Cybercrime is so rampant today that even as the director and chief examiner for Digital Forensics Inc., I am not immune. In fact, last year’s data breach of the US Office of Personnel Management (OPM) made me a poster child for cybercrime. That hack exposed the data of more than 18 million former and current government employees, including me, a former National Security Agency cryptologist. To make matters worse, the OPM data is now rumored to be in the hands of ISIS.
The OPM hack is just one example, and many more appear daily—a seemingly unstoppable cavalcade of cyber horror that could easily make a cybersecurity professional scream, “THE SKY IS FALLING!” Unfortunately, for many organizations, the sky IS falling. Think Target, TJ Maxx, Ashley Madison, TalkTalk, Sony Pictures and VTech. I could go on.
So what is an enterprise to do? What can possibly be done in the face of this avalanche of cybercrime? Should we hide our heads in the sand? Never, EVER use the Internet? No email? No online shopping or banking? That may be an option—but it’s a short-sighted and inconvenient one. What about people—nearly everyone these days—who rely on the cyber world? What about organizations that cannot live without ecommerce sites, email and everything else that makes the modern world tick?
A little background on what I do for a living: I use investigative and forensic procedures, tools, and industry-standard hardware and software to recover, safeguard, analyze and protect digital assets. I edit a daily threat brief and see up close how organizations become victims of cybercrime. I write blogs and tweet on cybercrime. I live, eat and breathe this stuff.
So what have I learned? What can organizations do to fight this scourge? The answer is simple, and yet the solution is often maddeningly elusive. That is because humans are the weak link in all of this. The biggest threat, for example, is an employee who receives an email that looks legit. Maybe the message appears to be from UPS a day after he ordered something from Amazon. Maybe he clicks on a link that is, in actuality, a spear-phishing lure that installs backdoor Trojan malware. And the worst part of all this? The individual and the organization probably have no idea they are victims of a cybercrime. And until they do find the attack—which may take years—all of their data will be flowing out, on a daily basis, to the cybercriminals to use as they please.
Why does a simple click on an email turn into an epic data breach that will take the organization years to recover from, if it does at all? Because everyone is so concerned about what is coming in through the firewall that they are not looking at traffic that is exiting. Sometimes it is the “sloth effect” that gets organizations in trouble. A network administrator fails to patch a well-publicized hole and, as a result, cybercriminals harvest the organization’s data for years before the breach is even discovered.
What can you do? Educate employees on the fundamentals of cyber safety, of course. Provide continuous communication on the types of cybercrimes employees need to look out for. Do something as simple as training your employees to not click on email links even if the email appears to be legitimate. Teach them to never give other humans their personally identifiable information. Organizations also need to hire certified and skilled cybersecurity practitioners. They get it.
While much of this seems painfully obvious to the cybersecurity practitioner, I see every day that many companies are not even doing the basics of cybercrime prevention. If enterprises practiced the fundamentals of cybersecurity, the number of successful cybercrimes would be dramatically reduced.
(About the author: Daniel Libby is director and chief examiner, Digital Forensics Inc., and a member of ISACA. This post originally appeared on the ISACA blog.)