The massive cyberattacks that struck JPMorgan Chase and other leading U.S. financial services firms illustrate just how vulnerable large institutions can be. They also show why it's so critical for organizations to encrypt all customer data, says Chuck Easttom, a computer security and forensics expert and author.
"We simply are not doing enough to protect data," Easttom says during this interview with Information Security Media Group. "Having data sitting on a server unencrypted is an egregious omission in the security posture. ... Unfortunately, there are lots of companies, not just banks - healthcare, hospitals, all sorts of organizations - that have, frankly, too low of a security posture."
Organizations have to get ahead of regulatory mandates and make cybersecurity part of their overall corporate strategy, with understanding and buy-in from the top, he says.
"Organizations don't have to wait for regulation," Easttom says. "They need to start bringing security to the forefront of all their conversations ... and those conversations need to be at the highest level."
Larger Organizations Make Easy Targets
Having cybersecurity discussions at the board and C-suite level is becoming increasingly critical, especially for larger organizations, he says.
"The larger the network, the easier it can be to get in," Easttom says. "They have so many points of connection, with outside vendors, with partners, with remote workers coming from home to log into the network. There are so many points of entry that the chances of me [as an attacker] finding one of those that is vulnerable are pretty high."
Because the risk of network intrusions is so high, encrypting all personal information, including contact information about customers, should be a top priority, he adds.
"I am amazed at how often people don't encrypt their data," Easttom says. "Major companies don't do it, and I'm frequently called to work on cases where personal information was sent in an email that was unencrypted and then stored in a database somewhere that wasn't encrypted. And the sad thing is, encryption is so easy to implement."
Easttom points to the common availability of email encryption services as an example.
"Very few people I talk to actually encrypt their email," he says, even though email encryption is very easy and inexpensive to implement.
The same is true for database encryption, Easttom says. "Database encryption is relatively easy to implement; but a lot of companies don't do it, which means if I can get any level of access to your network, I have a really, really good chance of being able to read this personal information, because it's there in plain text," he says.
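Easttom's point is that encrypting personal information before it is stored removes the "plain text in the database" exposure he describes. The following Go program is an added illustration, not code from the interview or from Easttom, of application-level field encryption: each PII column is sealed with AES-256-GCM before it is written, the row and column name are bound as additional authenticated data so a ciphertext cannot be moved between rows or columns undetected, and the application decrypts on read. The in-memory `Table` type, the `Customer` record and the sample values are constructed stand-ins for a real database table; the key in `main` is generated per run for demonstration only, where a production deployment would fetch it from a KMS, HSM or secrets manager rather than keep it next to the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Customer is the row as application code sees it: plaintext PII.
type Customer struct {
	ID    int
	Name  string
	Email string
	Phone string
}

// FieldEncryptor holds one AES-256-GCM key (assumed to come from a KMS/HSM).
type FieldEncryptor struct{ aead cipher.AEAD }

func NewFieldEncryptor(key []byte) (*FieldEncryptor, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldEncryptor{aead: aead}, nil
}

// aad binds a ciphertext to its row and column: a value copied into a
// different row or column fails authentication instead of decrypting.
func aad(id int, column string) []byte {
	return []byte(fmt.Sprintf("%d:%s", id, column))
}

// Seal encrypts one field; output is base64(nonce || ciphertext || tag).
func (f *FieldEncryptor) Seal(id int, column, plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := f.aead.Seal(nonce, nonce, []byte(plaintext), aad(id, column))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open decrypts one field, verifying the GCM tag and the row/column binding.
func (f *FieldEncryptor) Open(id int, column, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := f.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := f.aead.Open(nil, raw[:ns], raw[ns:], aad(id, column))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Table is a constructed stand-in for a database table: the strings it holds
// are exactly what would be written to disk.
type Table map[int]map[string]string

// Insert encrypts every PII column before it reaches the table.
func Insert(t Table, f *FieldEncryptor, c Customer) error {
	row := map[string]string{}
	for col, val := range map[string]string{"name": c.Name, "email": c.Email, "phone": c.Phone} {
		enc, err := f.Seal(c.ID, col, val)
		if err != nil {
			return err
		}
		row[col] = enc
	}
	t[c.ID] = row
	return nil
}

// Lookup decrypts a stored row back into a Customer; any tampering or
// column swap surfaces here as an error rather than as wrong data.
func Lookup(t Table, f *FieldEncryptor, id int) (Customer, error) {
	row, ok := t[id]
	if !ok {
		return Customer{}, errors.New("no such row")
	}
	out := map[string]string{}
	for _, col := range []string{"name", "email", "phone"} {
		pt, err := f.Open(id, col, row[col])
		if err != nil {
			return Customer{}, fmt.Errorf("%s: %w", col, err)
		}
		out[col] = pt
	}
	return Customer{ID: id, Name: out["name"], Email: out["email"], Phone: out["phone"]}, nil
}

func main() {
	key := make([]byte, 32) // demo only: random per-run key, not a KMS-managed one
	rand.Read(key)
	f, _ := NewFieldEncryptor(key)
	db := Table{}
	_ = Insert(db, f, Customer{ID: 7, Name: "Ada Example", Email: "ada@example.com", Phone: "555-0100"})
	fmt.Println("at rest:", db[7]["email"]) // base64 ciphertext, no readable address
	c, _ := Lookup(db, f, 7)
	fmt.Println("in app: ", c.Email)
}
```

The design choice worth noting is the additional authenticated data: encrypting each field in isolation would still let someone with write access to the database copy one customer's ciphertext over another's, so the row ID and column name are authenticated along with the value and `Lookup` rejects the swapped row.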
During this interview, Easttom also discusses:
- Why socially engineered schemes that rely on personal information stolen in breaches are a growing concern;
- How banking institutions could improve their customer education campaigns about phishing and other socially engineered attacks;
- Why board and C-level involvement in cybersecurity is now essential.
Easttom, an independent consultant, has written 19 books, including several about computer security, forensics and cryptography. He holds six patents and 38 computer certifications, including many security and forensics certifications. Easttom has conducted training for law enforcement, federal agencies, Department of Defense-related personnel and friendly foreign governments. He frequently serves as an expert witness in computer-related cases and is a speaker at industry events.