An Example of a Cyber-Incident

After learning about the exploitation of the US Government employee data base breaches of the NSA and IRS and the exploitation of the Social Security system affecting 21.5MM people , maybe it's time for you to direct at least one eye towards your data security.

There are three basic business types we see typically when it comes to IT security – possibly you recognize yourself as one of them?

Some small company's IT Security is still run like Mr. Gunslinger's – This is a true story but the names have been changed to protect the embarrassed!

Mr. Gunslinger started his first restaurant 5 years ago and instantly had lines out the door. Everyone knows you don’t mess with Gunslinger and his baseball bat. Two or three restaurants later Gunslinger can no longer do bookkeeping by hand and has to put his books on a computer. He hires Ms. Bookkeeper. Ms. Bookkeeper makes the deposits from the restaurants, does online bank reconciliation, answers emails, posts on Facebook (as well as personal email and other social media) and pays the bills all on the same computer. One day Ms. Bookkeeper gets an email from Mr. Gunslinger to send a check for $9,000 to a new vendor for a bakery oven. Ms. Bookkeeper emails back that she has the check ready for Mr. Gunslinger’s signature. Mr. Gunslinger responds that this is time-sensitive, Ms. Bookkeeper should sign and mail the check. Ms. Bookkeeper then calls Mr. Gunslinger just to verify (as this is not the usual procedure for such a purchase) and as you might have guessed by now Mr. Gunslinger knew nothing about the order. On closer inspection, the emails had come from GunslingAr not GunslingEr.

While mulling over how this happened, Ms. Bookkeeper getsa call from the local bank informing her that someone is trying to cash a check for $3,300. All the right information was on the check (ABA #, Account #, even a good-looking signature) but bank felt it was worth a call - just to be sure. The check was a well printed fake. Bad checks started coming in from six different accounts.

Mr. Gunslinger goes to the local police who bump it up to the State Police and FBI who promise to investigate the matter. Mr. Gunslinger promises to update the authorities as/if/when new occurrences and to change all existing bank accounts.

We're not done with this incident yet:

Ms. Bookkeeper gets another email from Gunslingar inquiring about the original check he had instructed Ms. Bookkeeper to send out. Ms. Bookkeeper immediately forwarded the email to the State Police.

What happened next? Ms. Bookkeeper looks at her computer and, right before her very eyes, every single email to and from Gunslingar is erased, one at a time. Upon investigation we had established that Gunslingar had taken complete control of her computer months before!

Most small company's IT Security is run like Mr. Softee's - Again, names have been changed to protect the embarrassed.

Mr Softee’s modus operandi, as it relates to IT Security, is I trust my people, therefore I will not become a victim. Softee likes to hire friends and family. Where special skills are required, Softee will hire specialists who may or may not have been recommended by friends/family.

Mr. Softee might even have the same person make deposits, write checks and do bank reconciliations, Yikes! BUT, even Mr. Softee has an outside firm do a look see and do the write-ups and tax returns.

Typically, Mr. Softee has someone running all IT functions who has been with the company for many years. Softee's IT guy will tell Mr. Softee – “Don’t worry, I have all the anti-virus and current patches in place – we are secure,” so Softee is assured that his business is not at risk because his IT Staff says so.

Suddenly, on the worst possible day, the website is hacked and PC’s data are corrupted. Mr. Softee is scrambling to reach out to important customers to apologize; the bookkeeper is changing bank accounts; police are called in, and, well, I am sure you get the idea.

What’s wrong with what Softee did? Mr. Softee had outside auditors for his financial records, but no one doing even a cursory outside audit of his IT infrastructure.

A few small company's IT Security is run like Mr. Pragmatic's and are the epitome of Trust but Verify

Mr. Pragmatic trusts his bookkeeper, but he has a different person sign checks than who deposits $$. Someone else does the bank reconciliations and an outsider comes in regularly.

Mr. Pragmatic trusts his IT staff – he thinks the world of them – they are the most talented in the world. But he has an outside auditor perform Vulnerability assessments and Penetration Tests.

You've gotta know that if you are breached, you run the risk of a compromise of your data, your customer’s data, and any information that has touched the compromised systems.

We are the outsider auditors.

Our Simple Three-Step Process

1. Meet with one of our cyber-security engineers to provide basic information about your technology environment and we respond with a proposal.

2. Schedule and perform testing and we provide a detailed report of our findings including a detailed action plan for remediation.

3. We meet with you to review our findings and recommendations and if desired, we assist you in remediation.

Intrigued? Call us at 212-328-1160 and let’s have a chat!

Cardinal Data Systems, Inc.

New York, NY