5 Best Practices to Integrate Cybersecurity With Your Business Strategy

What Does an Effective Business Strategy Look Like?

For many businesses, it’s been a long time since the business strategy was initially developed. If it was created a few years ago, it’s likely missing cybersecurity as one of its strategic initiatives. The role of cybersecurity has dramatically changed for the C-suite and should be re-evaluated in terms of its impact on strategy.

Any successful business will have a solid definition of its mission, values, and goals. In today’s landscape, every organization is in the business of cybersecurity. It should have a significant part to play in the overall strategy for the company’s success. How can you do this? By adopting the following five best practices to integrate cybersecurity with your business strategy.

5 Ways to Integrate Cybersecurity With Your Business Strategy

Integrating cybersecurity with your business strategy shouldn’t be as painstaking as it may initially seem. Whether you’re in the beginning phases of establishing a business strategy or your organization is re-evaluating your long-term goals, you can follow these five best practices as a starting point to integrate cybersecurity with your business strategy.

1. Identify your business’ key goals and aspirations

What is the overall purpose of your organization? Evaluate the specific milestones you have set to realize that purpose and now look at them in a new way. How does cybersecurity make or break the mission? These are important considerations to integrate into your strategic initiatives.

2. Pinpoint areas of weakness in your cybersecurity hygiene

When you evaluate risk throughout the organization, C-level executives are particularly strong at considering threats impacting financial risk, competitive changes, loss of key employees, market shifts, environmental events, and other disasters. Now, add cybersecurity risk to this same equation. Don’t make the mistake of assuming an IT department is covering this base. Executives must seek out the same details on potential impact from cybersecurity threats as they do in other areas. Conducting a risk analysis can help you identify weak areas in your cybersecurity hygiene and risk-rank vulnerabilities that need to be addressed first. You might need a third-party information security expert to provide an unbiased view of your risk. Specialists at KirkpatrickPrice can help pinpoint weak areas in your cybersecurity hygiene, give you advice on how to remediate those findings, and help fine tune your strategic initiatives.

3. Determine how your people, processes, and technology need to evolve

The cybersecurity landscape is constantly changing, and you need to make sure that your people, processes, and technology are able to swiftly adapt. Humans are generally the root cause of security incidents – whether it’s out of ignorance or deceit – and so it’s up to your organization to ensure that all personnel understand the cyber threats they’re faced with on a day-to-day basis. Requiring annual, thorough security awareness training is one way to do this. As for your processes and technology, how often do you update them to meet information security best practices? Do you conduct internal audits to validate the security of your processes and technology? Are you making investments in technology that will improve the cybersecurity of your organization?

4. Implement a strategy for cybersecurity best practices

Once you’ve identified your key goals and aspirations, identified areas of weakness in your cybersecurity hygiene, and found ways that your people, processes, and technology need to evolve, you need to decide how exactly you’ll be implementing these five best practices. Will you use a framework like NIST to guide your efforts? Will it require you to partner with an MSP or hire more IT personnel? Do you need to hire an independent, third-party firm to validate your cybersecurity efforts?

5. Leverage cybersecurity and compliance for success

Strategic planning is what guides all that you do in your organization. Cybersecurity and compliance are strategic initiatives that serve as benchmarks for your business. Do we have a cybersecurity mission? Have we identified our cybersecurity goals? What are the plans to get there? Have we defined the resources we need? Are we monitoring our progress to quantify success? Ultimately, these will become strengths that are important to your clients and other stakeholders. You might train your sales and marketing teams on how to communicate your strategic differentiation in the market because of your cybersecurity and compliance strengths. Leading firms have a dedicated cybersecurity landing page on their website that explains the “why” behind cybersecurity and how it serves as a strategic goal in their business.

All in all, cybersecurity can no longer be an afterthought or kept at arms-length from the boardroom. It must be a proactive effort – one that is ingrained in the company culture and strategic purpose. If your business is struggling to adopt these five best practices to integrate cybersecurity with your business strategy, let’s find some time to talk to see how we can help you.


How Much Is Your Data Worth to Hackers?

How much do you think a buyer on the dark web would pay for stolen data?

How much would you estimate a hacker can profit off of personal data?

The truth is, the price of stolen data is worth the risk for hackers but always costly for organizations that store, process, transmit, or destroy personal data.

How Do Hackers Make Money?

When a system is breached and personal data is stolen, the hacker involved in the malicious activity will typically sell or advertise that data on the dark web. Even if your company is small, a hacker will cast a wide net to obtain stolen information from multiple sources.

If they steal personal data from your organization, it will cost you money – that’s the end of it. It’s up to you to decide if the cost of stolen data is worth it, or if proper information security testing is a better investment.

