Good Management Can Combat Cyber Crime

The bad news: Cyber criminals are out there like big, bad wolves. The good news: Answers to the challenge fall into the realm of good management, and the answers don’t always demand complex, expensive technical solutions.

Security expert Theresa Payton, CEO of Fortalice, LLC, expanded on those points in her presentation to FPA’s Fall Executive Conference. She made these key observations:

95% of all security events result from human error.
Businesses seldom design security systems with the human element in mind
Management can take steps to adjust for the human factor.

Payton, a former White House cyber security advisor, says that on a global scale, cybercrime and espionage costs $445 billion each year. Nearly half of senior executives say they are attacked hourly or daily.

Here’s one example of the problem’s scope. Information technology professionals call it ransomware. It infects a server and “locks up” critical files. Then the cyber criminals demand a “ransom” to unlock the files. Payton notes that the amount is often small—$1,000 is a common figure; cybercriminals think most businesses will pay that and not involve law enforcement because it is not a large sum of money.

Action Steps

Here are steps Payton suggests as ways management can address cyber crime.

First. Practice a digital disaster. In doing that, identify documents critical to your business. Ask: What files, if compromised, would have a critical, negative impact on your business? In the simulated disaster, plan for the steps you have to take. That may include, in the case of a ransom demand, having a reliable bitcoin account in place to pay the ransom.

Second, Payton suggests, move critical files to a new domain name; don’t keep them on the company’s public-facing domain. That allows the company to compartmentalize critical data with fewer employees using that domain name.

Long-term, management needs to understand that 78% of cyber attacks start by tricking a user. She demonstrated how cyber criminals manipulate a user’s social network and spoof the user and email an employee at a work address appearing to be a friend. An employee might open an attachment, infecting the domain with malware.

Another commonly flaunted “rule” is not to access the company’s domain at public wi-fi sites. Again, both hardware and software exists to gain access to business servers in the process.

Training May Fail

Payton says that training can’t always keep people from being human and opening attachments from “friends.” It is going to happen and use approaches such as an alternate domains to reduce risks, she says.

Payton suggests cyber crime insurance. Not only does it provide a financial cushion if an event occurs, it also heightens management awareness of risk factors. For example, Payton cites policy clauses that invalidate coverage if it occurs through the human error of opening an attachment. It may be something to negotiate in obtaining the coverage, and it puts a cost on accepting those errors.