2016-09-21 / Front Page

QC Business Breakfast Hears About Cybercrime

By Thomas Cogan
The topic at last Friday’s Queens College Business Forum was ripped from the headlines, being entitled “Cyber Breach Preparedness and Incident Response.”  Handling the breakfast address in tandem were two men with gigantic titles:  James F. Fox, partner/principal, New York Metro cybersecurity and privacy assurance leader, PricewaterhouseCoopers; and Douglas F. Bloom, director, cybercrime and incident response, also PwC.  Fox started with an ironclad warning:  “Everyone gets breached.” He said he recently advised three companies on strengthening their security, then heard all three ask him if they were now attack-proof.  He had to tell them no.  The great advice in the speakers’ address was that cyber-complacency is unwarranted, but if a company has a security wall and monitors it constantly, always searching for ways a breach can be made, either maliciously or accidentally, and taking countermeasures, security can be maintained.

Fox has delivered his technological skills to a broad range of companies domestically and abroad, while Bloom’s experience includes being a software engineer and a lawyer, as both a federal prosecutor and a criminal defense attorney.  He also teaches law at Fordham University.  Fox said that a recent survey by PwC showed cyberattacks to be half again as frequent as they had been a year earlier.  Bloom said hard intellectual property attacks were up 56 percent in 2015, so how much higher must they be now?  (He said one information technology officer told him his company was attacked an average of 6,000 times per week.)

Those companies are being attacked by people who want to steal their business, Bloom said.  An awful truth, he added, is that many a company board shows low or no interest in this hazard, so he, Fox and other IT advisors have to make them aware of it.

Fox said cyber-attackers work to find breaches or detours that will ultimately take them to that business core. He spoke of one company that had a great deal of its data stored in its parking garage as some sort of off-site convenience, which left it quite unprotected.  It didn’t take attackers long to work their way into it and hack the company extensively.  A frontal attack on a company’s well-protected database might be difficult but finding another way, such as breaking into its suppliers’ database, would be a more extensive, but likelier successful, attack.

Both speakers agreed that attackers look to inside persons to aid them, whether wittingly or unwittingly.  Bloom said disgruntled employees are the main invasion source, “by far.”  One employee was hacking his company’s system on his own, as an embezzler.  His devices were discovered by outside cyber-thieves who were soon making their own heist.

Fox said the leading “threat actors” are first, so-called hacktivists; then, organized crime, which is after money (hacking provides the mob with its best ROI, or rate of return); then nation states (which, in contrast to organized crime, want not a country’s money so much as disruption of its economy).  A state’s operators can plant pinhole cameras, said Fox, “in some of the nicest hotels you’ve ever been in.”  Bloom supplied an anecdote about the time he was in a hotel bathroom when the mirror was fogged up entirely—except for a small, clear circle in the center, behind which a camera was concealed.  Cameras can be placed in many other spots too, to spy on visitors who’ve been set up for such surveillance, for instance to see how they use their laptop computers.

It was important for them also to tell the audience, which contained many businesspersons, about protection procedures.  They said it is necessary to know where vital data is stored and who has access to it.  Employees must be instructed to reject excess access, which they don’t need, especially if they carry it around with them.  Fox said his nearby laptop could be stolen as he spoke, yet his clients would be under no threat of invasion because he has controlled the data and access information in it, to keep it from being a boon to any thief. 

Bloom said access to data is the heart of the matter.  You must have a plan for data control and practice it constantly.  Fox said it is necessary to have such a plan and then another plan to resort to, if or when the first one fails.  You must also have the right people for primary protection or, if need be, damage control.  Get all employees in on the drill, having first informed them how badly a hack could affect their lives.  Have them practice the protection drill until it is second nature to them.

Fox had another statistic, one he found disappointing:  nearly four in 10 cybersecurity jobs go unfilled.  He said they are jobs worth taking, and while they do require experience with IT systems, they’re not limited to tech-heads.  He said there are opportunities across the entire spectrum, and some of them are going begging, notably in a world where the average time for discovery of a breach, he said, is a year and a half.

He said the lax interest that companies often have regarding their systems can be a result of security complacency, the belief that their technology will keep evil away.  It won’t, without constant vigilance.  As Bloom said:  “If you’re not going to look into the information, don’t collect it.”

 

 

 

 

 