How Much is Hacked Data Sold For

Symantec released an in-depth Internet Security Threat Report in 2019 that lays out a cost sheet for the most commonly sold personal data.

Here’s how much hackers earn after stealing the personal data you are responsible for:

  • Online banking account – 0.5%-10% of value
  • Cloud service account – $5-$10
  • Hacked email accounts (groups of 2,500+) – $1-$15
  • Hotel loyalty from reward program accounts with 100,000 points – $10-20
  • Stolen identity – $0.10-$1.50
  • Medical notes or prescriptions – $15-20
  • Stolen medical records – $0.10-$35
  • ID or passport – $1-35
  • Full ID – $30-100

While these numbers may seem small for individual pieces of data, the total value quickly adds up across an entire dataset.

If you store passport data, how much could a hacker earn by breaching your database? If you process online payments, how much could a hacker earn by skimming your site? The value of a single individual’s record may be minor, but when you view it in terms of entire databases of personal information, the costs can make a huge impact.

The Real Cost of a Personal Data Breach

Let’s take a look at a recent breach that made headlines – DoorDash. The food delivery service was breached in September 2019 when a hacker stole private information of 4.9 million customers and delivery workers which included full names, delivery addresses, phone numbers, digits of credit cards and bank accounts, and hashed passwords.

If we use the data from Symantec’s report that claims, at the cheapest price, full ID packages can be sold for $30, we can estimate that the personal data stolen from DoorDash was worth $147 million. The hacker that breached DoorDash’s system is probably sitting on a good profit right now. Do you want your organization to be the next target for a hacker looking to make a good buck off stolen personal data?

How to Stop the Hacking Money Machine

So, what can you do to protect your organization from fueling the money machine of hackers selling personal data on the dark web?

You can start by annually testing your processes and controls to make sure your system can withstand common hacking tactics, whether that’s through your internal audit team or the external penetration testers who are skilled enough to spot suspicious activity. Staying updated on current hacking tactics provides greater assurance that your employees will recognize an attack early on.

Organizations have a great responsibility to protect individuals’ personal data because they store, transmit, process, and destroy so much of it. Whether it be employee data or client data, you need to have practices in place that secure information and work against a hacker’s tactics.

If you’re interested in learning more about third party penetration testing to mitigate the risks you face, contact KirkpatrickPrice today!


Dangers of XSS Attacks at Healthcare Organizations

In October 2019, Citizen Times reported that Mission Health, North Carolina’s sixth-largest health system and HCA Healthcare’s North Carolina Division, had disclosed a data breach caused by a cross-site scripting (XSS) attack.

Cross-site scripting (XSS) vulnerabilities rank among OWASP’s top 10 web application security risks. XSS occurs when a web application doesn’t properly sanitize user input and that input (such as malicious code) is either reflected or stored on the returned page. The best way to combat the dangers of XSS vulnerabilities is to perform code review before the application goes into production.

This attack, which injected malicious scripts into Mission Health’s e-commerce web application, wasn’t found for three years. Fortunately, the e-commerce site didn’t impact any PHI, but three years’ worth of names, addresses, payment card numbers, expiration dates, and CVV codes were sent to unauthorized individuals.

Can you imagine if this XSS attack targeted a web application that touched PHI? Could code review have found this XSS flaw? Would penetration testing have helped? This data breach is just one more example of the added precautions healthcare organizations must take to identify all areas of risk and implement cybersecurity best practices, even if they have to go beyond HIPAA requirements.

Cybersecurity in Healthcare

The number of data breaches that occur within healthcare proves it to be an industry that isn’t keeping up with the cybersecurity threat landscape. According to IBM’s 2019 Cost of a Data Breach Report, the healthcare industry has the most expensive data breaches – the average totaling $6.45 million.

What makes data breaches even more expensive? Time. The time it takes to find the breach and the time it takes to contain and respond to it. IBM reports that, on average, it takes organizations 206 days to identify a data breach and 73 days to contain that breach.

That means when a data breach occurs, it will take the organization about nine months just to find and stop it. Unfortunately for Mission Health, the time it took them to find the injected malicious scripts was about three years – much higher than average.

Perform Code Review to Find Cross-Site Scripting Flaws

Cross-site scripting occurs when a web application doesn’t properly sanitize user input and that input (such as malicious code) is either reflected or stored on the returned page. In Mission Health’s case, it was stored – which can have a severe impact. Web applications are one of the most common attack surfaces for data breaches, and OWASP has determined that XSS flaws are among the 10 most critical security risks to web applications.

It’s extremely difficult to find and remove XSS flaws from a web application, but OWASP says:

“The best way to find flaws is to perform a security review of the code and search for all places where input from an HTTP request could possibly make its way into the HTML output.”

