Over the last few years, household goods moving conglomerate Arpin Group has relied on tactic that remains fairly uncommon in the transportation world to ensure that its cyber defenses are solid: using third party firms to launch hack attacks against itself.
Donald Frazier, senior vice president of information technology at Arpin Group, told Fleet Owner that those “attacks” aren’t just directed at the company’s electronic systems, either, as the third firm it hired – Digital Boundary Group (DBG) – also used faxes and well as random phone calls to unsuspecting Arpin employees to try and wheedle passwords and other cybersecurity details from them.
“Penetration tests always find something with every company—cybersecurity is like a race that is never finished,” he explained.
“The results of these tests are so important to our security because we can identify weaknesses and patch them before a criminal can find them,” Frazier added. “And where the vulnerability might occur because of human error, we can train our staff how to watch for the newest scams and attacks so they don’t fall victim to one.”
That matches findings by Arctic Wolf Networks, a leading security operations center (SOC)-as-a-service company, in its State of Mid-Market Cybersecurity: Findings and Implications survey conducted with Vanson Bourne.
That poll of 200 IT decision makers in the U.S. who oversee middle-sized corporate cybersecurity programs found “major gaps” exist between the perception and reality of cybersecurity challenges; while the majority maintained “very high confidence” in their cybersecurity defenses, in reality, they struggled to defend against malicious activity that has become more sophisticated, more targeted and severe, explained David Monahan, a senior analyst with Enterprise Management Associates.
“Many mid-market organizations seem to have a sense of security bravado that leaves them particularly vulnerable to compromise,” he pointed out.
“Malicious activity has been on a steady increase over the last few years and has been especially targeting small and mid-market business because they have valuable data but are generally unprepared for the assault,” Monahan noted.
“About 70% of ransomware attacks happen to organizations under five thousand employees and 60% of the attacked organizations go out of business within six months,” he stressed. “Given these types of statistics, it is imperative that mid-size organizations seriously consider services that are specifically designed to provide the mid-market businesses with enterprise-grade security that fits a mid-market budget.”
The bottom-line threat is so much larger today because the “monetary impact’ from data breaches is growing exponentially, according to an annual global study sponsored by IBM Security compiled by the Ponemon Institute.
The most recent IBM/Ponemon study, released late last year, determined that the average cost of a data breach increased 29% to $4 million since 2013, while the number of cybersecurity “incidents” continue to grow in both volume and sophistication, with 64% more security incidents reported in 2015 versus 2014.
And as cybersecurity threats become more complex, the monetary harm they inflict continues to increase as well, the IBM/Ponemon study finding that companies now lose $158 per compromised record.
“It’s certainly a tough sell to a transportation company to spend money of cybersecurity testing every year – and it is a yearly effort,” added Arpin’s Frazier.
“What drives a lot of our cybersecurity concern comes from our customers; they are sending and receiving information that must be protected. But how do you know it’s secure? You can throw all the money in the world at security solutions, but you really won’t know if they work unless you test them,” he explained.
“Our systems get connected to thousands of other systems: we don’t want someone to be able to use one of them to drop into our database and take blocks of information: addresses, phone numbers, social security numbers, etc.,” Frazier added.
That’s why DBG, the firm Arpin hired ot test its cyber defenses, deployed the same methods that a criminal might use to discover and exploit the company’s potential vulnerabilities, Frazier noted.
The test started by gathering information about Arpin through publicly available sources such as social media, domain registries, certificates, email, mobile phones, etc.
Once phase on was complete, DBG then attempted to break into Arpin’s systems by exploiting possible points of vulnerability, such as sending emails, texts and faxes to employees with malicious links or forcing entry via known software bugs, he said – adding that this “penetration test” is repeated on an annual basis, occurring on a random date so that Arpin staff cannot prepare for it.
“In the end it’s worth it to educate and make workforce more aware,” Frazier emphasized. “We do 30,000 shipments a year, plus 60% to 65% of our business happens between May 1 and Sept. 1. That puts a lot of pressure on all of us – and since it’s all happening in the electronic age, we need to be prepared.”
Many enterprises believe they are safe because they have the “traditional” perimeter defenses in place, noted Brian NeSmith, CEO of Arctic Wolf Networks, but such defenses “fall far short” of what’s needed for rigorous security in today’s complex threat environment.
“The challenge smaller enterprises face is that they have all the same security issues as large enterprises with only a fraction of the budget and less specialized personnel,” he explained.
That’s why such “penetration testing” to ensure Arpin’s cyber defenses are secure is proving vital to the company in more ways than one, Arpin’s Frazier added.
“You can’t tell if you are saving money by having this in your budget, but we’re not dealing with hacking problems – that is the real return,” he explained. “A lot of times our employees get embarrassed over a mistake, but we are focused on educating them via these tests, not penalizing them.”
Frazier pointed out that it’s hard to truly inculcate good cybersecurity practices unless you’ve been compromised.
“That’s why you can’t look at such testing as a pass/fail exercise – it’s about educating everyone on the importance of good cyber security practices,” he emphasized. “That’s the approach you need to take.”