- Cyber security breaches pose a real risk to the technological foundation of commerce
- The scale of hacking makes it a question of “when” not “if” your organisation will be hacked
- Along with appropriate security measures, organisations need a protocol to handle cyber attacks
Forget growing debt or escalating trade wars. The leading concern among banking leaders in the United States is cyber attacks, a survey by the US Depository Trust and Clearing Corporation found. Across the globe - and New Zealand is no exception - threats to the technological foundation of commerce are real.
It's something cyber security expert and "ethical hacker" Daniel Weis knows all too well. His job is to ensure his clients don';t make the headlines by falling prey to the latest hacking scandal.
To beat hackers you have to think like them, and Weis is a recognised expert in his field. He was one of the first 10 people in the world to earn the Certified Ethical Hacker version 7 (CEH v7) certification. Not only does Weis have a professional's trained eye for system weaknesses, he also understands the steps organisations can take to fend off cyber attacks and avoid the ensuing financial and reputational fallout.
Cyber resilience is being able to ride the storm and come out as unscathed as possible.
Being hacked is inevitable
Last year's 4.2 billion-plus recorded security breaches demonstrate just how real the threat of cyber attacks is. However, this figure could be much higher. Cyber attacks often go unreported.
In New Zealand, breach reporting may apply to organisations that are subject to the European Union General Data Protection Regulation (GDPR) regime. But beyond this, reporting is voluntary, though this may change following the introduction of the Privacy Bill in the New Zealand Parliament in March 2018.
The sheer scale of hacking activity has underpinned the view that being hacked is inevitable. As an ethical hacker, Weis aims to ensure the right controls are in place to prevent hackers reaching sensitive data. Ultimately though, "cyber resilience is being able to ride the storm and come out as unscathed as possible," he says.
Hackers are smart
Weis's role reads like something from a sci-fi thriller. He's paid to break into systems to protect organisations from illegal hackers, who often operate from the darknet, where hacking is big business.
Underground forums act like a Trade Me for hackers plying their wares - anything from malware to trojans and bots. Weis is quick to bust the myth that hackers are spotty teens operating from university dorms or suburban bedrooms. It took more than two decades for Weis to become proficient in all aspects of ICT, though he cautions, "Hackers are smart. They are technically very proficient and comfortable in a range of areas of ICT." And they continue to get better every day.
Ironically, the weakest links criminal hackers target can also be among the easiest to strengthen. Weis has breached organisations simply by approaching reception dressed as a service guy, or by imitating legitimate employees. As he explains, "I can come up against the toughest organisations with all sorts of security controls, but they can often be easily bypassed just through an obvious password."
Weis says the good news is that it is becoming harder to hack into company networks. But it takes commitment to stay on top of the latest security vulnerabilities to cut the risk of criminals getting in.
He advises all organisations to take some basic precautions. Stick to well-known sites, check URLs to be sure the site is secure, and don't follow links in emails. He also recommends using Edge as a web browser, having endpoint protection installed on machines, and using a password manager.
It's also worth considering issues created by legacy systems. Are there numerous entry points into the network, and are staff trained in cyber security?
Importantly, does the organisation have an established protocol to respond to security breaches? Weis's experience is that being open and honest about what has happened and explaining how the situation will be addressed can be the start of earning customer forgiveness and thereby preserving the organisation's reputation.
Daniel Weis is a key speaker at New Zealand's 2018 Audit Conference. Sign up to hear him in person.
Audit Conference 2018 | Auckland
Book your tickets to Audit Conference 2018 today.Find out more