Under Attack
Gabelli School Experts Weigh In on Rising Cybersecurity Threats to Business
By Chris Quirk
The U.S. Marshals Service is a federal law enforcement agency with a wide range of responsibilities, including running the Witness Security Program, commonly called the “witness protection program.” On February 17, 2023, officials at the Service learned their computers had been hacked. While a government representative was quick to tell NBC News that no one in the program was in danger as a result of the hack, this incident is a prime example of the potential dangers of cybercrime.
As we rely more and more on social media, online databases, and even the connectivity of appliances in our homes, the potential vulnerabilities that consumers and businesses face are increasing sharply. From annoying spam to the global scale of the Yahoo hack—where the personal information of 3 billion accounts was stolen—cybersecurity breaches will likely affect almost every individual at some point. If you are one of the 183 million credit card holders in the U.S., chances are you’ve received a security alert from your financial institution flagging a suspicious transaction.

As cybercrime becomes more prevalent, cybersecurity is now everyone’s business. For businesses, according to a 2022 study by IBM, the average cost of a data breach is $4.35 million, and 83% of the organizations surveyed stated that they had already been victims of a cyberattack.

THREATS AND VECTORS

Cybercrimes against companies can take various forms, from ransomware, where a company’s data or operations are locked by means of malware or another attack, to breaches of confidential customer data that can lead to financial fraud and the erosion of trust in a firm. Data attacks, said Ed Stroz, BS ’79, come in three basic flavors—they attack either the availability, confidentiality, or integrity of the victim’s data. “Attacks on the availability of data are easy to detect, such as with ransomware,” he said. “Attacks on the confidentiality of the data or the integrity of the data are very difficult to detect and investigate.”

Stroz, a member of Fordham’s board of trustees, is also chair of the advisory board of the University’s International Conference on Cyber Security (ICCS). As a cofounder of the cybersecurity consulting firm Consilience 360, and previously, founder of the digital forensics firm Stroz Friedberg, he has spent the bulk of his career—including 16 years with the FBI—fighting cybercrime.

One particularly insidious type of attack he noted is the use of one company as cover for attacking another company. “Adversaries, in order to conceal their point of origin, will often go into one computer network and use that as a hopping point to get to the main target,” Stroz explained. Once the intrusion is discovered, the blameless party may face a major disruption and be called to account for alleged negligence in allowing the main target to be victimized. “Even if they’re completely innocent, somebody’s saying that they should have noticed that someone was using their system as a way station for a bigger crime. What happened?”

Supply chains are another attractive entry point for a cyberattack, said Robert Chiang, Ph.D., associate professor and area chair of Information, Technology, and Operations at the Gabelli School. “Oftentimes, your supply chain partners will have access to your system so they can manage their logistics and inventory. That can be a huge source of vulnerability, and attackers can go through third-party business partners rather than attacking your system directly,” he said. “Not every business partner is going to be as sophisticated in terms of cybersecurity as you would be.”

Carl Young is a cofounder of Consilience 360 and executive in residence at the Center for Professional Accounting Practices at the Gabelli School. Young worked for 15 years at the FBI as a senior executive focusing on technical issues and for ten years in the private sector. One novel supply chain attack he noted uses actual manufactured goods. “Suppose your business is one where you supply technology to customers. If that technology is itself compromised, that’s a security issue and it’s also a business issue.”

BALANCING THE EQUITIES

But none of this happens in a vacuum. Businesses are always working to implement improvements to streamline consumer experiences and internal business flows, and security can sometimes take a back seat. “You can achieve high efficiency in transactions and analytics. However, if that comes at the cost of data loss or data theft, then you have to make that trade-off explicit,” said Chiang. “Same thing in terms of usability. If people don’t have to use two-step authentication or other security measures, the experience may be marginally smoother, but the likelihood of compromising the integrity of your enterprise systems becomes greater.”
Conundrums such as this emphasize that a business approach to cybersecurity will inevitably involve trade-offs. “It’s a cost-benefit analysis, and it is important to understand that if you had perfect security, you’d probably have no business,” said Young. “There’s got to be some realistic expectations on the part of both security people and on the part of the business, and it’s a constant dialectic where reasonable, smart people want the same thing—namely, they want to have the business operate and they want to be secure—and they’re going to make some reasonable decisions.”

REMEDIES

Given the seemingly relentless onslaught from bad actors, what can businesses do to protect themselves? First and foremost, said Young, is to approach the problem broadly. “I think one of the big issues is that there needs to be a general recognition that it’s not just a technical issue. In general, people view cybersecurity as an exclusively technical issue. It’s become increasingly clear that the issues transcend technology and have a lot to do with governance at a high level and how an institution establishes a culture of security.”

As Chiang pointed out, there is always pressure between business and security needs, which are sometimes at cross-purposes. “But security really has to be an inherent part of the processes, the workflows, and the technologies that are rolled out.” Young strongly concurred: “IT departments typically know what they are doing. So I think it’s important to also bring people together to control and manage the business processes. Get the technologists in the same room with the people that are responsible for governance, so everyone hears the same message. Everyone needs to know the business implications of security restrictions and the business implications of liberal information access.”

Failing to act can be costly in more ways than one, noted Barbara Porco, Ph.D., clinical professor of accounting and associate dean of graduate studies at the Gabelli School, whose research also focuses on environmental, social, and governance (ESG) issues.

“Stakeholders of all types are demanding transparency reporting not just from material financial risks, but also risks associated with weaknesses that could jeopardize the going concern of an organization,” she said. “The consequences of recent security breaches like the ransomware attacks can be unrecoverable from both a loss of asset value to a loss of trust.”

Conversely, Porco noted, addressing the risks posed by cyber threats can lead to benefits beyond just security. “As requirements for ESG disclosures intensify throughout all industries, cybersecurity reporting can enhance a company’s reputation,” she said. “In addition, although the most popular ESG concerns focus on climate change and governance, cybersecurity is a critical social issue, and taking proper measures is an opportunity for an organization to build trust with their stakeholders.”

For consumers looking to reduce risk, a quick but effective cybersecurity enhancement is to use multifactor authentication, or MFA, for sensitive accounts like banks and credit card portals. “Instead of just username and password, there’s something else that you have to have in order to get into an account,” Stroz explained. “People are beginning to accept this more for their personal life and find it valuable.” That acceptance has made it easier for large organizations to implement it, and experts cite it as one of the best defenses against phishing attacks. “A few years ago, if you mentioned multi-factor authentication, people would look at you like you had two heads or they would think you were extreme,” said Young. “But now it’s become standard, and it’s truly an essential security control.”

Zero trust architecture is next-level cybersecurity for organizations. It requires authentication each time access to an information resource is required and essentially eliminates the distinction between internal and external access. “Once you are in, if you want to go from one part of the network to the next, access isn’t automatically granted. You have to once again authenticate, and that inconvenience is what is giving you the security that you need,” said Stroz. “There are a lot of things you can do to segment your network to train your people to put zero trust and multifactor authentication in robustly.”

Finally, Stroz strongly recommends limiting administrative accounts. “Those accounts are very powerful and sought after by hackers. The fewer of those you have, the better.”
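The three controls above, MFA, zero-trust access checks, and least privilege for administrative resources, can be seen working together in a small model. The code below is an added illustration written for this page; it is not code from the article or from any of the firms named in it. It implements a time-based one-time password check following RFC 6238 (so the codes it produces can be compared with that RFC's published test vectors), a legacy perimeter check that trusts any request from an "internal" address, and a zero-trust check that re-authenticates every request regardless of where it comes from and refuses administrative resources to non-admin roles. The account names, password, network range, and resource paths are constructed for the example; the shared secret is the RFC test secret, not anything real.

```python
import hashlib
import hmac
import ipaddress
import secrets
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Shared secret from RFC 4226 / RFC 6238 test vectors, used only so the codes are checkable.
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time password per RFC 4226 with dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP over the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Accept the current step plus/minus drift_steps for clock skew; compare in constant time."""
    counter = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-drift_steps, drift_steps + 1)
    )


@dataclass
class Account:
    name: str
    role: str          # "user" or "admin" (constructed roles for the example)
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes


def new_account(name: str, role: str, password: str, totp_secret: bytes) -> Account:
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return Account(name, role, salt, pw_hash, totp_secret)


def password_ok(acct: Account, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, acct.pw_hash)


@dataclass
class Request:
    user: str
    resource: str                  # e.g. "payroll/reports" or "admin/users" (constructed)
    source_ip: str
    password: Optional[str] = None
    totp_code: Optional[str] = None


INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed "inside" range for the legacy model


def perimeter_check(req: Request) -> bool:
    """Legacy model: anything already inside the network is trusted, so a compromised
    internal host can reach any resource without presenting credentials."""
    return ipaddress.ip_address(req.source_ip) in INTERNAL_NET


def zero_trust_check(req: Request, directory: Dict[str, Account], now: int) -> bool:
    """Zero-trust model: every request re-authenticates (password + TOTP) and is authorized
    per resource; the source address plays no part in the decision."""
    acct = directory.get(req.user)
    if acct is None or req.password is None or req.totp_code is None:
        return False
    if not password_ok(acct, req.password):
        return False
    if not verify_totp(acct.totp_secret, req.totp_code, now):
        return False
    # Least privilege: administrative resources require the admin role.
    if req.resource.startswith("admin/") and acct.role != "admin":
        return False
    return True


def demo() -> Dict[str, bool]:
    """Contrast the two models on constructed requests; every value should be True."""
    directory = {"alice": new_account("alice", "user", "correct horse battery", TEST_SECRET)}
    now = 59  # RFC 6238 test time; a real deployment uses int(time.time())
    insider_no_creds = Request("alice", "payroll/reports", "10.1.2.3")
    external_with_mfa = Request("alice", "payroll/reports", "203.0.113.7",
                                "correct horse battery", totp(TEST_SECRET, now))
    non_admin_on_admin = Request("alice", "admin/users", "203.0.113.7",
                                 "correct horse battery", totp(TEST_SECRET, now))
    return {
        "perimeter_admits_insider_without_creds": perimeter_check(insider_no_creds),
        "zero_trust_rejects_insider_without_creds": not zero_trust_check(insider_no_creds, directory, now),
        "zero_trust_admits_external_with_mfa": zero_trust_check(external_with_mfa, directory, now),
        "zero_trust_blocks_non_admin_on_admin_resource": not zero_trust_check(non_admin_on_admin, directory, now),
    }
```

The point of the contrast is the one Stroz makes: under the perimeter model, the "hopping point" host that an adversary has already compromised is indistinguishable from a legitimate insider, while under the zero-trust model the same request fails because it carries no fresh proof of identity. Keeping the admin role check separate from authentication is what limits the blast radius of the few administrative accounts an organization does retain.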

NO END IN SIGHT

As the “attack surface”—as security experts call it—in a networked society expands with more devices and the Internet of Things (IoT), so do the risks and the opportunities for individuals with malicious intent. “People are always attempting to exploit various system vulnerabilities and look for ways to steal and do bad things,” Young said. “No one is particularly good at predicting how they’re going to do it, but whatever new technology is developed, I’m sure there will be people who are looking to exploit it.”

-Chris Quirk is a freelance writer based in New York.