Cyber Risk and Big Data: Security Innovation in the Age of Virtual Work
November 18, 2021
By Jorge Bolaños
Sean Roche, the former Associate Deputy Director for CIA Digital Innovation, spoke at EisnerAmper’s Transformation Nation: Driving Intelligent Growth virtual summit. Sean shared his insights on cybersecurity and how individuals and businesses can improve their digital and cybersecurity posture.
Data is one of the most valuable assets a company or individual can have, so it’s important to protect it at all costs. Examples of data include a secret formula or other proprietary information, personal information such as your social security number or bank account numbers, and even information you wouldn’t think people were after, such as your location or spending habits. Once we understand why people want this information and how hard they’ll work to get it, we can improve our security posture -- which is to say, put ourselves in a better position to protect our data.
Sean discussed his experience in cybersecurity with examples from a national defense standpoint: the techniques used to access the data of terrorist organizations -- both foreign and domestic -- in order to eliminate the threat and keep the homeland safe, namely finding out their locations via cell tower triangulation, IP address, or social media posts with identifying information in the background. While it’s nice to know our government is using these techniques to protect us, we must also be aware that there are individuals and groups out there trying to use those same techniques for malfeasance.
The very first step to improving your security posture is to lose the mindset that you’re not important enough to be a target, or that there is nothing special enough about your data to make it worth protecting. You are, and it is. Granted, you might not be an agent holding top secret documents who is targeted by nation states, but odds are you are employed by a company with funds to pay its employees. Money is generally what we’re all after, and there are people out there willing to do illegal and/or unethical things to get it.
So how do we reduce the risk of being a target? One way is to be aware of your online presence, especially on social media. You might think that keeping your profile private is enough to protect you from bad actors, but there are sites that many join where the purpose is to network and connect the dots with other professionals -- which encourages certain valuable information to be shared publicly. LinkedIn, for example, is a social networking site where people share their work experience with other professionals to network and often find better job opportunities. A threat actor targeting a specific company can now use that familiarity to social engineer you: to manipulate you into thinking they have legitimate business with you and ask you to provide insider information on the company’s behalf. A common example is someone pretending to be an executive and asking you to send them gift cards for some corporate event, which you can supposedly put in your expense report and be reimbursed for later.
This is an example of “spear phishing,” where a little bit of research and reconnaissance personalizes an attack to increase its rate of success. Data is so valuable that most companies have policies in place to control the waste they produce, because threat actors will literally dive into dumpsters in search of data the company tosses into the trash. Most companies have contracts with services such as electronic equipment recycling and document shredding. These are the lengths criminals are willing to go to now that people are becoming more aware of generic phishing scams, which are less effective on a more informed populace.
You probably have an account with a service that uses multifactor authentication (MFA/2FA). When you signed up, they sent a code to your mobile number or email so that, in the event of an attempt to log in from an unrecognized device, you would have to prove to the service you are who you say you are by providing that verification code. This simple extra step can greatly reduce your chances of having your account compromised by someone who managed to obtain your credentials in a successful phishing attack. Users who don’t understand how important MFA/2FA is to cybersecurity often consider that extra step to be inconvenient and opt out whenever possible, leaving them vulnerable to a compromised account.
While it’s refreshing to think that a company providing a free service has its users’ data security in mind, it’s important to question how a company providing a free service makes its money. Sometimes it’s advertisements, but for the most part that company is likely selling your data -- data they legally obtained when you signed it away in their terms of service agreement. The apps you leave open in the background of your phone are collecting all sorts of information, such as where you are, what you’re talking about, who you are, your online activity, and who you communicate with.
Who is buying this data? Generally, it is other companies, who want to put out ads specifically targeted to you based on your interests. While most people consider this a fair trade in return for a free and useful service, there are those who consider it unethical and an invasion of privacy. There is now a movement to require companies that sell your data to present that fact more clearly, like a surgeon general’s warning label on a pack of cigarettes. And then there are criminal organizations buying this data to use maliciously: to craft a phishing attack against you that uses familiarity so you’re more inclined to fall for the scam.
When people think of “data loss protection,” they mostly focus on the cybersecurity protections against hackers trying to steal their coveted data and rarely consider the other ways in which data could be lost. Without proper contingency plans in place, data could be lost due to natural environmental factors. Companies that don’t understand cybersecurity often believe that hosting their data on cloud-based services is risky and that it’s safer on their own servers. While this can be true, it is typically more of a misconception, driven by fearmongering about how the internet is unsafe and anyone can tap into communication and sniff packets out of the air. If you do your due diligence, you will find that most cloud services have certain security requirements to meet to enhance the safety of your data, especially if they want to compete with all the other potential hosts for your business. Cloud servers/services have much more sophisticated means of backup and replication between multiple sites, so when one location is impacted, they can still provide the service. Having an on-site server hosting your data means that the company must maintain multiple levels of redundancy to protect it against end-of-life support and hardware failures, natural disasters, or criminal acts. The cost of cloud-based services generally covers these protections, and the service endeavors to maintain and deliver your data with the most up-to-date encryption standards available -- so all you need to worry about is your internet connection.
You don’t have to be a CIA cybersecurity agent to stop hackers in their tracks. By keeping these concepts in mind and making the appropriate changes to your habits and your system configuration, you can greatly improve your cybersecurity posture and reduce your risk of becoming a victim of a cyber-attack. As an employee at an organization of any size, it is important to remember that data protection is everyone’s responsibility and not just the IT department’s. Being cavalier with your company’s security policies can be seen as a threat to its data integrity and must be avoided.