Leadership In Action
Take Five on Information Security with Vince Doran
“Eighty percent of cyber incidents involve some sort of human involvement.”
This startling stat was shared by Vince Doran, ProSight’s Chief Information Security Officer. Despite the increase in cyberattacks, there are ways to keep your organization secure. In this educational conversation, Vince explains how ProSight safeguards the sensitive data that flows through its systems—and reveals more interesting tidbits on the topic of information security (or InfoSec, for short).
1. Would you say there’s one group responsible for the majority of today’s cyberattacks?
VD: Right now, it really comes down to two primary groups. The largest is organized crime, by far. Back around 2002 to 2004, organized crime groups started developing cyber capabilities. They knew if they didn’t have some sort of hacking ability, they’d be left behind. Cybertheft brings in a significant amount of dollars to organized crime families.
The second group is nation states that have limited revenue streams. Maybe they don’t have natural resources they can readily exploit, or they’re heavily sanctioned. As a result, they’ve developed cyber capabilities to fund some of their activities. Since the primary motivator for threat actors (or cybercriminals) is always money, they’re after anything they can readily and easily monetize—like social security numbers and bank card numbers. Those are the sought-after items.
2. What are the main ways cybercriminals gain access to a company’s systems?
VD: They’re opportunists, so they’ll look for the easiest way in—like sending a phishing email to get an employee to click on a link. In about 80% of these incidents, there’s some sort of human involvement: someone responding to a phishing attempt, inadvertently supplying their credentials to a fake website, or clicking on a link that downloads malware onto their computer. Our systems have a high degree of reliability to detect this type of fraud, probably over 90%, but there will always be some that get through.
Then, there’s business email compromise: A threat actor can gain your credentials and send an email as you to people who would most likely trust it—and that email could potentially contain links, malware, whatever the case may be. In plenty of organizations, I’ve seen business email compromise result in a wire transfer that was fraudulent.
We’ve also seen a lot of information in the news around ransomware. It seems like these occurrences are almost weekly, certainly monthly. The ability to deny an organization access to their systems and the data within those systems will bring a company to its knees. More and more, we’re seeing organizations pay ransom to the cybercriminals responsible to get back online. In the case of an insurance company, they could potentially gain information about insureds—like policy limits, for instance, so it sort of gives them a playbook on how to negotiate. “If you don’t pay us X dollars, we’re going to release this publicly.”
3. Since ProSight deals with so much sensitive customer data as part of our business, how do we ensure our Information Security is top notch?
VD: One of the things we do is leverage two security rating organizations to monitor our security posture for areas of vulnerability: SecurityScorecard and BitSight. They’re like TransUnion and Equifax, the credit monitoring companies, but for security monitoring. In terms of scoring, they use a rating system of basic, intermediate, and advanced. ProSight’s score is in the advanced range for both companies. What does this mean? If a company is in the mid-basic range, they’re five times more likely to suffer a breach than a company in the advanced category, like ProSight. This shows our partners and customers how seriously we take information security.
4. Are there any emerging cyberthreats to look out for on the horizon?
VD: Cybercriminals adapt quickly to the times, and we’re starting to see them move to something called smishing. It’s phishing, but via text message. The trend today is for people to use their personal mobile devices for business instead of a dedicated work phone. Unfortunately, IT departments don’t have a lot of control over the security of these devices, and a lot of them are running older operating systems that have vulnerabilities. Criminals can potentially exploit the phone and undermine two-factor authentication, especially through text since it’s a target-rich environment and people tend to trust texts more. So, it’s important for companies to look for processes to help protect against this growing threat and come up with creative solutions to secure these BYODs (Bring Your Own Devices) so employees can still have the convenience of carrying one device.
5. Any words of advice to help businesses strengthen their InfoSec efforts?
VD: Information security is the entire company’s responsibility, so put a robust education plan in place: new hire training, annual employee awareness, and quarterly phishing exercises to monitor areas of vulnerability. Remind people not to reuse passwords. It’s these little things that really help employees understand and recognize the various tactics being used by cybercriminals. My motto is: “Be vigilant. Be a little skeptical. But don’t be afraid.”
As we wrap up our time together, Vince shares some final thoughts: “Information Security is meant to support the business, not the other way around. That means collaborating on projects to push the business forward while keeping the information secure.”
To chat with Vince Doran about all things related to InfoSec, reach out to him here.
—Written by the ProSight Team