Deloitte’s Shavonne Smith warns that even the most innocuous actions can expose companies to cybercriminals . . .
From viruses and worms to rootkits, trojans, bots and more, malware (short for ‘malicious software’) has become the cybercriminal’s weapon of choice for subverting digital devices.
No device is immune. Malware can infect anything that accepts electronic information, including such unconventional targets as cash registers, cameras and even cars. This breadth of exposure may represent a significant vulnerability in environments where employees use smart phones, tablets, laptops and other mobile devices for both personal and business purposes.
A company with highly mature anti-malware will address the problem from both the user and technology sides. On the user front, a company should develop, communicate and enforce policies that limit the use of personally-owned devices for business purposes and vice versa. This can help prevent users from infecting corporate devices with malware prevalent on sites visited mainly for personal reasons, as well as reduce the risk that an infected personal device will contain sensitive corporate information.
Loose lips still sink ships
No one questions the need to protect information that a company designates as confidential. What many people do not realise, however, is that cybercriminals can also benefit from information that the company and others intentionally share.
Human resources may unknowingly put details in a job description – say, for an IT security position – that reveal the precise version of the enterprise resource-planning platform your company is running, and the security software you are using to protect it.
An employee posting to a social media site may mention in passing that he or she manages the company’s passwords, thereby telling cybercriminals exactly who they need to target, using phishing and other social engineering tactics, to gain access to your company’s network. Stringent policies should be written into the company’s agreements with employees, suppliers and contractors.
Mature cyber threat risk management: Proactive and preemptive
To conclude, we would like to note that the approach we have outlined in this series is not intended to be a substitute for a formal, rigorous IT security assessment performed by specialists.
Instead, we have endeavoured to give companies a head start towards understanding their own capacity and capabilities for managing and mitigating the ever-present risk that cyber threats pose today.
The insights a company may gain through these steps can help guide further inquiries that examine the issue in greater depth. This may include requesting a formal assessment on how a company can move its cyber threat risk management practices toward a more proactive, preemptive and mature approach.
In closing, we believe that exploring cyber threat risks with the executive team can yield dividends beyond helping a company to improve governance in this area of risk alone. It can also provide an opportunity to build a more productive dialogue with executives about IT risk management in general.
• NB: The information in this series is based on the Deloitte white paper, ‘Risk intelligent governance in the age of cyberthreats’. For more information on Deloitte Bahamas Risk Advisory Services’ Cybersecurity offering, contact Lawrence Lewis, risk advisory services partner, at 1(242)302-4898 or email@example.com, or Shavonne Smith, senior risk advisory services consultant, at 1(242)302-4880 or firstname.lastname@example.org.
Ms Smith holds a Master of Science (MSc) degree from Capitol College in Baltimore, Maryland, and specialises in information assurance and network security. She also holds the CISA designation (Certified Information Systems Auditor), and several Microsoft certifications.