Square-Off: Are Corporate Cyber Defenses Adequate?
It's not just about the technology, stupid. That's the collective message of the four expert commentators in this CFO Square-Off opinion forum, which addresses the issue of how CFOs and their corporations should be addressing cybersecurity in the face of rapid advances on the hacking front. Instead, finance chiefs should be focusing on their companies' systemic risks rather than just software. However, many companies are failing to address cybersecurity adequately because they tend to underva ..
A rash of recent, politically-motivated cyberattacks has thrust cybersecurity and spear phishing into the spotlight. But as we watch this global political drama unfold, we may be distracted from a much more urgent threat within our own organizations. There’s nothing preventing cyber-savvy criminals from attacking companies with tactics that have already shown their effectiveness in the political realm.
Identity deception played a major role attacks like the one that struck the email system of John Podesta, Hillary Clinton’s presidential campaign chief, last year. Such deceit has become a major cyber security challenge because it targets the weakest link: the end user. Social engineering techniques have evolved to a state where it is no longer a question of if someone will fall for an attack, only when. But does the private sector really understand the business threat, and are corporate cyber defenses strong enough?
The problem is that many companies are blind to the threat, as well as the potential damages. Between October 2013 and December 2016, the FBI documented $5.3 billion in losses from business email compromise (BEC) attacks, a prevalent form of targeted email attack which typically uses some form of identity deception. Key company executives have also been fired after their companies fell victim to a cyberattack.
The first step in addressing the threat is to understand it. Some organizations are concerned that attackers may attempt to spoof them to consumers, typically as part of phishing campaigns. Others worry about emails targeting their employees (e.g., BEC emails); attempts to trick employees to download ransomware; or attempts to infiltrate the organization to steal sensitive data.
Still others worry about the liability of an employee account being taken over by an attacker and used as a launchpad in other attacks. Different threats correspond to different countermeasures, with the most important distinguishing factor being whether the threat picture involves targeted attacks or not. That’s is because traditional security measures use “blacklisting”, which can detect scattershot phishing emails, mass-malware campaigns, or typical spam, but fail to detect targeted attacks.
For a quick take on an organization’s cybersecurity defenses, a good indicator is its DMARC record. DMARC is a free, open email authentication standard that companies can set up themselves to get a quick take on their organization’s cybersecurity preparedness. (Full disclosure: Agari offers a service for the implementation, monitoring, and reporting of DMARC.)
Besides functioning as a litmus test of preparedness, the standard also addresses a critical security vulnerability: spoofing. In fact, the U.K. government has mandated that all government agencies use DMARC.
But enterprises shouldn’t wait for government guidance to understand their security needs. Every company should implement cybersecurity technologies that combine traditional email filters with a system that can detect identity deception.
Further, the security industry should do its part by identifying attack trends and making them public. This will help decision-makers stay informed. For our part, Agari is observing a demonstrable increase in the volume of attacks from corrupted accounts. These compromised email accounts, and the emails sent from them, are particularly hard to detect with traditional security technologies.
In the current political environment, it seems we’ll be focused on Russia for some time to come. It would be beneficial if the scrutiny is not limited to their involvement in 2016, but also how to prevent these attacks in the future — for both the private as well as the public sector. Ultimately, the private sector can’t rely on the government to solve this problem, but any insights that are useful for the government are bound to be valuable for enterprises.
Markus Jakobsson is the chief scientist at Agari, a cybersecurity firm.