Four ways to guard against lax cybersecurity

When companies that do most of their business online are hacked, it is yet another sign that people need to rethink their cyberattack readiness, at home and at work.

Recent news about CloudFlare and LinkedIn breaches – and data from a recent survey by KPMG – underscore the dangers of lax cybersecurity. The CEO of CloudFlare, a provider of cloud-based services “to help secure and accelerate websites,” had his home Gmail account hacked in May, leading to a breach in company data.

KPMG essentially played the role of cybercriminal for the survey, taking aim at Forbes Global 2000 companies. KPMG’s Cyber Response team did research using public domain data on the companies’ sites and found that 78% of organisations are leaking data, The leaks occur in numerous ways, including normal activity such as interacting with a customer in an online forum.

The sectors most likely to let slip data useful to hackers: technology and software.

The KPMG research showed that thousands of usernames, passwords and other data could be accessed from company sites. Hackers, like cybercriminals, used software to search the portals of the sites and find potentially valuable information.

The survey, Publish and Be Damned, also found that 71% of the companies are using potentially vulnerable and out-of-date versions of Microsoft and Adobe software.

What about automatic updates? They’re not so automatic, said Dale Rowe, a Brigham Young University professor who specialises in cybersecurity.

“When you’re on your home PC, and the Windows update is bouncing on the bottom of the screen saying, ‘Update me,’ it’s easy to say yes and go away for five minutes while it restarts,” Rowe said. “You hear about these companies being exploited because they forgot to apply this patch that has been out for a year, and you think how silly they are, well, they probably have 5,000 workstations, 2,000 servers and 500 of those are facing the internet without any screen attached to them. You only need to overlook one system for the whole thing to come undone.”

Making security a top priority

Rowe grew up in England and has worked as a consultant to businesses there. He said security, while important to firms, is not always a top priority for day-to-day business.

“A system administrator’s main concern is keeping a company up and running, keeping the services operational,” he said. “Security often comes secondary to that.”

That’s why documents left in web servers, even ones not clearly accessible through a company’s website, can be a concern.

Rowe offered tips to companies and individuals to help guard against data breaches:

Hire a reputable company to do a penetration test of your website. “A good pen-test team will actually take on the role of hacker; they’ll scrape the data and try to get into your site. Finding a reputable company to do that can be worth its weight in gold. The OK companies will just tell you how to fix the problem, but the good ones will provide policy-based recommendations instead of patches that just fix a problem.”

Practise good password hygiene at home and at work. Rowe said companies need to do a better job encrypting passwords to avoid the problem LinkedIn encountered in June, when 6.4 million users’ passwords were stolen. “Hashing” and “salting” of passwords, each a form of encryption, are highly recommended (here’s more on “seasoning” and a company’s role in password protection).

Individuals can help themselves and their organisation by not relying on the usual crutches, such as “password1” as their password. The criminals have figured out most of us use easy passwords and like to reuse them on different sites. “Be really careful using the passwords on different sites,” Rowe said. “It’s hard, because we have so many, but your high-level passwords, like for banking, should not be duplicated.”

Take time to look for stale documents that could give away company information. Do not look solely at what is visible on the internet. “Look at the directory space of the web server,” Rowe said. “Look at where the page is hosted, the databases. Look for anything that’s out of place. If you’re looking at an image folder, and you see a bunch of PDFs they dragged and dropped in there, that might be a red flag. (Companies) presume that because the document’s not linked, that it’s safe.”

Educate your workforce about sharing content. There are filters and detection devices a company can put at its perimetre to watch what data should not be going out, Rowe said. “But at the end of the day, that’s really user education and employee education. Whatever they send outside the corporate boundary is going to be viewed by someone else. It’s not a case of ‘may be’ viewed; it will be viewed by someone else. Nothing outside that boundary is secure, unless it’s strongly encrypted, and even then, there’s still a risk.”

Related CGMA Magazine content:

“PwC: Internal audit has to play a more substantial role in information security”: Companies must do a better job of evaluating and updating their security policies as data breaches grow in number and sophistication, PwC says in a recent report. To shore up their defences against cybercriminals, companies should institute three lines of defence. PwC calls on management to empower internal audit to ensure employees are following protocol and that the company is up-to-date as new cyberthreats emerge.

—Neil Amato (namato@aicpa.org) is a CGMA Magazine senior editor.