When Andrew Stanley received the email from PayPal, he knew immediately that something was amiss. There in the PayPal domain name, “under one of the a’s” was a Turkish accent mark called a cedilla.
“If you looked at it on your laptop monitor, it looked like a little speck of dust,” said Stanley, who is the chief information security officer at Philips, the Amsterdam-based healthcare and consumer lifestyle company.
“I didn’t use anything with PayPal and I said, ‘What is that?’ I happened to put my finger on it and it didn’t move. That’s when the light went on,” Stanley told the audience at the recent MIT CIO Symposium, where he was a guest speaker in a session titled “You were hacked: Now what?”
Of course, what caught the expert’s eye, a layman could easily miss. In fact, laymen do easily miss such warning signs on a regular basis. According to a recent study, over 90% of cyberattacks start with a phishing email.
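The check Stanley performed by eye can be automated at the mail gateway. The following is an added example, not code from the article or from Philips or PayPal: it reduces a sender domain to its "visual skeleton" (case-folded, combining marks such as a cedilla stripped) and flags it when it matches a protected brand domain without being that domain. It goes beyond the article's cedilla case by also mapping a few Cyrillic look-alike letters; the `PROTECTED_DOMAINS` set, the small `CONFUSABLES` map and the sample From: headers are all constructed for the example.

```python
import unicodedata
from email.utils import parseaddr

# Constructed list of brand domains the gateway should protect (assumption).
PROTECTED_DOMAINS = {"paypal.com", "philips.com"}

# Hand-picked Cyrillic letters that render like Latin ones (assumption; a
# production filter would use the full Unicode confusables table).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}


def skeleton(domain: str) -> str:
    """Case-fold, strip combining marks (so 'a' + cedilla collapses to 'a')
    and map known confusables, giving the string a reader would 'see'."""
    folded = unicodedata.normalize("NFKD", domain.casefold())
    stripped = "".join(ch for ch in folded if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in stripped)


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain part of a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].rstrip(".").lower()


def check_sender(from_header: str) -> dict:
    """Flag a sender whose domain is not a protected domain but looks like one."""
    domain = sender_domain(from_header)
    non_ascii = not domain.isascii()
    try:
        # The xn-- (punycode) form is what the mail server actually routed on;
        # showing it to analysts makes the disguise obvious.
        wire_form = domain.encode("idna").decode("ascii")
    except UnicodeError:
        wire_form = domain
    lookalike = None
    if domain not in PROTECTED_DOMAINS:
        target = skeleton(domain)
        lookalike = next((d for d in PROTECTED_DOMAINS if skeleton(d) == target), None)
    return {"domain": domain, "wire_form": wire_form,
            "non_ascii": non_ascii, "lookalike_of": lookalike}


if __name__ == "__main__":
    # Constructed samples: the first uses Latin 'a' + U+0327 COMBINING CEDILLA,
    # mimicking the "speck of dust" described above; the third uses Cyrillic 'а'.
    for hdr in ("PayPal <service@paypa\u0327l.com>", "PayPal <service@paypal.com>",
                "Support <help@p\u0430ypal.com>", "Alice <alice@example.org>"):
        print(check_sender(hdr))
```

A gateway rule would quarantine or banner any message whose `lookalike_of` is set; the `wire_form` field gives the analyst the punycode string to search for in mail logs.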
Educating employees on how to detect and prevent phishing attacks continues to be a crucial step in protecting sensitive information, Stanley said. Tabletop exercises simulating online attacks and penetration testing are other good ways to test an organization’s, and its employees’, cyber incident response capability.
“Penetration testing forces you to be a little more real-time. In certain types of pen tests, they are actually looking at your detection systems to see what they can and can’t pick up,” he said.
He also stressed the need for hiring security intelligence staff.
“That’s one of my highest cost investments,” he said. “We have our tactical or technical intelligence team, which is able to look at trends and different phishing attempts and try to correlate that to a particular attacker. Then we have our strategic intel team that’s trying to figure out the ‘why’.”
Figuring out the “why” is vital, because determining the hackers’ intent before the information walks out of the door is going to help organizations prevent such attacks in the future, Stanley added.
James Lugabihl, director of execution assurance at HR management services firm ADP, and also on the panel at the MIT CIO Symposium, said that fostering a security-conscious culture is one of the key strategic pillars of ADP’s security organization. “We try to drive that in every opportunity we can within our brand image.”
He laid out several steps to help drive a security culture: managing privileged administrator accounts, having proper network segmentation and implementing the right crisis management plan. Organizations need to plan properly and focus on the proper execution of their incident response plan, he added.
“I don’t agree with ‘practice makes perfect’; perfect practice makes perfect. Because if you are doing it wrong in practice, you will continue to do it wrong when it hits the fan,” Lugabihl said.