Code review is a tedious job, but someone needs to do it so that XSS flaws or injected malicious scripts don’t go unnoticed for three years.

Part of thorough code review is testing against OWASP’s XSS prevention rules:

  • Never Insert Untrusted Data Except in Allowed Locations
  • HTML Escape Before Inserting Untrusted Data into HTML Element Content
  • Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
  • JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
  • HTML escape JSON values in an HTML context and read the data with JSON.parse
  • CSS Escape And Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values
  • URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values
  • Sanitize HTML Markup with a Library Designed for the Job
  • Avoid JavaScript URLs
  • Prevent DOM-based XSS
  • Use HTTPOnly cookie flag
  • Implement Content Security Policy
  • Use an Auto-Escaping Template System
  • Use the X-XSS-Protection Response Header
  • Properly use modern JS frameworks like Angular (2+) or ReactJS

Web Application Penetration Testing

Once code review is performed, a web application penetration test should also take place. The goal of the penetration test is for no additional web application vulnerabilities to be discovered. If there are, that means the code review wasn’t thorough enough – but penetration testing is valuable for validating this.

Web applications can be problematic for many security analysts who don’t have the experience to be testing them – especially if it’s done in conjunction with code review. We often see other firms blindly assign an analyst to a web application project, but without the proper knowledge and expertise, a penetration tester can miss important findings within the web application. That’s why web application penetration testing methods at KirkpatrickPrice include the following, plus more:

  • Forced Browsing
  • Session Management
  • Cookie Manipulation
  • Source Code Disclosure
  • Response Splitting
  • File Upload/Download Attacks
  • URL Manipulation
  • Injection Attacks for HTML, SQL, XML, SOAP, XPATH, LDAP, Command
  • XSS

At KirkpatrickPrice, we also take a hybrid approach to code review that includes both automation and manual assessment in order to find any vulnerability that, if discovered, could be abused. Our team of highly skilled penetration testers has the expertise to understand the complexities of your code.

If you want to avoid a data breach due to unnoticed, cross-site scripting flaws like the one at Mission Health, contact us today.


4 Ways to Minimize Risk in IoT Devices

Internet of Things (IoT) technology makes daily tasks easier. From smart home devices to entire smart cities, these interconnected devices are changing the way we interact, do business, and live our lives. But with any new technology implementation, there are risks involved, and this especially rings true for IoT. Because the demand for IoT devices is projected to rapidly increase — Gartner predicts that the number of IoT devices in use will reach 20.4 billion by 2020 — organizations must be proactive in mitigating the threats to IoT technology. So, how can they do that? Here are four ways to minimize risk in IoT devices.

4 Ways to Minimize Risk in IoT Devices

1. Take Inventory

The first step in reducing the risks associated with using IoT devices is taking inventory. What IoT devices are currently connected to your network? How are they being managed? How are you updated when a new IoT device is added to your environment? What BYOD policies do you have in place? To limit the attack surface, knowing what you have is crucial. This means knowing what devices, both hardware and software, your organization has deployed as well as the IoT devices your employees bring into your environment.

2. Design for Security

Organizations are quickly developing and adopting their own IoT technologies, and with that, vulnerabilities are bound to slip through the cracks. Rushed development and/or implementation can have detrimental results. When adopting or deploying IoT technology, organizations must be sure to carefully design for security. Developers must be proactive and lay a foundation for security before the device falls victim to potential attacks like malware, ransomware, or DDoS. For example, during the development stage, developers need to consider what type of data must be collected and how it will be secured. For IoT devices that transmit sensitive data like protected health information or payment card data, organizations should consider protective controls such as firewalls and encryption of data in transit (for example, SSL/TLS). In recent cases, healthcare devices are amongst the most vulnerable IoT devices for malicious attacks, like the Medtronic CareLink 2090 — a device designed to monitor pacemaker settings — and the Medtronic MiniMed 508 — a device used to monitor insulin. Because these devices had poor authentication and encryption features, the software became vulnerable to malware infections and malicious use, putting patient lives at risk.

3. Perform Risk Assessments

Whether your organization offers IoT technology as a product or service or uses it to conduct business, performing a risk assessment is essential for mitigating any and all potential vulnerabilities. Even if the IoT device has been developed with security in mind, there could still be unidentified vulnerabilities that could be exploited by a malicious hacker. Not to mention, there are likely IoT devices in use by your organization that you might not consider a traditional attack vector, and those devices are equally as important to assess. For example, an American casino experienced a data breach via their aquarium because a malicious hacker compromised their IoT temperature sensor, gained access to their network, and stole data about high-paying customers. By performing a risk assessment, organizations will be able to identify and mitigate potential weaknesses, no matter where or how seemingly non-threatening they may be, in their IoT technology and will be more prepared to avoid possible security incidents.

