You’ve Been Hacked

you have either been hacked or you just don’t know that you’ve been hacked. Talk to any cybersecurity expert and you likely will hear that phrase in one form or another. It’s a truism of today’s world, and “no one is immune,” said Nadya Bartol, associate director and cybersecurity capability leader of BCG Platinion. “Everyone will get hacked at some time. You can only reduce your risk, you will not stop it.”

It could be through an email, such as:

• Subject: Information Verification Required [FROM: your bank]: Complete attached form and return;
• Subject: Send Payment ASAP [FROM: company president’s name/email]: Katie, Please send a cashier’s check immediately to pay the attached.

Phishing emails masquerade as from a legitimate entity such as one with whom the employee does business or a senior company executive. While the impact of a dishonest money request is obvious, the effects of a link or downloaded attachment may be less immediately evident but can carry a malicious virus that infiltrates your entire system.

But email is just one way that hackers can penetrate a data system. The Dictionary.com definition of hack is to “use a computer to gain unauthorized access to data in a system.” This can be done in various ways, and you may not even know your system has been hacked. The perpetrator may not have yet reached anything of importance or not yet done anything with the information attained. And that perpetrator can have a range of purposes: It may be “just for fun” to see if it can be done; it could be a criminal or organization seeking to find and sell IDs or otherwise make money. Or perhaps activists want to disable a system or make a point. There are even nation states wanting to bring down a power or conduct espionage.

Sometimes perpetrators end up in an area of your system that was never intended. For example, they were hacking into the financial data and found a door into your production system. At this point, they may simply back out because they’re not interested in that area. Or they could sell the information to someone who would be interested in wreaking havoc with your production — stopping the line, changing ingredients, stealing secret recipes, etc.

PREVENTION. It is impossible to completely prevent hacking, but there are ways to increase your cybersecurity and lessen effects.

1. Hire an expert. “There has to be a qualified person driving security with the appropriate authority and budget,” Bartol said. “Without that, all else are Band-Aids.” Small companies are not immune. In fact, a perpetrator may see them as easier access into the supply chain to link to a larger business. Companies without sufficient internal resources should bring in an outside consultant, said DNV GL Cyber Security Senior Consultant Craig Reeds, explaining that retaining a consultant does not have to be expensive.

2. Set policies. Whether internal or external, your IT person also should be responsible for setting cybersecurity policies which are reviewed and updated at least once a year, according to Reeds. “If they are more than two years old, they’re antiquated,” he said. For areas of low importance or vulnerability, simple solutions can be applied, such as firewalls, port locks, and black and white email lists.

3. Conduct a vulnerability assessment. Similar to that of a food safety or defense risk assessment, businesses should assess and test their systems for vulnerabilities, then prioritize and secure areas determined to be at greatest risk. “A locked door keeps an honest person honest,” Reeds said, but it doesn’t keep out someone who really wants in. Additionally, phishing emails are often very well crafted and able to mask the real sender’s address.

4. Mimic your bank. If you walk into a bank to withdraw a couple hundred dollars from your account, a teller can usually fill your request with money from her drawer. But if you’d like a few thousand dollars, there will likely be a higher layer of security. Should you want tens of thousands, it will generally require management-level access to the vault, and likely a pre-request. Use that same system of layers for your data. Segment your production data from your financial data and put the most important information in a “vault,” Bartol said. “You want to keep your system’s crown jewels behind layers of security.”

5. Educate — and re-educate employees. Although emails can be so well-crafted that no amount of training will ensure nothing gets through, employees should be educated on phishing schemes. Training also should include care in accessing websites, what is normal and not in the system, and who is authorized to access the system — and who is not. “You can’t train only once,” Reeds said. “It has to be constant and everyone should be in the training.”

Businesses should consider cybersecurity in the same way they do food safety, taking a risk-based approach and creating a culture of security.

“Because bad things happen, we have to be proactive in how we’re going to respond,” Bartol said. “Think about it from the beginning, when it is first implemented instead of at the end. Think about it like safety — it becomes how you think about it.”

The author is Editor of QA magazine. She can be reached at llupo@gie.net.