FRONT OFFICE BY MARY COLLINS

Protecting Your Devices from Cyber Criminals

Any company with legal access to personal information needs to remain vigilant about protecting that data from cyber criminals. You should ask just how well your company is safeguarding the employee and customer data that resides behind your firewalls. And the threat has grown with the wide adoption of mobile devices, such as laptops, smart phones and tablets, that offer cyber criminals new points of access to sensitive and private information. This is particularly true when a company allows employees to use their personal mobile devices to conduct business.

Next Friday, June 28, marks the launch of Quantum Dawn 2. While the name sounds like a movie title, the sequel to 2011’s Quantum Dawn is a planned cyber attack coordinated by the Securities Industry and Financial Markets Association (SIFMA) that will involve the participation of major Wall Street firms, the Department of Homeland Security, the Treasury Department, the Federal Reserve and the Securities and Exchange Commission.

Although the focus of Quantum Dawn 2 will be on our financial institutions, these attacks are a very real and present danger to all businesses. Any company with legal access to personal information needs to remain vigilant about protecting that data from cyber criminals. This government simulation should prompt you to ask just how well your company is safeguarding the employee and customer data that resides behind your firewalls.

As Ken Goldstein, VP-global cyber security and media liability manager for the Chubb Group of Insurance Companies, recently observed: “Vulnerability to cyber attacks has changed over the past decade from who is at risk (all companies) to how often security may be compromised (weekly) to how the hackers are getting a foot in an organization’s ‘door’.”

In an article entitled “When Hackers Attack,” appearing in the May-June issue of MFM’s The Financial Manager (TFM) magazine, Goldstein points out that the wide adoption of mobile devices, such as laptops, smart phones and tablets, offers cyber criminals new points of access to sensitive and private information. This is particularly true when a company allows employees to use their personal mobile devices to conduct business.

To illustrate his point, Goldstein noted that survey participants in Ponemon Institute’s “2012 Cost of Cyber Crime Study” experienced an average of 1.8 attacks per week per company, which represented a 42% increase from the prior year.

In addition to an increase in the number of cyber attacks, we have also experienced a widening number of companies whose data is under attack. For example, Symantec’s SMB Threat Awareness Poll reported that 40% of all cyber attacks target businesses with fewer than 500 employees. “That puts small to mid-size media organizations clearly in the crosshairs of a cyber criminal,” Goldstein warns.

Despite the risk, more than 85% of small businesses do not have a formal written Internet security policy for employees, and more than 80% lacked a written plan to keep the business cyber-secure. This is according to a 2012 National Cyber Security Alliance/Symantec small business study.

Bringing this issue closer to home, Goldstein reminds us that “Media organizations that send staff into the field to cover news events or have sales staff working from mobile offices may rely on mobile devices to get the job done.”

Adding to the risk is the growing number of companies that have adopted a “BYOD” (bring your own device) policy. Goldstein cited a 2012 study by McKinsey & Co. that found as many as 80% of smartphones and 67% of tablets used for work are employee-owned. Moreover, a Dimensional Research global survey of information technology professionals, sponsored by Check Point, found that:

  • 65% allowed personal devices to connect to corporate networks.
  • 78% said there are more than twice as many personal devices connecting to corporate networks now than there were two years ago.
  • 47% said customer data was stored on mobile devices.
  • 71% said mobile devices have contributed to increased security incidents.

“As that last data point makes clear, security measures for mobile devices are often inadequate and cyber criminals consider their content valuable.” Goldstein points out that “hackers can use information gleaned from these sources to break into other corporate networks.”  

These vulnerabilities aren’t going unnoticed. Goldstein relayed a report by Juniper Networks that found a 155% increase in mobile malware across all mobile device platforms. Another finding relates to lost or stolen mobile devices. Ponemon found that nearly 40% of data breaches occur when a mobile device is misplaced or stolen.

A Defense Check List

Goldstein effectively uses these statistics to get the reader’s attention. But his point is not for us to conclude that security breaches are inevitable. Instead, he’s hoping increased awareness about the growing risk of cyber attack motivates us to be more personally vigilant about the mobile devices in our care and our participation in corporate programs designed to mitigate these risks.

As he observes, “Knowing what to do if an employee’s mobile device is compromised can ensure security for thousands of customer records.”

With that goal in mind, Goldstein offers the following recommendations:

Develop and maintain a network security and privacy policy. The policy needs to be comprehensive and to specifically address threats to mobile devices. “Chief information officers should oversee the procedures and ensure their implementation throughout the organization.”

When it comes to the devices themselves:

Encrypt, Encrypt, Encrypt — Some phones may not have data-encoding software built into the operating system. In these instances, users will have to rely on third-party applications.

Use a Password, Make It Strong — “Many people do not bother to use a password to protect their mobile devices, or they use one that is too weak,” Goldstein says. He encourages using a combination of letters, numbers and other characters.

Wipe It Clean — All major smart phones have some kind of remote erase capability. When a device is lost or stolen, businesses need to be able to wipe the contents of the device clean.

Set Up Cyber-Attack Alerts — Network intrusion software can help businesses identify unauthorized break-ins. Goldstein also recommends having managers check logs regularly for unusual activities.

The Role of Liability Insurance

Your insurance provider can help defray the cost of a data breach or intrusion arising from mobile devices and a company’s internal network.

“Insurance companies offer third-party liability coverage for lawsuits that arise as a result of a data breach or network intrusion. Insurance protection also is available for first-party expenses, such as privacy notification expenses; the cost to change account numbers; crisis management; and public relations expenses, as well as losses from business interruption,” Goldstein explains.

He also recommends looking for an insurer that has expertise in handling these particular types of risks. Not only will the policies vary by insurer, some firms may also offer a range of services to assist businesses in managing cyber risks. As Goldstein points out, “Some insurers have panels of legal counsel that can offer guidance in case of a data breach.”

This last point is one of the reasons that MFM has given its highest form of recommendation, our endorsement, to the Chubb Group of Insurance Companies as the preferred provider of property and casualty — including professional and management liability insurance — for our members. With more than 40 years of experience in the media industry, we believe that Chubb is a financially strong resource for tailored media business solutions.

A copy of Goldstein’s article is currently available on MFM’s website. If your company is among those without a comprehensive network and privacy policy, I hope you’ll give it a close read. Even if you do have a good policy in place, you may find it offers some new perspectives.

As Goldstein concludes: “Nightmarish situations can turn into safe-and-sound realities when companies establish a post-breach protocol; quickly recognize a breach, and effectively shut it down with a security team ready to investigate.” 

There’s no doubt in my mind that everyone would prefer that type of security breach outcome to the nightmare scenarios we have seen unfold for companies whose customer data has fallen into the wrong hands. I say, put that Ben Franklin adage to work: an ounce of prevention is worth a pound of cure.

Mary M. Collins is president and CEO of the Media Financial Management Association and its BCCA subsidiary. She can be reached at [email protected]. Her column appears in TVNewsCheck every other week. You can read her earlier columns here.