Cyber security expert and author Brian Krebs had a cold dose of reality for financial services companies at the Power of Prepaid Conference.
“It’s easy to think everything, everyone, everywhere gets hacked – I think that’s a good summation of reality,” Krebs said in his keynote talk on April 10. Accepting this reality, he added, is the first step toward improving both personal and corporate security.
“If you accept the fact that companies get breached on a daily basis, then you can do security [better],” he said.
Throughout his talk, Krebs offered ideas and suggestions for how businesses can cope in such a world. The first step is for them to start working together.
An advantage hackers have over cyber security teams is their collaboration through online forums.
“If you need help in the underground there are lots of people there,” Krebs said.
Companies can combat this by sharing information and letting others know when they have faced attacks. An open dialogue not only helps others ward off attacks but also encourages reciprocity.
Once cyber security teams recognize what is happening out in the wild, they can figure out where their weaknesses lie and work to shore up their defenses, which aren’t purely technical.
“People are the most important and most dangerous assets in organizations,” Krebs said.
People are the ones who fail to change passwords and click on phishing e-mails, but they are also the ones who secure systems and respond to incidents. Training employees and hiring cyber security staff are steps that can reduce a company’s risk. Krebs encouraged companies to implement two-factor authentication for customers and employees, noting that system administrators in particular should be held to high authentication standards.
“You can’t secure what you don’t know you have,” Krebs explained. Identifying the connections and overlaps between physical and cyber security is essential. Businesses should also map out their servers, domains and IP addresses to understand their own vulnerabilities. Response plans also need to be prepared and drilled.
One area where the prepaid industry can have an advantage is managing third-party risk. Krebs said this was “the biggest elephant in the room” no one wanted to talk about, but if a company has a handle on this, it has a handle on security. Prepaid issuers have had regulatory guidance since 2011 from the Office of the Comptroller of the Currency that includes a provision saying banks’ third-party contracts should include: “procedures in the event of service disruption or security breaches that pose a material risk to the bank.”
Of course, guidance needs to be followed with action. An earlier panel at the conference highlighted managing third-party risk. Liz Nutting, senior vice president of strategic partnerships and network relations at Axos bank, said that banks need to do risk assessments at least yearly and more often if risks are high.
Risks need to be reevaluated when a third party does something like making a major software change, added Alicia Reid, associate general counsel at FSV Payments Systems.
Perhaps the most surprising advice Krebs offered attendees was to encourage people to “hack their companies.” Finding weaknesses is ultimately the best way to manage them. He said companies can hack themselves by trying things like testing common passwords to break into accounts from the outside.
“If you want to know how vulnerable you are, just start hacking your own people,” he said.
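The password test Krebs describes is usually safer to run against a copy of the organization’s own credential store than against the live login page, where repeated guesses trip lockouts and look like an attack to the monitoring team. The following is an added illustration, not code from the talk or the conference: it audits a constructed set of salted PBKDF2 password hashes against a short list of common passwords, expanded with the season-plus-year patterns that real password sprays lean on. The account records, the wordlist and the iteration count are all made up for the example; a real audit would read the store’s own hash parameters and run with written authorization.

```python
import hashlib
import hmac
import os

# Deliberately low iteration count so the example runs quickly; a real audit
# must use whatever parameters the credential store actually applied.
ITERATIONS = 50_000
SEASONS = ("Spring", "Summer", "Fall", "Winter")


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, the scheme the constructed records below pretend to use."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(username: str, password: str) -> dict:
    """Build one constructed account record with a fresh random salt."""
    salt = os.urandom(16)
    return {
        "user": username,
        "salt": salt,
        "iterations": ITERATIONS,
        "hash": hash_password(password, salt, ITERATIONS),
    }


# Constructed sample accounts. Three of the four use guessable passwords.
SAMPLE_ACCOUNTS = [
    make_record("alice", "Summer2019!"),
    make_record("bob", "correct horse battery staple"),
    make_record("carol", "Password1"),
    make_record("dave", "Welcome123"),
]

# Constructed base wordlist; a real audit would use a far larger breach-derived list.
BASE_WORDLIST = ["123456", "Password1", "Welcome123", "qwerty"]


def seasonal_candidates(years, suffixes=("", "!", "1")) -> list:
    """Season+year passwords (e.g. 'Summer2019!') that users pick to satisfy rotation rules."""
    return [f"{season}{year}{suffix}"
            for season in SEASONS for year in years for suffix in suffixes]


def build_wordlist(years=(2018, 2019)) -> list:
    """Base list plus seasonal patterns, de-duplicated while keeping order."""
    return list(dict.fromkeys(BASE_WORDLIST + seasonal_candidates(years)))


def audit_common_passwords(accounts, wordlist) -> list:
    """Return (user, matched_password) for every account whose stored hash
    equals the hash of some wordlist entry under that account's own salt."""
    weak = []
    for rec in accounts:
        for candidate in wordlist:
            digest = hash_password(candidate, rec["salt"], rec["iterations"])
            # Constant-time comparison is habit, not necessity, in an offline audit.
            if hmac.compare_digest(digest, rec["hash"]):
                weak.append((rec["user"], candidate))
                break
    return weak


if __name__ == "__main__":
    for user, pw in audit_common_passwords(SAMPLE_ACCOUNTS, build_wordlist()):
        print(f"{user}: common password in use ({pw!r})")
```

Because each candidate has to be re-hashed under every account’s salt, the cost grows with accounts times wordlist size; that is the intended property of salted, iterated hashing, and it is also why an audit like this is scheduled rather than run on every login.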
The final advice Krebs offered was for everyone to make sure they did not fall prey to thinking that they know more than they do.
“All of us win – personally and professionally – when we challenge our assumptions about security,” Krebs said.