Integrity Blog

Data breaches harm an organization's brand and reputation.

A data breach’s effect on your organization’s reputation

Cybersecurity isn’t just for guarding credit card and personal information. For businesses it is about protecting intellectual property, vendor and client relationships, and operational efficiency. Looking at the bigger picture, you will recognize the impact a data breach can have on an organization and its reputation.

There are direct expenses tied to security incidents. Consulting, attorney, digital forensics, and insurance fees are all common, but those expenses may pale in comparison to the long-term effect a breach can have on an organization's ability to retain customers and win new business.

The Lasting Impact of a Breach

When a breach occurs, there is a sudden shift in how the market perceives an organization. Trust from clients and vendors weakens, prospective customers become leery, and the organization's name itself becomes associated with vulnerability and weakness. Regardless of how the breach transpired, the reputation of the victim organization will be tarnished. How long the damage lasts varies from case to case, but it will leave a lasting mark on the organization's brand image.

So, what does all of this mean? Who is responsible and how do we prevent such a disaster? The honest answer is that everyone is responsible, but the only way to change an organization’s security culture is by going through the executive team. The C-suite must lead by example when it comes to cybersecurity. After all, an organization’s future depends on it.

Regardless of industry, every viable organization handles some form of sensitive data. Whether it is Research & Development with consumer insights, the Finance department with corporate bank accounts, or Sales with contract negotiations, sensitive data is processed by employees and communicated using technology. One slipup by an employee or the exploitation of a vulnerable system can expose an organization to cyber criminals, which is why everyone should be aware of security threats and their consequences.

Protecting Brand Image - Security Awareness Training

Information security training is the foundation for building a security focused culture within an organization. Without it, there is no guidance for employee conduct. It is unfair to assume that everyone understands how to properly handle sensitive data or navigate potentially unsafe website and email links. Cyber criminals are slyer and more deceptive than ever, and it is an organization’s responsibility to train its employees to conduct business in a professional, secure manner.

Live, on-premises security training from an engaging presenter is an effective way to gain the attention of employees. Videos can be helpful and more cost-effective but tend to be boring and unengaging; make sure you are actually training employees, not just checking off a list.

Validating Security Practices

The best way to gauge the effectiveness of your security awareness training is to test it. Social engineering assessments are a real-life test of employee behavior. Here are a few examples of ways to validate your training.

Email Phishing Test – Cyber criminals use phishing emails to infect a victim's computer with a malicious attachment, and an alarming 13% of people click on infected attachments (Verizon 2016 Data Breach Investigations Report, p. 17). By training employees about email phishing and the harm it can cause to your organization, you can prepare them to spot these emails and avoid them altogether.

Testing your employees with an ethical email phishing campaign is a safe yet effective way to gain insight into the vulnerabilities your organization faces when it comes to email communication. Through an ethical campaign, you will be able to see who opened the email and which employees clicked the attachment or link. This will help you understand where you need improvement and how to adjust your training.

Pretexting Assessment - Employees may struggle in recognizing the difference between a legitimate conversation with a valued customer and an unethical pretexter trolling for information. Performing an ethical pretexting phone campaign will help to validate your organization’s security procedures as they pertain to sharing information with customers, vendors, and internal staff.

Facility Access Assessment - Performing an unauthorized facility access attempt with an ethical attacker enables organizations to properly assess building access codes, IT Asset controls, and employee behavior. Integrity’s ethical attackers pose as employees, customers, or contracted workers in an effort to enter a facility and gain access to sensitive information without triggering alarms.

Effectively Communicating Security Risks to the Executive Team

As an IT Security Risk Professional, you know better than anyone where you have small gaps and where you have gaping holes in your organization's security footprint. The challenge comes in getting the resources to address even the most obvious ones. When requesting resources from the executive team you must compete against countless other requests: marketing and new product launches, sales budgets and growth targets, personnel and HR requests. Those will often get priority unless you have a well-thought-out business case and a clear request for the resources needed to complete the project. Most frustrating of all may be the inability to even get time with the executive team to fully explain your project and why it is critical that they fund it.

To more effectively communicate with the executive team, we must take our cues from them.

Communicate in a way and style that matches how you see them interact with you and the rest of the organization.

  • Learn how they like to communicate; e.g., email, phone, scheduled meeting, impromptu watercooler meetings.
  • Learn what their priorities are for the year.
    • They have objectives that are critical to their success.
  • Figure out how your project will help them meet their priorities for the year.
  • Do your homework.
    • A risk matrix can help clearly illustrate everything you have to manage.
  • Practice and refine your pitch so that you are ready to give it at any time and multiple times:
    • Keep it brief.
    • Keep it on point.
    • Focus on providing quantitative data.

A few years back while I was attempting to secure additional resources for a project I was leading, I ran into obstacles that stopped me from moving the project forward. The Directors' team I was working with did not fully understand and support what I was looking to accomplish. However, one day while I was getting a cup of coffee, the President approached me and drilled me for 10 minutes with questions about my project. I was initially surprised that he knew so much about my project, but thankful I was ready at any time to make a pitch for it. I was happy the Directors had briefed him, and having earned his trust around that coffee maker, I was eventually awarded resources to move forward.

A good executive team trusts you to look at the security footprint of the organization, prioritize risks, and objectively elevate the greatest risks to the executive team, allowing them to make a decision based on their willingness to accept risk. As an IT Security Risk Professional, you must take every opportunity to earn the trust of the executive team.

Detecting Malware on Your Systems

Detecting malware is becoming more difficult. The 2016 Verizon Data Breach Investigations Report (DBIR) details how difficult it is for anti-malware tools to keep up with advances in malware evasion techniques. As such, you should expect that some systems within your environment will succumb to malware. The following tips will help you identify an infected system even when your anti-malware tools fail to detect the infection.

1. Check the following Windows registry keys for unknown executables.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Malicious entries typically have completely random names such as IFAZZS.EXE or 9G8XRT43.BAT. They may also be near-misses of valid system file names with one or two extra characters, such as serverr.exe. Check the full path as well: a legitimately named executable launched from a user's temp or profile directory rather than its usual location deserves the same scrutiny.

You can also use the Startup tab in Windows Task Manager for a quick view; however, it only reflects what launches at the currently signed-in user's logon, so per-user Run keys belonging to other accounts and the RunOnce keys are not shown. A startup entry can also be suppressed from appearing in Task Manager, so reading the registry keys directly is the most reliable method.

2. Review the system services for unknown services

Currently registered services are each listed as sub-keys of the following Windows Registry key.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Any keys that are unfamiliar or appear to be random should be investigated to determine if they are legitimate or malicious.

3. Review system event logs

The Service Control Manager writes several useful events to the System log. Event ID 7045 records that a new service was installed and includes the service name, the image path (the command line that will run) and the account it runs as. Event ID 7040 records a change to a service's start type (for example, from Disabled to Automatic), and Event ID 7036 records a service entering the running or stopped state. Correlated with logon events in the Security log, these can pinpoint the source of the malware, including cases where the service was installed from a remote host whose IP address is not on the local network.

Finally, should you find files, URLs or other information you believe points to malware, you can use www.virustotal.com to check whether the file hash, URL or IP address has been associated with malware. You can also search the database for service, file or user names, IP addresses, mutex names and other details found during malware analysis.
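The three checks above can be scripted so that the same triage is run the same way on every suspect host. The following PowerShell is an added example written for this post, not the author's tooling: it reads the four Run/RunOnce keys, resolves each image path, checks the Authenticode signature and computes a SHA-256 hash to paste into VirusTotal; enumerates the ImagePath of every registered service; and pulls the last week of Service Control Manager events 7045, 7040 and 7036. The "random name" heuristic in Test-SuspiciousName is an assumption for triage only, and near-miss names like serverr.exe still need a human eye. Run it from an elevated session on the host being examined.

```powershell
# Added example (not from the original post): triage the persistence locations
# and events discussed above on a Windows host. Run in an elevated session.

# --- 1. Autostart entries under Run / RunOnce (HKLM and HKCU) -----------------
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract the executable from a command line such as
#   "C:\Program Files\Foo\foo.exe" /silent   or   C:\Windows\x.exe -k
# and normalise the \??\ and \SystemRoot prefixes used by service ImagePaths.
function Get-ImagePath {
    param([string]$CommandLine)
    $img = $CommandLine
    if ($CommandLine -match '^\s*"([^"]+)"') { $img = $Matches[1] }
    elseif ($CommandLine -match '^\s*(\S+)') { $img = $Matches[1] }
    $img = [Environment]::ExpandEnvironmentVariables($img) -replace '^\\\?\?\\', ''
    if ($img -match '^\\SystemRoot') { $img = $img -replace '^\\SystemRoot', $env:SystemRoot }
    elseif ($img -notmatch '^[A-Za-z]:') { $img = Join-Path $env:SystemRoot $img }  # e.g. system32\drivers\x.sys
    return $img
}

# Assumed heuristic for the "random name" pattern: a name of six or more
# characters with no vowels, or a run of three or more digits. Weak on its
# own; the signature status and hash below are the primary checks.
function Test-SuspiciousName {
    param([string]$Path)
    $name = [IO.Path]::GetFileNameWithoutExtension($Path)
    return ($name.Length -ge 6 -and $name -notmatch '[aeiouAEIOU]') -or ($name -match '\d{3,}')
}

$autostarts = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # provider metadata, not a value
        $img = Get-ImagePath $p.Value
        $exists = Test-Path -LiteralPath $img
        $sig  = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $img).Status } else { 'FileMissing' }
        $hash = if ($exists) { (Get-FileHash -LiteralPath $img -Algorithm SHA256).Hash } else { $null }
        [pscustomobject]@{
            Source     = $key
            Name       = $p.Name
            Image      = $img
            Signature  = $sig                    # 'Valid' for signed vendor code
            SHA256     = $hash                   # look this up on virustotal.com
            Suspicious = ($sig -ne 'Valid') -or (Test-SuspiciousName $img)
        }
    }
}

# --- 2. Services: ImagePath of every key under ...\CurrentControlSet\Services --
$services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $ip = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($ip) {
        $img = Get-ImagePath $ip
        [pscustomobject]@{
            Service    = $_.PSChildName
            Image      = $img
            # Images outside \Windows and \Program Files, or with random-looking
            # names, go to the top of the review queue.
            Suspicious = ($img -notmatch '^[A-Za-z]:\\(Windows|Program Files)') -or (Test-SuspiciousName $img)
        }
    }
}

# --- 3. Service Control Manager events from the last seven days ---------------
# 7045: new service installed (image path and account are in the message)
# 7040: start type changed (e.g. Disabled -> Automatic)
# 7036: service entered the running/stopped state
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'
    Id = 7045, 7040, 7036; StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }

$autostarts | Where-Object Suspicious | Format-Table -AutoSize
$services   | Where-Object Suspicious | Format-Table -AutoSize
$events     | Where-Object Id -eq 7045 | Format-Table -Wrap -AutoSize
```

Two caveats when using it: HKCU in an elevated session is the hive of the elevated account, so to review another user's Run keys load that user's hive from HKEY_USERS (or their NTUSER.DAT) instead; and an unsigned binary is a reason to look, not a verdict, since plenty of legitimate in-house tools ship unsigned. The SHA256 column is what you take to VirusTotal; do not upload the file itself from a machine you suspect is compromised until you have preserved it for forensics.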

Fighting malware is no easy task. Hopefully you’ll find this list of detection techniques useful in identifying a system that may have been compromised by malware.
