As a technologist, what I love most is the creativity. Dreaming up new architectures and solutions that can change and improve our lives. Becoming a CTO after 25 years in my profession is a privilege and an honor. The job takes some courage especially when considering all the security threats coming from every possible direction. All those nefarious hackers trying to gain access to all that priceless data and get it to the dark web.
Security has always been and is increasingly a core element of any CTO's role. A close partnership with our CISO and her organization has helped our teams, technical and non-technical, at ACTIVE embrace an overall culture of cybersecurity across our enterprise.
But we are NEVER done. Cybersecurity incidents are on the rise, and there is a myriad of methods that cyber criminals use. Let’s look at some statistics recently published by the PurpleSec security team in Washington D.C.
Malware
Malware or malicious software come in the form of computer viruses, trojans, spyware, ransomware, adware, worms, file-less malware, or hybrid attacks.
Recent malware attacks have become more sophisticated with the advancement of machine learning and targeted spear phishing email. As a result, malware infections have increased from 12 million in 2009 to a whopping 813 million in 2018 and 92% of malware is delivered via email.
Ransomware
Ransomware are nefarious systems that have gained access to networks, largely through phishing mail, in order to effect encryption of data on networks rendering the data inaccessible. This can paralyze any organization or user. A demand for significant dollars to decrypt the data follows leaving only two options for victims which are to pay the ransom or rebuild their systems which can be costly. It is estimated that ransomware attacks worldwide rose 350% in 2018 and these attacks are estimated to cost $6 trillion annually by 2021. In 2019 ransomware from phishing emails increased 109% over 2017 and 1.5 million new phishing sites are created every month.
Social Engineering Statistics
As a mom this one I find even more troublesome. The psychological manipulation of people into performing actions or divulging confidential information via methods like injection of malicious code on public websites, impersonation of credible persona on the web or on social media. Victims of social engineering attacks can range from a corporate executive to an elementary school student. Even seasoned IT professionals can be victimized by this type of attack. Social engineering attempts spiked more than 500% from the first to second quarter of 2018 and 98% of cyber attacks rely on social engineering.
To further complicate the matter, the rushed response to COVID-19 in the business arena has created massive gaps in cybersecurity -- and security incidents have increased as a result.
The security firm Malwarebytes produced a report from a survey they performed in late summer 2020 that yielded some troubling metrics.
As a CTO, I can unequivocally say that I have spent many hours contemplating how we can know what we don’t know in order to protect the data entrusted to us by our customers. Thankfully I am not alone in the challenge of proactively protecting our customers’ data. Here at ACTIVE, we benefit significantly from the highly skilled security team of our parent company, Global Payments. ACTIVE's security plan is well-conceived and highly evolved, due in large part, to ACTIVE’s existence as a wholly owned subsidiary of Global Payments.
ACTIVE’S data security plan leverages a 7-layer approach to data security. The 7 layers are (1) Governance & Personnel Security, (2) Physical Security, (3) Network Security, (4) Platform Security, (5) Application Security, (6) Storage Security, and (7) File and Data Security.
Every day we looking to further our success in the area of security. We have recently completed an in depth evaluation of the tooling applications (Administrative User Interfaces, or “AUI”) we provide to our event organizers. As we look to increase the functional elements of the tools we provide to our event organizers, we need to ensure that we secure the accounts of our event organizers. We are happy to announce that we have implemented a Multi-Factor Authentication security feature for our AUI’s. MFA is pretty simple, and organizations are focusing more than ever on creating a smooth user experience. Most people already use it in some form. For example, you’ve used MFA if you’ve:
- swiped your bank card at the ATM and then entered your PIN (personal ID number).
- logged into a website that sent a numeric code to your email, which you then entered to gain access to your account.
MFA helps protect our customers by adding an additional layer of security, making it harder for the bad to impersonate our customers to steal data. Our event organizers’ information is safer because thieves would need to steal both password and email accounts to gain access to the AUI’s.
Be a CTO at Home!
Security isn’t just for CTOs and the corporate world. Many of the best practices we employ at work can be applied at home.
November 30 is National Computer Security Day and it’s a day that I have marked on my calendar to audit my home network and my kids’ devices as well as my own. Here are the things you can do to ensure that you have a safe computing environment at home:
- If you use social media, it’s a good time to review your privacy settings. See any new friends or connections you don’t know? Social media is another way identity thieves, viruses and computer fraud is committed.
- If you are running a PC make sure to enable and run your Windows updates and turn on Windows Firewall.
- Install and or update antivirus software and make sure it is scheduled to scan your device on a regular basis.
- Update all software that you are running on your device.
- Always use strong or complex passwords and make sure you do not have the same one for everything.
- Never share passwords and don’t write them down.
- Make sure your password is required to access my computer.
- Uninstall unused programs.
- Update the password to your wireless network.
- Back up critical data to an encrypted external drive or to a secure cloud location.
- Use caution when browsing the Internet and teach your kids the same.
- Log off the computer when you are not using it or set it to automatically logout when idle.
- Never allow web browsers to store or remember my passwords.
- Run disk cleanup and periodically remove temporary Internet files.