Enterprise Security Requires Back-To-Basics Approach

Cybercriminals have in recent years become known for being inventive, technologically sophisticated and well-organized enough to break into systems of all kinds, large and small. For example, half of the United States’s fuel supply was recently frozen, as the pipeline that carried it has been taken hostage by ransomware cybercriminals using encryption. The pipeline is up and running again, but the fuel delays and ripple effects will likely be felt for weeks.

But just because cybercriminals can perform all of this high-tech wizardry to beat our best efforts at securing our systems, that is not their preference, noted Chief Information Security and Privacy Officer for CO-OP Financial Services Paul Love in a recent conversation with PYMNTS. They would rather skip trying to break through all of the high-tech, super-efficient point solutions designed to keep them out instead of focusing on the paths of least resistance — the basic stuff institutions or their employees forget to secure because it seems so minor.

 

“First and foremost, make sure you have the basics in place. It’s very often the basic thing the attackers will look for and take advantage of versus taking on [the expensive], specialized tool that’s monitoring for one type of attack. Make sure your systems are patched and that your employee base knows how to respond to phishing emails. People will typically focus on point solutions, but forget the basics,” said Love.

Those are oversights that cybercriminals have learned to love when taking on enterprise systems, and have come to count on them. In going back and looking at the root causes of some of the biggest institutional hacks, more often than not, it was that small, basic upgrade that got skipped that the clever criminal exploited, said Love.

Attackers will generally keep an eye on the news and be ready for the current “scheme theme,” in hopes of taking advantage of the unaware, he noted. That said, new tactics don’t mean they’re abandoning the tried-and-true stuff like phishing scams because, with some minor modifications, they work over and over again.

And while cybercriminals will never go away, said Love, enterprises can do a better job of preparing themselves end to end to take on the challengers in their various forms. And that often starts with better communication about the threats — and how best to take them on.

“The first part of security communication is determining what drives your audience and what they care about,” Love explained. “Once you understand the business drivers for your organization, you have to speak in plain, business-focused language — without acronyms — and tell the story of your data. Your audience may not be as deeply involved as you are in the subject matter.”

That doesn’t mean they don’t care. Your audience probably cares deeply about security but also needs to understand what they can do to help, he said.

Gaining that understanding also means correctly building the experience for an appropriately wide range of consumers. For example, Love said he has seen issuers cut off card accounts that buy too many pre-paid phone cards in a row, which can indicate that a card has been stolen and the thief is batch-buying cards. Often, but not always, that is the behavior of a consumer who doesn’t have regular phone access — and cutting off access to their account adds even more complexity to their lives.

Properly managing card security doesn’t just mean protecting the consumer from fraudsters, noted Love. It also means ensuring that the data that an enterprise works so hard to secure is then used carefully and in thoughtful ways that truly benefit the consumer.

“Really understanding data and applying a diversity, equity and inclusion lens to it will really help an organization make sure they’re doing what’s best for their credit union members, as well as ensuring that they’re protecting the organization,” Love said. “The ethical use of data is very important from a security and privacy perspective, as well as in terms of good corporate citizenship and protecting consumers and employees from harm.”