Five Actions Your C&RE Organization Can Take to Help Mitigate Cyber Risk

According to the Identity Theft Resource Center, the number of reported breaches dropped from 1,632 in 2017 to 1,244 in 2018. At first glance, it may appear we’re getting ahead of the malicious actors who perform these breaches. However, the number of exposed records in those years has risen from 197.6 million to 446.5 million, meaning hackers are acquiring more data in fewer attacks.¹ In a more connected economy, organizations are continually at risk. Cybercrime continues to grow as the primary motivation for breaches, growing from 77 percent to just above 81 percent in 2018.²

Real estate investment trusts (REIT), for example, face increasing needs for cybersecurity. At 92 percent, more REITs than ever cite increased cybersecurity risks in their Form 10-K filings, up from 63 percent in 2014 and just 24 percent in 2012. Internet-connected equipment, cloud-based software and vulnerabilities among REITs’ tenants or third-party vendors also may pose cybersecurity risk.

In a recent BKD webinar, “More Connected, More at Risk: Addressing Cybersecurity Concerns for Your Organization,” we examined how compromised data is often sold on the dark web. The dark web is a part of the internet not readily accessible through traditional web browsers such as Internet Explorer, Safari or Chrome, thus requiring an anonymizer, such as a Tor (The Onion Router) browser, to access.

The dark web is vast and contains different types of sites, including:

• Discussion forums and chatrooms – Where common vulnerabilities and information about organizations are shared. This is where hackers often discuss plans for attacks against organizations and recruit other members.
• Paste sites – A place for large data dumps. These may include previously compromised and other dated information. Remember, nothing put on the internet ever truly goes away.
• Marketplace – The most common type of site on the dark web where illicit and other items are for sale. These online shops provide:
  • Drugs and paraphernalia
  • Stolen credit cards
  • Compromised health information
  • Personal identities such as personal records, passports and driver’s licenses
  • Hackers for hire

Stolen credit cards, which compose the majority of items for sale on the dark web, only sell for an average of $1 each. This is because financial institutions have improved the response time for deactivating stolen card numbers, meaning the cards may not even be usable—and if they are, they may only be good for one or two purchases before they’re deactivated.

Other data, such as health identities, can go for $50 or higher, as buyers can use this information for a number of services including routine health care checks, prescription drugs and even medical procedures.

A growing threat to organizations is the use of shadow IT. Shadow IT refers to IT-related software or hardware used by employees that’s outside the organization’s ownership and control. This may include software applications, services or wireless devices. Typically employees use shadow IT with good intent, such as to perform their duties more efficiently. However, they unwittingly expose their organization to a potential cyberattack. Since these items aren’t purchased through regular IT procurement channels, security is overlooked. Gartner predicts that by 2020, one-third of successful attacks on businesses will be against shadow IT resources.³

While the internet poses a number of cyberthreats, here are five actions you can take to help mitigate your cyber risk:

• Know your inventory – Understanding what inventory you have and how it’s used to process data is key. An important part of this is the classification of data. Identifying which information is more critical to protect can help your organization classify the systems and databases that support this more sensitive data. It also can help your organization prioritize these systems and better invest in the security budget.
• Educate your team – Technology isn’t a substitute for employee, board, executive and vendor education. It’s important to document and distribute your security policies. Let them know about the risk of shadow IT products, and advise them on how to acquire what’s needed through the appropriate channels. Another key step is to develop a robust incident response program that you annually review and test.
• Limit access – The principle of least privilege is crucial when it comes to both physical and virtual access. Organizations should control the use of administrative privileges and limit access to only those functions an individual needs to perform job tasks. Don’t forget to maintain good physical security as well. Make sure guests, service delivery personnel and vendors are properly vetted and escorted when in sensitive areas of your facility.
• Plan, prevent and prepare – Consider implementing controls to help mitigate the potential risk caused by your fellow workers, such as locking laptops when they’re away from their workstations and filtering out suspicious emails addressed to employees. This also is a great opportunity to look out for shadow IT products that may exist in your environment. Another idea is to develop a cyber incident response program with a policy that’s communicated across the organization. You also can consider cyber insurance, if you don’t already have it.
• Establish backups – Implement a regularly scheduled backup program that meets your organization’s needs and records retention requirements. It’s recommended that your backups are stored at a different location to provide better security. There are benefits to using cloud-based backups. Also remember to not just back up the data, but the applications as well.

BKD Cyber is dedicated to helping organizations assess their cybersecurity risks, improve their cybersecurity protections and respond to a breach. For insights on the dark web and additional recommendations to help you mitigate risk, watch BKD’s recent webinar. For more information, reach out to your BKD trusted advisor or use the Contact Us form below.

_____________________________

¹ Identity Theft Resource Center, "2018 End-of-Year Data Breach Report," https://www.idtheftcenter.org/2018-data-breaches. ↩
² Hackmageddon, "2018 Master Table," Motivation charts, https://www.hackmageddon.com/2018-master-table. ↩
³ Gartner, "Gartner's Top 10 Security Predictions," https://www.gartner.com/smarterwithgartner/top-10-security-predictions-2016/?cm_mmc=social-_-rm-_-gart-_-swg. ↩