Under Attack
As cybercrime becomes more prevalent, cybersecurity is now everyone’s business. For businesses, according to IBM’s 2022 Cost of a Data Breach study, the average cost of a data breach is $4.35 million, and 83% of the organizations studied had experienced more than one data breach.
THREATS AND VECTORS
Stroz, a member of Fordham’s board of trustees, is also chair of the advisory board of the University’s International Conference on Cyber Security (ICCS). As a cofounder of the cybersecurity consulting firm Consilience 360, and previously, founder of the digital forensics firm Stroz Friedberg, he has spent the bulk of his career—including 16 years with the FBI—fighting cybercrime.
One particularly insidious type of attack he noted is the use of one company as cover for attacking another. “Adversaries, in order to conceal their point of origin, will often go into one computer network and use that as a hopping point to get to the main target,” Stroz explained. Once the intrusion is discovered, the intermediary, though a victim itself, may face a major disruption and be called to account for alleged negligence in letting its systems be used against the main target. “Even if they’re completely innocent, somebody’s saying that they should have noticed that someone was using their system as a way station for a bigger crime. What happened?”
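What the “hopping point” pattern Stroz describes looks like in a defender’s telemetry, as an added example that is not from the article or its interviewees: a small Python detector that reads sshd “Accepted” lines and flags a host that takes an inbound login from an external address and is then, within a short window, the source of a login to another internal host. The log lines, host names, users and addresses are constructed for the example, the host-to-address inventory (HOST_IPS) and the log year are assumptions, and “internal” is defined as the RFC 1918 ranges.

```python
import re
import ipaddress
from datetime import datetime, timedelta

# Constructed sshd log lines for illustration (not real telemetry). Host names,
# users and addresses are invented; 203.0.113.7 is a documentation-range address
# standing in for an attacker on the Internet.
SAMPLE_LOG = """\
Mar  3 02:14:05 web01 sshd[2201]: Accepted password for svc_backup from 203.0.113.7 port 51522 ssh2
Mar  3 02:16:40 db01 sshd[911]: Accepted password for svc_backup from 10.0.1.20 port 40022 ssh2
Mar  3 02:17:01 fileshare sshd[4023]: Accepted publickey for deploy from 10.0.1.50 port 40110 ssh2
Mar  3 08:00:12 web01 sshd[2290]: Accepted publickey for alice from 10.0.9.9 port 50001 ssh2
Mar  3 08:05:30 db01 sshd[977]: Accepted publickey for alice from 10.0.1.20 port 40100 ssh2
"""

# Assumed asset inventory mapping each host name to its internal address;
# a real detector would pull this from a CMDB or DHCP records.
HOST_IPS = {"web01": "10.0.1.20", "db01": "10.0.1.30", "fileshare": "10.0.1.40"}

LOG_YEAR = 2024  # syslog lines carry no year; assumed here for parsing

# Only RFC 1918 space counts as "inside"; documentation ranges like 203.0.113.0/24
# would be treated as private by ipaddress.is_private, so we check explicitly.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<clock>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port"
)


def is_external(ip: str) -> bool:
    """True when the address lies outside the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)


def parse_events(log: str) -> list:
    """Turn accepted-login lines into time-sorted event dicts; other lines are ignored."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['clock']} {LOG_YEAR}",
                               "%b %d %H:%M:%S %Y")
        events.append({"time": ts, "host": m["host"], "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["time"])


def find_pivots(log: str, host_ips: dict, window_minutes: int = 30) -> list:
    """Flag hosts that received an external login and were then used, within the
    window, as the source of a login to a different internal host."""
    events = parse_events(log)
    pivots = []
    for first in events:
        if not is_external(first["src"]):
            continue  # a chain starts only at an inbound login from outside
        hop_ip = host_ips.get(first["host"])
        if hop_ip is None:
            continue  # host not in inventory; cannot tie its outbound logins to it
        deadline = first["time"] + timedelta(minutes=window_minutes)
        for second in events:
            if (second["src"] == hop_ip and second["host"] != first["host"]
                    and first["time"] <= second["time"] <= deadline):
                pivots.append({
                    "origin": first["src"], "hop": first["host"], "hop_user": first["user"],
                    "target": second["host"], "target_user": second["user"],
                    "delay_seconds": int((second["time"] - first["time"]).total_seconds()),
                })
    return pivots


if __name__ == "__main__":
    for p in find_pivots(SAMPLE_LOG, HOST_IPS):
        print(f"{p['origin']} -> {p['hop']} ({p['hop_user']}) -> "
              f"{p['target']} ({p['target_user']}) after {p['delay_seconds']}s")
```

The later, legitimate login from web01 to db01 is not flagged: it falls outside the window and is not preceded by an external login, which is the distinction a real detection has to preserve to avoid drowning in administrative traffic.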
Supply chains are another attractive entry point for a cyberattack, said Robert Chiang, Ph.D., associate professor and area chair of Information, Technology, and Operations at the Gabelli School. “Oftentimes, your supply chain partners will have access to your system so they can manage their logistics and inventory. That can be a huge source of vulnerability, and attackers can go through third-party business partners rather than attacking your system directly,” he said. “Not every business partner is going to be as sophisticated in terms of cybersecurity as you would be.”
Carl Young is a cofounder of Consilience 360 and executive in residence at the Center for Professional Accounting Practices at the Gabelli School. He spent 15 years at the FBI as a senior executive focusing on technical issues and ten years in the private sector. One supply chain attack he noted travels through the manufactured goods themselves rather than through a partner’s network access. “Suppose your business is one where you supply technology to customers. If that technology is itself compromised, that’s a security issue and it’s also a business issue.”
BALANCING THE EQUITIES
As Chiang pointed out, there is always pressure between business and security needs, which are sometimes at cross-purposes. “But security really has to be an inherent part of the processes, the workflows, and the technologies that are rolled out.” Young strongly concurred: “IT departments typically know what they are doing. So I think it’s important to also bring people together to control and manage the business processes. Get the technologists in the same room with the people that are responsible for governance, so everyone hears the same message. Everyone needs to know the business implications of security restrictions and the business implications of liberal information access.”
Failing to act can be costly in more ways than one, noted Barbara Porco, Ph.D., clinical professor of accounting and associate dean of graduate studies at the Gabelli School, whose research also focuses on environmental, social, and governance (ESG) issues.
“Stakeholders of all types are demanding transparency reporting not just from material financial risks, but also risks associated with weaknesses that could jeopardize the going concern of an organization,” she said. “The consequences of recent security breaches like the ransomware attacks can be unrecoverable from both a loss of asset value to a loss of trust.”
Conversely, Porco noted, addressing the risks posed by cyber threats can lead to benefits beyond just security. “As requirements for ESG disclosures intensify throughout all industries, cybersecurity reporting can enhance a company’s reputation,” she said. “In addition, although the most popular ESG concerns focus on climate change and governance, cybersecurity is a critical social issue, and taking proper measures is an opportunity for an organization to build trust with their stakeholders.”
REMEDIES
For consumers looking to reduce risk, a quick but effective cybersecurity enhancement is to use multifactor authentication, or MFA, for sensitive accounts like banks and credit card portals. “Instead of just username and password, there’s something else that you have to have in order to get into an account,” Stroz explained. “People are beginning to accept this more for their personal life and find it valuable.” That acceptance has made it easier for large organizations to implement it, and experts cite it as one of the best defenses against phishing attacks. Not every second factor is equally strong, though: a one-time code delivered by text message or generated by an authenticator app can still be captured by a phishing site and relayed to the real one within its validity window, whereas hardware-backed FIDO2/WebAuthn credentials are bound to the site’s origin and cannot be replayed that way. “A few years ago, if you mentioned multi-factor authentication, people would look at you like you had two heads or they would think you were extreme,” said Young. “But now it’s become standard, and it’s truly an essential security control.”
Zero trust architecture is the next level of cybersecurity for organizations. Every request for an information resource is authenticated and authorized on its own terms, which essentially eliminates the distinction between internal and external access: being on the corporate network no longer earns trust by itself. “Once you are in, if you want to go from one part of the network to the next, access isn’t automatically granted. You have to once again authenticate, and that inconvenience is what is giving you the security that you need,” said Stroz. “There are a lot of things you can do to segment your network, to train your people, to put zero trust and multifactor authentication in robustly.”
Finally, Stroz strongly recommends limiting administrative accounts. “Those accounts are very powerful and sought after by hackers. The fewer of those you have, the better.”
NO END IN SIGHT
-Chris Quirk is a freelance writer based in New York.