On June 25, 2015, clients and friends of First Long Island Investors came together to learn more about cybersecurity. Robert DeStefano, Executive Vice President, and Chief Information Officer at Astoria Bank, and Bhavesh Chauhan, Security Solutions Engineer at Verizon, led a discussion on the information security landscape and provided ideas and strategies for reducing the impact a cyberattack could have on individuals and businesses.

From left, Bhavesh Chauhan, Ralph Palleschi, and Robert DeStefano.

Bob DeStefano led off the conversation with an overview of cybersecurity.  Some of his points included:

• A cyber-security threat is any action that may result in unauthorized access to or manipulation/destruction of, the integrity, confidentiality, or availability of an information system
• The security landscape has changed dramatically over the past few years and continues to change. Newer and more sophisticated threats are availing themselves daily
• Completely preventing all cyber threats is next to impossible, but both individuals and organizations should focus on how to (a) minimize the impact of an attack (b) ensure they have the best identification and remediation possible and (c) respond quickly in the event of an attack.  Having a firewall is not enough to protect yourself. Multiple layers and strategies of security control from different vendors should be combined to prevent and monitor potentially damaging breaches.
• The potential of a cyber-security threat needs to be taken seriously because it can significantly impact the reputation and financial position of a company or an individual
• Cybercrime is increasing due to the ability of cybercriminals to operate from countries where they risk little intervention from law enforcement, and cybercriminals are beginning to make substantial money for their efforts
• Recent studies estimate the average cost of a data breach to a major company/financial institution to be approximately 3.8 million dollars. This is up 8.5% from the previous year.  This hard-dollar cost is in addition to the reputation risk and customer confidence risk that an organization faces
• A good cyber-security plan includes risk management and mitigating strategies including adequate resources and support from the board and executive management, development and implementation of cyber-security policies, use of multiple layers of security controls from different vendors, third party oversight, education and awareness of all employees, risk assessments and penetration tests, cyber-security insurance coverage, ensuring computer/mobile devices and preventative software stays updated, and having an incident response plan

Bhavesh Chauhan then shared with the group some highlights of Verizon’s 2015 Data Breach Investigation Report. 

• The Data Breach Investigation Report is put together annually by Verizon to review the types of vulnerabilities that many companies are seeing and provide insight and perspective on how companies can best allocate resources and dollars in the prevention and response to cybercrime. The report brings together information from 70 contributing organizations and analyzes nearly eighty thousand security incidents across 61 countries for events happening in the 2014 calendar year
• One of the primary challenges of the security industry is that in 60% of cases, attackers are able to compromise an organization within minutes. Additionally, there is a wide gap between the time it takes a cybercriminal to compromise and organization and the time it takes a defender to detect a compromise.  In 2014 this gap started to shrink, but it is still significantly wider than the information security community would consider acceptable.
• For two years in a row, more than two-thirds of incidents that comprise the Cyber-Espionage pattern have featured phishing. Even with the increased awareness of phishing, 23% of recipients open phishing messages and 11% click on the attachments.  Of those who open the email, nearly 50% open the email and click on the phishing links within the first hour of receipt
• Software and hardware companies regularly issue patches and updates to fend off common vulnerabilities and exposures (CVEs). From the analysis, Verizon found that 99.9% of the vulnerabilities exploited in a cyber-attack were compromised more than one year after the CVE was published.  Bhavesh reiterated the importance for both individuals and organizations to ensure that they update all of their devices (computers, tablets, mobile phones, etc.) with patches as soon as they become available
• Somewhat surprisingly to the information security community, mobile devices are not a preferred vector in data breaches. Only a negligible 0.03% out of tens of millions of mobile devices were infected with truly malicious exploits
• The most common types of cyber-attacks in 2014 were point of sale (POS) intrusions, crimeware, and cyber-espionage. In looking back over the last 10 years, the top three have changed, but overall there are still only 9 core intrusion types
• While there are a vast number of strategies organizations can use to protect themselves and their customers from cyber-attacks, being able to focus efforts is key. Organizations should use this report to see how their industry and companies of their size are being attacked and then build a plan that can most effectively protect them  from attacks
• A copy of the report can be downloaded at the following link: http://www.verizonenterprise.com/DBIR/2015/