Editor’s note: This story is part of a special report from WRAL News about corporate hacking.

RALEIGH, N.C. – Ryan Johnson, a director with Alvarez & Marsal Global Forensic and Dispute Services in Washington, answers five commonly asked questions about hacking.

1) What kind of companies are the biggest targets for cyber crime?

Companies with proprietary intellectual property, formulas or convertible assets, such as credit card or financial data, are large targets. If these companies are in litigation, then their lawyers are targets, too.

2) What are the top two biggest risks to business today?

The top two risks are lost laptops with sensitive data that is not encrypted, and untrained staff opening email attachments with hostile code. Companies should encrypt sensitive information while stored at the company or while being transmitted across the Internet. All staff members need to be trained at least annually on how to protect information under their care and control.

3) If a company does business internationally and its executives travel to other countries frequently, what can they do to minimize their risks based on bringing computers and data into some of these countries?

While traveling, it is best to only take new laptops with no company data and to use web-based email using SSL protections. Look for the lock on the browser window and use the SSL connection whenever possible when sending your logon information. Some people set up a new email account and use it just for a short time, maybe only one trip, in case it is compromised. Always change account passwords to systems that you access internationally in case your logon was intercepted.

4) What are the five most effective security measures companies can implement to protect their assets?

Training is an excellent start to creating an environment that protects sensitive information. Having an external expert review your security procedures is also a best practice. Reviewing logs on servers for bad activity is critical to a security program’s success. Having a written incident response plan in case of an incident before one occurs. Policy, policy, policy, written and communicated with staff, is critical, and a low-cost best practice.

5) If a company’s network is protected by firewalls, isn’t that sufficient to ward off intruders?

People are the weakest link in security. The firewalls are a necessary technical control, but like doors in your home or business, the hackers will look for other ways of entry, even being invited in by your employees who have not been properly trained to understand the risks to your sensitive information.

Reporter: Kelcey Carlson
Photographer: Greg Clark
Producer: Randall Kerr
Web Editor: Kelly Hinchcliffe