“Warning: Your computer systems have been hacked.”
It’s the news no executive team wants to hear, but it’s become increasingly commonplace in today’s interconnected world.
In March 2014, just months after Target and Neiman Marcus fell victim to cyber attacks, another threat to data privacy was discovered: the “Heartbleed” bug. This vulnerability is a flaw in the widely used OpenSSL library, which is responsible for the encryption of Internet data (including usernames, passwords and credit card information). In fact, reportedly two-thirds of all websites use the OpenSSL software for their online communication.
The vulnerability could have allowed hackers to obtain information stored in the memory of the affected systems. Fortunately, organizations running the exposed versions could repair the issue by upgrading to a newly released version of OpenSSL. However, the extent of the damage has not been fully determined, and Internet users’ personal data was vulnerable for more than two years until those fixes were provided.
Know your risks
Executives can sometimes be caught unaware of the prevalence of computer security breaches — mistakenly presuming that these attacks and network disruptions happen only in larger entities or other industries. However, cyber attacks are no longer a concern for just large, multinational businesses. According to the 2013 Small Business Technology Survey conducted by the National Small Business Association (NSBA), 44 percent of small businesses have experienced a cyber security attack.
Furthermore, the 2013 Cost of Cyber Crime Study: United States conducted by the Ponemon Institute, a data protection and information security research firm, reported that, in relation to cyber crime, small organizations incur a considerably higher cost ($1,564) than larger organizations ($371) per capita.
Computer security firm Symantec reported in its Internet Security Threat Report 2014 that the repercussions of those attacks included potential damage to brand reputation from media coverage, loss of consumers’ trust, lawsuits and bankruptcy.
Prepare your defenses
Prevention is essential when it comes to making sure malicious hackers don’t vandalize your information systems or make off with your valuable trade secrets, customer lists or financial data. Here are some ways you can minimize the chances of becoming the victim of a cyber attack:
Inventory your data. Catalog where you store customer lists, financial data and inventory information, so you can assess its vulnerability. It may not always be on site. For example, some material may be stored on personal computers in the possession of current and former employees.
Assess risk. In-house or outside IT professionals can help analyze weak spots. They can determine whether you possess the most effective, up-to-date software available to protect against dangerous virtual predators like worms, malware, trojans and viruses.
KraftCPAs’ information systems (IS) security team performs penetration (pen) tests for clients of all sizes across many industries. Pen tests are not required for every business, but they do provide valuable insight that can benefit any company.
Communicate with vendors. Data security is a collaborative effort among all of a company’s partners. For example, if you grant a third-party shipping company access to proprietary supply chain data — such as your customers’ demand and inventory levels — that information could be stolen if a hacker breaches the shipping company’s computer systems.
Limit data-sharing to only those supply-chain partners that absolutely need it. Don’t be afraid to inquire about your partnering companies’ IT security programs or request those vendors with weak IT controls to beef up their efforts.
Protect your business
Unfortunately, some businesses don’t know that their systems, intellectual property and important business records are vulnerable to cyber attacks until it’s too late. Contact your KraftCPAs advisor, or a member of our IS assurance and consulting practice, to discuss how we can help with your IS security measures.