Thwarting cybercrime starts with risk assessment.

One of the most important ways that businesses can protect themselves against cybercrime is to perform a thorough risk assessment, according to cybersecurity experts.

“Make sure you do a proper risk assessment to determine where you are vulnerable,” advised Chris Convey, vice president and chief information security officer with Sharp HealthCare, one of San Diego’s largest employers.

While it may not be possible to close every gap, companies should look for the most significant vulnerabilities within their computer networks and focus on those, Convey said.

At Sharp, cyber-risk assessments are performed annually, Convey said. Smaller companies that don’t have their own cybersecurity specialists can bring in outside consultants for an independent assessment of their cyber defenses.

Level of Assessment

Eric Basu, CEO of Sentek Global, a San Diego-based cybersecurity, engineering and software development firm, said, “Every company should look at this, from one person working out of their home, to a billion-dollar company. They all need to do some level of assessment.”

The basic level of assessment involves running an automated program to look for network vulnerabilities, which can be done by an outside company, or using free, open-source software available online, said Basu.

The next level of assessment involves penetration testing by a certified ethical hacker, said Basu. This is someone who knows and uses the same tools and methods employed by actual hackers.

Penetration testing can include a variety of attempts to gain access to the computer network, from phishing emails to phone calls, all with the goal of obtaining log-in information such as user IDs and passwords. Penetration testing might even include efforts to physically enter the company’s building, and access its network through a computer terminal.

Data held on business servers can be worth big bucks to cybercriminals, said Basu. Credit card numbers sell for $2 to $4 apiece on the “dark web,” so a customer list with 100,000 entries could fetch $400,000. Medical records are even more valuable, selling for $20 to $80 apiece because they contain sensitive information such as Social Security numbers and birthdates, allowing the bad guys to use them for identity theft. Medical records for celebrities can sell for thousands of dollars apiece.

Among the top targets of cybercriminals, said Basu, are banks, government offices and defense contractors, the latter often attacked by foreign adversaries in an effort to steal state secrets.

Going After the Giants