to sensitive data where access isn’t necessary – a practice commonly referred to as the “principle of least privilege.”
These are just a few of the many facets of big data security that come into play in the modern enterprise climate.
Big data security requires a multi-faceted approach. When it comes to enterprises handling vast amounts of data, both proprietary and obtained via third-party sources, big data security risks become a real concern. A comprehensive, multi-faceted approach to big data security encompasses:
Many enterprises have slowly – sometimes rapidly – accumulated a series of point solutions, each addressing a single component of the full big data security picture. While this approach can address standalone security concerns, the best approach to big data security integrates these capabilities into a unified system capable of sharing and correlating security alerts, threat intelligence, and other activity in real time – an approach not unlike the concept of big data itself.
Phishing is a social engineering attack, which means that a bad actor is playing on your sympathies, or trying to convince you that they’re someone else in order to obtain sensitive data, like your Personally Identifiable Information (PII), financial information, or credentials. If you’ve ever been emailed by a prince in Nigeria who needs to get rid of some money, you’ve experienced a phishing attack. Most such attacks – especially those that target businesses – are much more sophisticated and are less easy to spot. Some campaigns target an individual using publicly available information, such as information posted to social media, and look legitimate. Phishing can be conducted via email, text, or messaging. You can avoid getting conned by training your staff to spot the telltale signs of a scam, such as the need to input certain information right now. You should also encourage them to check with the purported sender of a potential message through another means of communication before responding.
Malware is any malicious software that is intentionally designed to harm your devices, network, or system. Malware comes in several flavors: from the traditional computer viruses and self-replicating worms to ransomware, which we will get to in the next section. It is often delivered to a computer or network through a link or attachment in a phishing email that was clicked on, but it is sometimes downloaded from a malicious website by mistake. You can avoid malware by monitoring user traffic online and user email behavior, and by using antivirus solutions.
Ransomware has been responsible for some of the biggest data breaches in recent history. The Colonial Pipeline attack earlier this spring is the most recent example. Ransomware is a sort of malware that locks a user out of their systems and data. To obtain the encryption key, they must pay a ransom. If they don’t, consequences are threatened. This can range from posting proprietary information on a public website to simply not getting their data back. That doesn’t mean that the criminals always keep their word when the ransom is paid – they are criminals after all. Avoid ransomware attacks by not clicking on suspicious links, scanning emails for malware, and by keeping a backup of all data. If you are targeted but have your data and systems backed up, you will be able to keep doing business, despite the attack.
First, the bad news: Denial of Service attacks are one of the most common attack vectors; according to Dark Reading, DDoS attacks in the first quarter of 2021 are up by 31% compared to the same period in 2020. Now the good news: DDoS attacks are easy to prevent. DDoS attacks are designed to overwhelm a system by bombarding it with requests. However, you can mitigate a DDoS attack by monitoring network traffic and filtering incoming traffic.
We’ve all heard horror stories about users with 1234 as their passwords, or users who reuse passwords across sites. The numbers back these scary stories up: a Google/Harris poll found that 65% of users reuse their favorite credentials across multiple — or every — site they use. If those users work for you, that’s not good news for you. It means you’re one credential leak or phishing attempt away from a data breach. What’s the risk of an exposed credential? Well, that depends on the credential: privileged access credentials, which give administrative access to devices and systems, are a much higher risk than your basic user access credentials. Also, the credentials that allow servers, devices, and security tools to integrate with each other would be devastating in the hands of an attacker. To avoid compromised credentials, consider two-factor authentication or do away with passwords by using passwordless authentication for your users.
When you think of a bad actor, who do you think of? Do you think of the bad guys outside of your organization, or do you think of someone who might work for your organization? While yes, there are criminals outside your company, it’s potentially far more damaging to your enterprise when the call is coming from inside the house.
Malicious insiders are employees who expose private company information through privileged misuse – using their access to hurt your company or make money by exploiting your data or networks. To avoid this, know who is behaving suspiciously; monitor data and network access for odd behavior and make a point of knowing which employees are disgruntled.
