Cyber attacks are increasing every day and can emanate from sources that the information technology department never checks, an expert said Tuesday.
Ryan Vela, Dallas-based regional director of North America reactive and proactive cyber security services at Fidelis Cybersecurity, cited data stating 70% of security professionals think they have done enough with respect to security, but 40% still expect to be breached.
“These numbers show a disconnect in organizations; clearly there is not an understanding here,” Mr. Vela said during the Risk & Insurance Management Society Inc.’s Enterprise Risk Management conference in Chicago.
Hacking email is easy and inexpensive, he said, noting that hackers advertise online that they will break into a personal email account for the equivalent of $200 in bitcoins, or into a corporate email account for $500.
Mr. Vela recalled an incident where a hacker who was already in a large oil company’s system noticed that one group ordered takeout from a Chinese restaurant every Friday. The hacker created a PDF that purported to be an updated menu. But when workers clicked on the menu, the hackers were able to download code to the users’ PCs, which gave the hackers access to the business’ data.
“There are many other ways to hack into a company’s systems. Hackers can use printers, thermostats and video conferencing equipment,” Mr. Vela said.
“The No. 1 missing item today is viewing encrypted channels, not the web or http or email. Look at your VPN connections. These are the channels bad guys communicate on because they know you don’t look there,” Mr. Vela said.
Directors need to understand and approach cyber security as an enterprisewide risk management issue, not just an IT issue, according to the National Association of Corporate Directors.