Facing the Inevitabilities of Cybercrime
Preparing your business for the impact of a breach
Cybercrime is an intractable threat to companies around the world. Issues of cybersecurity are enmeshed in our social structures and in the accelerating pace of our technologies. A cyber breach is no longer an “if” but a “when” proposition. It is going to happen.
Daunting. And yet there are actionable steps that every business can take to protect itself and its stakeholders.
Nuts and bolts
Paul Rainbow is SVP and Information Security Officer at Umpqua Bank. “Basic security hygiene is all about prevention,” he says. These are quick steps that every business should take:
- Install antivirus and antimalware protection on every computer
- Implement firewalls
- Be cautious about what you put directly on the internet
- Put an authentication PIN on every company phone
- Keep your systems current with automatic updates
- Maintain strong passwords for different programs and websites
- Store passwords in a password vault that’s installed on your systems
- Use multi-factor authentication whenever possible
But the underlying ingredient to these tactical steps, according to Rainbow, is security awareness.
“Your employees must possess and practice security awareness, especially around social engineering. They need to know not to click on links inside an email message or respond to text messages and phone calls from unknown or unexpected individuals,” says Rainbow.
Another fundamental cornerstone of cybersecurity is safeguarding physical access. “If a criminal gets physical access to your laptop device, they have tools where they can pull the password hash and use rainbow tables to access everything.[1] Hard drive encryption is a solid security measure that anyone can take to protect company and personal data,” says Rainbow.
At their core, the steps that people take to protect themselves at home are exactly the same steps that companies of every size should implement.
“The protective measures that we encourage customers to adopt are exactly the same measures we enforce internally at the bank,” says Rainbow. “Obviously, the level of sophistication and the money that we invest in our infrastructure dramatically help protect the bank at scale, but the basic hygiene is the same that I do at home.”
Taking stock of your infrastructure
Wu-chang Feng is a professor in the Department of Computer Science at Portland State University, where he works on topics in networking and security.
Professor Feng encourages companies to look for software that is continually being tested, maintained, updated, and repaired. “The Chrome web browser, for instance, goes through rigorous testing. Like every night, they’re fuzzing the heck out of the browser. There are more security features built within Chrome than just about any other software application that I know of,” he says.
Sheltered Harbor is a third-party partner to financial firms. The company was formed to protect the banking system from a significant cyber attack.
“The financial data that we protect is not connected to any network that institutions have access to,” explains Trey Maust, Sheltered Harbor’s CEO. “It’s offline, so it can’t be breached.”
At the close of every business day, Sheltered Harbor’s clients back up critical customer account data into the vault. This vault is encrypted, unchangeable, and completely separated from the client’s infrastructure, including all backups.
Sheltered Harbor’s model provides an interesting direction forward: semi-analog security for a hyper-digital world.
The future of security
Kathryn Albright is Executive Vice President and Head of Global Payments & Deposits at Umpqua Bank. She works with clients to identify solutions and technologies that they can employ to gain efficiencies in capital management.
“Cybersecurity has to be part of your strategy as a business,” says Albright. “You have to build in the education and training around what to do when you get hit. The more agile you can be in detecting and then acting on fraud, the more effective you’ll be in staunching your losses.”
Cyber training for new hires needs to become part of every company’s standard operating procedures. Cybersecurity must be culturally supported from all levels of the organization.
Cara Snow is the Chief Community Engagement Officer at the Technology Association of Oregon (TAO), a nonprofit helping to establish the Northwest as a global hub for innovation by supporting the regional tech industry through business and policy development.
“There are organizations that are now rolling physical security and internet security together,” says Snow. “Companies hire cybersecurity leads and physical security leads to create comprehensive plans to protect their employees and businesses. This is what security will look like in the future.”
Learn more
This is a fight. And your business needs smart, pragmatic, and resourceful allies at your side. Financial institutions hold a pivotal role in counseling, educating, and guiding businesses through the minefields of cybercrime. At Umpqua Bank, we take this job seriously. Let’s talk about how your business is protected.
[1] Password hashes are the output of cryptographic functions that are very challenging to invert, unless you have the right tools, like rainbow tables. Rainbow tables are precomputed lookup tables used for reversing cryptographic functions such as password hashes.