4. Undergo Penetration Testing

Before deploying any IoT technology, organizations would be wise to undergo IoT penetration testing. Why? Because even with the most experienced development and internal audit teams, some vulnerabilities may remain undiscovered. By receiving third-party assurance via penetration testing of the IoT devices your organization is using, you can ensure that your organization’s data and reputation remain secure.

Securing Your IoT Devices: Invest Now or Pay the Price Later

According to Symantec, “IoT devices experience an average of 5,200 attacks per month” and were an emerging attack vector throughout 2018. Considering this, as threats against IoT devices continue to rise and organizations continue to quickly adopt IoT technology, mitigating the risks associated with using such devices needs to be taken more seriously. By using these four steps to minimize risk in IoT devices, your organization can help secure your data, protect your reputation, and gain peace of mind that the IoT devices in use are as secure as possible. It’s not worth rushing the development or implementation of an IoT device that could lead to a breach later. Invest in security from the start, so you can prevent potential costly data breaches in the future.

Want to learn more about how you can minimize risk in IoT devices? Contact us today to find out how KirkpatrickPrice can help you ensure the security, availability, and confidentiality of the IoT devices your organization uses through penetration testing.


What is the Difference Between Phishing and Spear-Phishing?

Imagine this… Your employee, Kevin, sits down at the office and opens his email inbox. The first message is from the CEO of your company, Chris, with the subject line “Priority Task.” The email seems urgent. He opens it quickly and reads his task.

Personalized Spear-Phishing Attacks

Because Kevin wants to quickly complete this task for his employer, he rushes to reply. He follows the instructions he receives in a follow-up email, which leads him to send private access information to a “client,” AKA the spear-phisher behind this entire email thread. If he was trained on proper security measures, Kevin would have recognized the familiar spear-phishing tactic of personalized, yet random requests from c-level executives. He would have realized the email address was unfamiliar and the urgency in the message was uncharacteristic of his boss. Instead, he fell for a common spear-phishing tactic which led to malicious access to his company’s data.

To make sure your employees recognize the familiar tactics of phishing, you first need to know the various strategies malicious individuals use to gain access to sensitive information. Let’s talk about the difference between phishing and spear-phishing.

What is Phishing?

Phishing is any effort from an attacker to gain sensitive information from an individual via email, social media, and even phone calls. In the context of a business entity, these malicious individuals make contact with employees asking for private information that can lead to access of company systems, processes, or data. These attacks are not personalized. Instead, they are mass-generated with the hope at least one individual will fall for the trap.

It’s not uncommon for employees to fall for these simple phishing attacks. In fact, Verizon’s 2019 Data Breach Investigations Report claims that 32% of breaches involved phishing. That’s a difficult number to grasp. Phishing is not a complex or expensive tactic that attackers use. It’s about casting a wide net and, as evidenced, it’s successful in gaining access to companies’ private systems.

Phishing vs. Spear Phishing

Spear-phishing differs from normal phishing in that spear-phishing is targeted and personalized. Spear-phishers target specific individuals with custom messages. They spend more time and energy on finding personal information to create tailored attacks. For businesses, spear-phishers tend to pose as C-level executives or a fellow employee. The emails, phone calls, and messages from these malicious individuals tend to hold a level of urgency to convince victims to act quickly.

Spear-phishing is more likely to be successful in gaining access to sensitive data as it appeals to the familiarity of a victim. The tech company Ubiquiti learned about the impact of spear-phishing firsthand in 2015 when employees fell victim to an attacker’s tactics. The spear-phisher targeted Ubiquiti employees by imitating a company employee and asking for an unauthorized international wire transfer. The attacker targeted Ubiquiti knowing it handles international transfers often, and it worked for them – the company lost $46.7 million to these spear-phishing attacks. It led to legal action and countless hours remediating the security issues found from this attack.

Was this leak of information and financial resources inevitable? Absolutely not. If proper information security procedures were in place, employees would have been aware of possible attack tactics. Whether it’s personalized or not, phishing is effective. Make sure your organization is even more effective in securing its data and private information.

Hunt for Your Vulnerabilities Before Hackers Do

Who would you rather have locating the security weaknesses within your company – a malicious hacker or a security professional that you hired to secure your assets? At KirkpatrickPrice, we recognize the value in thorough penetration tests that seek out your vulnerabilities and work to correct them. Our team of expert penetration testers uses a variety of penetration tests and social engineering to locate the security issues your organization may not recognize.

Do you want to find out your organization has a security vulnerability after you’ve already lost millions to a malicious attacker?

Of course not!

Be proactive. Contact KirkpatrickPrice today to learn how we can help you become secure.
