The business community is under tremendous scrutiny – from regulators, shareholders, customers and the media – all of which can investigate a company with just a few keystrokes. While today’s technical resources are invaluable for learning more about business practices and offerings, they’ve become powerful tools for clever and aggressive cybercriminals: Increasingly, offenders are using technology to engage in data and identity theft, e-mail intrusion, account hijacking, malware and other unlawful invasions of critical network resources.
In particular, ransomware attacks expanded last year and are expected to become even more frequent during 2016, according to the New Jersey Department of Law and Public Safety. The ransomware virus locks digital files and holds them “ransom” until victims pay, usually through untraceable means such as Bitcoins. Business users as well as government agencies, hospitals, private institutions and individuals are vulnerable to the paralyzing virus, typically launched through an infected e-mail that appears official.
“We’re calling attention to the growing threat of ransomware so consumers can take precautions to protect themselves and their employers from these insidious viruses,” Steve Lee, acting director of the New Jersey Division of Consumer Affairs, said in a recent press release. “As cybercriminals grow more sophisticated in their attacks, [computer users] must become more vigilant in avoiding them.”
Several New Jersey firms – including Grid32, BIO-key and Rsam – specialize in helping business users protect their data and strengthen overall cybersecurity.
‘We’ll Break In and Show You How We Did It’
Grid32 of Newark is a service provider of preventive security audits. “Essentially, we hack into a network and show companies how we did it, in order to help prevent a real-world attack,” explains Seth Danberry, Grid32 president and co-founder. “We are ethical, highly trained hackers hired proactively to identify a company’s security flaws. The end result is a comprehensive audit report which outlines exactly what the company can do to fix those flaws and move cybersecurity to a much higher level.”
Danberry concurs that ransomware is among today’s most common business cyber threats, “particularly because these criminals go around a company’s technical defenses with phishing and social engineering to trick end users to install the ransomware virus.”
The second most common threat is the fraudulent wire transfer request, usually sent to a corporate accounting department. “Requests to wire money to an account look very legitimate. People wiring the money realize too late that they’ve been duped,” Danberry says.
What’s the low-hanging fruit in terms of business cyber protection? “First, train your end users!” Danberry exclaims. “It’s simple, inexpensive and critical. You may have a talented IT team that maintains the greatest firewalls and defenses, but those are useless if I can trick your end users into clicking on a fraudulent link. Second, be proactive: Examine current potential problems before they become serious issues. It’s much less expensive to prevent a cyber attack than to clean up after one happens. Third, make cybersecurity a boardroom topic: Be sure it’s presented to and addressed by every user in the company, from top to bottom, not pushed to a single department.”
User Authentication: You Can’t Hack a Fingerprint
BIO-key, based in Wall, specializes in fingerprint solutions, leveraging its line of compact USB fingerprint readers, as well as those already incorporated into laptops, to identify and authenticate users in various contexts. Clients primarily include organizations within the enterprise, healthcare, blood center, education, government and retail point-of-sale segments, where BIO-key technology is used in different ways, with the common theme of providing effortless secure authentication.
“Applications range from positively identifying a person in a fast, secure and automated way, to preventing credential sharing – a growing security concern not effectively addressed by today’s strong authentication solutions,” reports Jim Sullivan, BIO-key’s senior vice president of global sales. “Most security products assume people have great interest in protecting their credentials, but what if I want a smarter friend to take a final exam for me, or a co-worker to clock-in for me when I’m running late? With BIO-key, even if I wanted to share my identity, I couldn’t.”
In addition, “companies are realizing that strong identity is one thing, but strong and convenient is another,” Sullivan says. “User authentication shouldn’t be so onerous that it takes functional time away from the job.”
To show how the market has moved to accepting biometrics, Sullivan points to AT&T, a long-standing BIO-key customer. In a May 3, 2016 blog, Bill O’Hern, senior vice president and chief security officer for AT&T, announced the company was rolling out fingerprint identity in a security solution called AT&T Halo. “Today, everything requires passwords, passcodes, security questions and user names,” O’Hern stated. “Imagine being able to skip this process entirely and sign in to your corporate network or a private database with only your fingerprint, or by clicking a button on your phone or smart watch. At AT&T, we are making this happen. We’ve developed a new authentication system that’s mobile friendly, effortless and highly secure. This means we can move away from today’s reality of forgotten passwords, pin codes and user names without sacrificing security.”
Managing Risk Across the Enterprise
Defending against a cyber attack is just the tip of the iceberg: Underneath the surface lies a very complex process of managing risk to avoid fines and damage to reputations, finances and business relationships, including vendor trust.
Rsam, headquartered in Secaucus, provides a governance, risk and compliance platform for Fortune 1000 companies that allows information security professionals to effectively manage risk across their enterprises. The platform helps users lower the possibility of cyber attacks and avoid related losses and regulatory fines.
“Enterprises increasingly are being held accountable for threats previously considered outside of their control,” Vivek Shivananda, CEO of Rsam, tells New Jersey Business. “For example, along with protecting their own networks from attack, companies must also consider the security of their vendors’ networks. Commonly, attackers will hack into a supplier’s network and use it as a launching point to get inside the network of their actual target – often a large enterprise. Managing the scope of vendor risk is challenging, especially since big companies can have tens of thousands of vendors across the world.”
Monitoring and responding to cyber attacks is a very difficult job because adversaries always have the upper hand, Shivananda states. “For most companies, it’s a daunting task to monitor and quickly identify actual security incidents in anything remotely close to real-time. Enterprises need a mature monitoring process that can bring together event and alert data from disparate sources into a single repository for correlation, reporting and advanced alerting. This will enable the company to more quickly and efficiently prevent data theft. The reality is that security incidents are unavoidable, but enterprises equipped to respond quickly can significantly mitigate risk.”
New Jersey companies victimized by a cyber attack can get support through the New Jersey State Police’s Cyber Crimes Unit website (www.njsp.org/division/investigations/cyber-crimes.shtml), or by calling 609-584-5051 ext. 5664.