Not all insider threats are malicious. Some are simply mistakes. Take misconfiguration, for example. When there’s a configuration error, that can leave an organization open to threats and risks. If an Amazon Web Services bucket is misconfigured, that can leave valuable data open to the public internet, and your organization will never know who has seen that data. To avoid this, put processes in place to make sure every part of your network is configured correctly and consistently monitor your networks for inconsistencies.
If you’re sending unencrypted data, you could be inviting a problem. Data encryption translates your data into another form that only people with access to a secret key or password can read. The purpose: protecting your data during storage or transmission between networks. When there’s no encryption or weak encryption, a bad actor who has hacked into a system will simply be able to read your sensitive data. The solution is simple: strong encryption, especially for sensitive data.
Web application attacks are any attack on your enterprise’s internet presence. They often target e-commerce but can also target any other web application. These attacks include SQL injection and cross-site scripting. These sorts of attacks are focused on a particular goal, such as repurposing the web app for malware distribution, for example. You can prevent some of these attacks by using web application firewalls, utilizing secure development, and monitoring for vulnerabilities.
In the last year, much of the workforce has remained at home, working remotely. This has understandably caused security issues. Home wireless networks aren’t as secure as they are in the workplace. Also, your average home network doesn’t have firewalls, and some workers may be using their personal devices to access your network. Criminals are understandably focusing on these insecure endpoints as a way into your enterprise. While many workers are returning to the office, you can protect your remote workers by consistently monitoring your endpoint security and responding to incidents quickly.
The average cost of a data breach has now reached over $4 million, hitting a record high during the COVID-19 pandemic.
On Wednesday, IBM Security released its annual “Cost of a Data Breach” report, which estimates that in 2021, a typical data breach experienced by companies now costs $4.24 million per incident, with expenses incurred now 10% higher than in 2020 when 1,000 to 100,000 records are involved.
So-called “mega” breaches impacting top enterprise firms responsible for the exposure of between 50 million and 65 million records now also come with a higher price tag — reaching an average of $401 million to resolve.
After analyzing data breaches reported by over 500 organizations, together with a survey conducted by Ponemon Institute, IBM says that the “drastic operational shifts” experienced by the enterprise due to the pandemic, stay-at-home orders, and the need to quickly turn processes remote prompted higher costs and increased difficulty in containing a security incident once it had taken place.
IBM estimates that roughly 60% of organizations moved to the cloud to keep their businesses running — but ramping up security controls did not necessarily follow.
Where remote work was a factor in a breach, costs were up to $1 million higher — an average of $4.96 million compared with $3.89 million.
The most common attack vector for enterprises experiencing a data breach was compromised credentials, either taken from data dumps posted online, sold on, or obtained through brute-force attacks. Once a network was infiltrated, customer Personally Identifiable Information (PII), including names and email addresses, was stolen in close to half of cases.
Over 2021, it has taken an average of 287 days to detect and contain a data breach, 7 days longer than in the previous year. In total, on average, an organization will not detect an intrusion for up to 212 days, and then will not be able to fully resolve the issue until a further 75 days have passed.
Data breaches in the healthcare industry were the most expensive, at an average of $9.23 million, followed by financial services — $5.72 million — and pharmaceuticals, at $5.04 million.
However, according to IBM, companies that employ security solutions based on artificial intelligence (AI) algorithms, machine learning, analytics, and encryption all mitigated the potential cost of a breach, saving firms, on average, between $1.25 million and $1.49 million.
“Higher data breach costs are yet another added expense for businesses in the wake of rapid technology shifts during the pandemic,” said Chris McCurdy, VP of IBM Security. “While data breach costs reached a record high over the past year, the report also showed positive signs about the impact of modern security tactics, such as AI, automation, and the adoption of a zero-trust approach — which may pay off in reducing the cost of these incidents further down the line.”