This article will answer the following questions:
- What is cyber exposure?
- What are the different cyber exposure categories?
- Why should I track my company’s cyber exposure?
- What is Disclosure of Sensitive Information?
- How can my company be affected by External Data Breaches?
- Is my company’s information sold in Black Markets on the Darkweb?
- What is Exposed Financial Information and how can it harm my company?
- How can I control our employees’ Exposed Credentials?
- How can Personal Information pose a threat to our company?
- Is my company a target for Hacker Groups?
- How do I know if our company has an Internal Data Breach?
- Do Cloud services pose a new type of risk?
- Is our company liable if our data is stolen from an outsourced service?
- What are the legal repercussions if our company doesn’t store data securely?
Know the Current Liabilities
Before the cloud, everyone had his or her own little medieval IT castle—the data centre. Much like a real castle, it had a perimeter wall (network edge), a gate with guards who allowed or blocked access (firewall) and different defence zones within the walls (network segments). It was pretty simple to identify liabilities—they came from the guys trying to ram in the castle door.
Today, the perimeter is gone. We live in a network of small villages where the data now resides. An attack could come from anywhere. Most people, especially if they’ve been in the business for a long time, have not moved to the new paradigm yet. They’re not thinking about outside services, but they should be. It’s the cybersecurity manager’s responsibility to shift that paradigm so people are thinking about vulnerabilities from the attacker’s position, not from a supposedly safe spot inside their own castle walls.
To do that, the cybersecurity manager needs to know how much the company has been exposed to security risks, now and in the past. This is cyber exposure, and it doesn’t just mean data leaked to the public or breached from the organisation. Data can be leaked from partners, the supply chain, employees, clients, or anyone with access to company information.
Types of Liabilities Due to Cyber Exposure
We have met a number of cybersecurity managers who had long careers in their companies. They got very nervous after learning that they never knew about many of their liabilities and cyber exposure. Now they wondered: had they been hacked three years ago without the cybersecurity manager ever being informed?
If you’re new to the job, make sure you won’t be surprised about the past. Do your homework about exposure so you’re not blindsided by people coming to you with exposures. As the security expert, the cybersecurity manager must be the one to inform others. That’s the job.
If a cybersecurity manager has the means to learn about their liabilities, they should use those means. Surprisingly, many people decide not to do so; they decide not to be informed. That’s sorely misguided. Here’s some of what they are missing:
The liabilities can be split into eight different categories or sectors. Any new cybersecurity manager needs to know if any of these things has happened already—or, in the worst case, is happening on their very first day on the job.
Disclosure of Sensitive Information
The first category of liability is disclosure of sensitive information. Every company has internal emails, documents, data, and pricing. Tech companies have source code, proprietary software they’re developing, and trade secrets. If this stuff gets leaked out, it is first and foremost a reputation risk. This must be looked at from two perspectives: what it means for the business and what it means to risk management people.
External Data Breach
The second category is an external data breach. This is a data breach through third parties—business partners, supply chain vendors, HR, payroll companies, payment processors, and financial institutions. It’s a theft of company information, and the company doesn’t have any control over it. For example, if HR gives their employees’ private information to an outsourced payroll company and that system gets hacked, every employee’s address and bank account numbers could be breached.
Once the data is stolen, there’s nothing the company can do. The data is out there, and it’s no longer within their control to protect it. The liability in these cases will be viewed as the company’s, not the external service providers’. In the eyes of the users, the data was in the hands of the company and it was stolen—they don’t care that a third-party vendor was the source of the leak; they trusted the company to protect their information. They will say, “I gave the information to you, and you lost it.” This category of breach is common with cloud service providers.
Black Market Activity
The third category is black market activity. This happens when people sell company information to the highest bidder, usually on the dark web. Black market activity might be initiated by a rogue employee who’s offering to sell information for money or by an outsider soliciting an employee to sell them information. There are dark web forums that specialise in inside information trading. These marketplaces allow users to say what kind of information they want and ask how much it would cost. Then the hackers start bidding. “You pay me $250 or $500 and I’ll get all 50,000 customers’ home addresses and social security numbers for you.”
Black market activity is dangerous, even when the information hasn’t been lost or breached. Just the fact of someone saying publicly that they are willing to pay for or sell this kind of information makes it more likely such a transaction will take place in the future. An alert cybersecurity manager wants to know if their company is being talked about on the dark web. Whether the data has been lost or not, you need to be aware if someone is talking about you. You need to know if you’re a target.
Exposed Financial Information
The fourth category is exposed financial information. If the company is sending money to someone else, there’s a transaction log, and these get leaked quite often. Usually, transactional information is stolen, but thieves may also walk away with complete credit card or bank account numbers.
It sounds like it might not be a big deal—companies send millions of dollars to one supplier and thousands to another. But if hackers know how much money clients are routinely sending to which companies, they can pretend to be those companies and send out fake invoices or emails claiming the customer should have sent a larger amount, thus duping the company into paying a fake invoice to the hacker’s bank account. Or if a company sends 10 million dollars every month, one month they might get the same invoice with a different bank account on it. Information gleaned from credit card access and from database dumps stolen from banks, complete with customer records and transactions, is routinely sold. A cybersecurity manager needs to know if this has happened already.
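The practical control against the fake-invoice scenario above is to hold any invoice whose payment details, sender, or amount deviate from the vetted vendor record until it is verified out of band. The script below is an added example (not code from the original article); the vendor records, invoice batch, IBAN-style strings and the `.test` sender domains are all constructed placeholders.

```python
"""Hold supplier invoices whose bank account, sender domain or amount differs
from the vetted vendor record, so they can be verified by phone before payment.

Added example; every vendor, invoice, account string and domain here is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    name: str
    account: str        # vetted bank account on file (constructed string)
    sender_domain: str  # domain the vendor's invoices normally come from
    usual_amount: float # typical monthly payment to this vendor


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor: str
    account: str
    amount: float
    sender: str         # e-mail address the invoice arrived from


# Constructed vendor master data, the "known good" record for each supplier.
VENDORS = {
    "Acme Parts": Vendor("Acme Parts", "ACCT-0001-VETTED", "acme-parts.test", 10_000_000.0),
    "Widget Co": Vendor("Widget Co", "ACCT-0002-VETTED", "widgetco.test", 25_000.0),
}

# Constructed batch: one normal invoice, one with a swapped account, one from a
# look-alike domain asking for more money, and one from an unknown vendor.
INVOICES = [
    Invoice("INV-1", "Acme Parts", "ACCT-0001-VETTED", 10_000_000.0, "billing@acme-parts.test"),
    Invoice("INV-2", "Acme Parts", "ACCT-9999-NEW", 10_000_000.0, "billing@acme-parts.test"),
    Invoice("INV-3", "Widget Co", "ACCT-0002-VETTED", 40_000.0, "billing@widgetc0.test"),
    Invoice("INV-4", "Nobody Ltd", "ACCT-0003", 500.0, "ap@nobody.test"),
]


def sender_domain(address):
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def check_invoice(inv, vendors=VENDORS, tolerance=0.10):
    """Return the list of reasons an invoice must be verified out of band.

    An empty list means the invoice matches the vetted record on every check.
    """
    vendor = vendors.get(inv.vendor)
    if vendor is None:
        return ["vendor not in master data"]
    reasons = []
    if inv.account != vendor.account:
        reasons.append("bank account differs from vetted record")
    if sender_domain(inv.sender) != vendor.sender_domain:
        reasons.append("sender domain differs from vendor's usual domain")
    if abs(inv.amount - vendor.usual_amount) > tolerance * vendor.usual_amount:
        reasons.append("amount deviates from usual payment")
    return reasons


def held_invoices(invoices=INVOICES, vendors=VENDORS):
    """Map invoice id -> reasons for every invoice that fails at least one check."""
    return {inv.invoice_id: r for inv in invoices if (r := check_invoice(inv, vendors))}


if __name__ == "__main__":
    for inv_id, reasons in held_invoices().items():
        print(inv_id, "->", "; ".join(reasons))
```

Any account change on an existing vendor is the single most important signal here: a genuine change is rare and should be confirmed with the vendor on a phone number already on file, never one taken from the invoice itself.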
Exposed Credentials
The fifth category is exposed credentials. This includes passwords, usernames, combinations, or some kind of security token. When hackers steal this information, they can access company systems. The challenge is, it doesn’t matter how well you’re secured, how many systems you have, or how many people you have working on your cybersecurity team. If someone gets the password, they can log in, and no one will be aware of it because it’s a legitimate login.
Most employees will reuse their work-related usernames and passwords in external services. Usernames are typically based on email addresses that contain the domain name suffix of the company. It’s a little like tagging your house keys with your home address. When your keys get lost, the burglar who finds them will know exactly where to go. When company credentials are stolen, it’s the same story—the thief now knows how to access your company.
This is nearly impossible to control because it happens completely outside of the company. There’s no way the organisation can watch what’s happening everywhere. This exposure is beyond the company’s reach.
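Although the reuse itself happens outside the company, a defender can still screen any dump that surfaces for accounts on the corporate domain and test whether the leaked password is the one the employee currently uses internally, so those accounts can be reset first. The script below is an added example, not the article's own code; the dump lines, the `example-corp.test` domain and the corporate password records are constructed, and the deterministic salt is only for the demonstration.

```python
"""Screen a leaked credential dump for the company's e-mail domain and detect
which leaked passwords are currently reused as the corporate password.

Added example; dump, domain and password store are constructed for the demo.
"""
import hashlib
import hmac
import re

COMPANY_DOMAIN = "example-corp.test"  # constructed placeholder domain

# Constructed dump in the common "email:password" shape, with noise and a duplicate.
LEAKED_DUMP = """\
alice@example-corp.test:Summer2023!
bob@gmail.com:hunter2
carol@example-corp.test:Winter2024?
Dave@Example-Corp.test:Summer2023!
not a credential line
alice@example-corp.test:Summer2023!
"""

_CRED_LINE = re.compile(r"^([^\s:@]+@[^\s:@]+):(.+)$")


def parse_dump(text):
    """Yield (email, password) for every line that looks like email:password.

    Addresses are lower-cased so the same account is not counted twice.
    """
    for line in text.splitlines():
        m = _CRED_LINE.match(line.strip())
        if m:
            yield m.group(1).lower(), m.group(2)


def company_accounts(text, domain=COMPANY_DOMAIN):
    """Return the sorted unique (email, password) pairs on the company domain."""
    suffix = "@" + domain.lower()
    return sorted({(e, p) for e, p in parse_dump(text) if e.endswith(suffix)})


def hash_password(password, salt):
    """Slow salted hash, as a corporate directory would store it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_store(plaintexts):
    """Build email -> (salt, hash). Demo only: the salt is derived from the email
    so the example is reproducible; real systems must use os.urandom per user."""
    store = {}
    for email, pw in plaintexts.items():
        salt = hashlib.sha256(email.encode()).digest()[:16]
        store[email] = (salt, hash_password(pw, salt))
    return store


# Constructed corporate password store; two users reuse the leaked password.
CORP_STORE = make_store({
    "alice@example-corp.test": "Summer2023!",
    "carol@example-corp.test": "c0rp-0nly-P@ss",
    "dave@example-corp.test": "Summer2023!",
})


def reused_passwords(text, store=CORP_STORE, domain=COMPANY_DOMAIN):
    """Return the company accounts whose leaked password matches the corporate one.

    Only hashes are compared, so the leaked plaintext never has to be stored.
    """
    hits = set()
    for email, pw in company_accounts(text, domain):
        if email in store:
            salt, digest = store[email]
            if hmac.compare_digest(hash_password(pw, salt), digest):
                hits.add(email)
    return sorted(hits)


if __name__ == "__main__":
    print("company accounts in dump:", [e for e, _ in company_accounts(LEAKED_DUMP)])
    print("force reset for:", reused_passwords(LEAKED_DUMP))
```

Every company-domain account in the dump is worth a notification even when the password differs, because it confirms the employee registered on the breached service with the work address; the accounts in the reused set need an immediate reset and a session review.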
Personal Information
The sixth type of liability is personal information. This includes people’s names, physical addresses, social security numbers, hospital data, and even personal hobbies. The risk here is identity theft and fraud. If a thief has enough information about a person, they can open a bank account, get a payday loan, or open credit accounts to make fraudulent purchases.
Sometimes hackers get all the information they need from data breaches, and sometimes they have to search for more to complete the picture. If the information is leaking from the organisation, hackers can construct complete profiles of people and then use that to further hack into company systems or to buy things.
Identities are hard currency. They enable synthetic fraud. In this type of fraud, criminals use personal information to construct real-looking profiles and sign up for services, make unauthorised purchases, and so on.
Also, consider this: if you get an email from your boss sent from his LinkedIn account, check that the account looks like his, and then agree to click a link, how can you know whether you were fooled by a spear-phishing email or it actually came from the boss? Most people have no means of distinguishing a well-crafted fake profile from the real one.