Kevin Ricci is the director of information technology at LGC+D, and since 2006 has served as a founding member and a co-leader of LGC+D Solutions, the firm’s IT Solutions group offering clients specialized information technology expertise and services such as IT auditing, consulting and data analysis.
Following LGC+D’s recent cybercrime breakfast seminar for leading business women, Ricci spoke with Providence Business News about what businesses need to know about cyber attacks and how to protect themselves.
Ricci holds a B.S. in computer information systems from Bryant College, as well as several industry-recognized certifications, including ISACA’s Certified Information Systems Auditor, Certified in Risk and Information Systems Control, and Microsoft’s Certified Systems Engineer.
PBN: Companies today are becoming more and more aware of the basic tenets of cybersecurity – implementing strong passwords, encryption, antivirus software, etc. – but what are some potential threats of the cyber world that are not yet well known or safeguarded against?
RICCI: One of the key threats that can circumvent many of the best technological defenses is “spear phishing.” This type of attack, which is less of an attack and more of a well-crafted deception, is when an attacker sends an email to you posing as a trusted person or entity, such as a bank or credit card company that you do business with. At a quick glance, the sender’s address looks authentic and the message includes details that are specific to you, such as a purchase you have recently made (and posted about on Facebook), so you lower your defenses believing the message to be legitimate.
From there, you will be asked to reply with information, open an attachment, or click a link to a website. If you fulfill any of these seemingly benign requests, the spear phisher has succeeded in making you do their bidding. The reply containing sensitive information such as a PIN is not going to your credit card company, the attachment no doubt contains malware that potentially opened a backdoor for accessing your computer or network, and the link you followed to your bank’s website where you entered your Social Security number is in fact just a well-crafted facsimile run by the spear phisher.
PBN: What kind of training should companies provide for their employees to ensure a strong defense against cyber attacks?
RICCI: The best way to avoid spear phishing and many other types of cyber attacks is by educating your employees on how to be aware of potential security risks, how to avoid them, and to immediately notify the security contact if they suspect one has occurred. This type of training should be held at least once a year, with emailed reminders and mini-trainings being provided on a more frequent basis as risks change or evolve. In addition to providing guidelines and best practices, these trainings should include examples of what damage an attack can inflict to drive home the point of how real these attacks are and how important security is to a company. The training should also include a policy that each employee is required to read and sign, indicating that they understand and will follow the company’s security policies.
PBN: What is cyber insurance and how can it benefit companies looking to protect sensitive data?
RICCI: Cyber insurance refers to policies purchased by a company that help mitigate losses in the event of a cyber crime. There are several different types of cyber insurance policies available that aim to mitigate the wide variety of expenses that can stem from a data breach, including privacy and network liability, network damage, and public relations and response expenses. In addition to limiting the financial damages resulting from a cyber attack, there are other advantages to having cyber insurance. Because most insurance companies base the cost of premiums on a company’s level of preparedness against cyber attacks, this type of insurance may help curb the number of successful attacks by promoting widespread deployment of preventative measures and best practices.
PBN: Is it enough for a company to rely on an annual audit by a third-party IT administrator to ensure its data is protected, or should companies implement other practices as well to evaluate the security of a system?
RICCI: No, it is not enough for a company to rely on an annual audit, because as valuable as it is to receive a third-party assessment, it is only a “point in time” look at the state of a company’s security. Evaluating a company’s data security is a perpetual endeavor, and to accomplish this, periodic internal audits as well as real-time monitoring solutions should be in place, with results reviewed and documented on a frequent basis to assure that the proper security baselines are being met.
PBN: How does LGC+D help its clients understand, identify and prevent cybercrime and other cyber threats?
RICCI: LGC+D can help prevent cyber threats by evaluating your company’s current IT policies, procedures and security and identifying and explaining any vulnerabilities that may exist. An important part of this process is data mapping, or the documentation and understanding of where a company’s most sensitive and important information and data resides, so policies and procedures can be designed to protect those sources. From there, we can provide guidance and solutions that can help you establish the security that you need to protect yourself and your data from the many cyber dangers that threaten your business.