Thwarting cybercrime starts with risk assessment.

One of the most important ways that businesses can protect themselves against cybercrime to is perform a thorough risk assessment, according to cybersecurity experts.

“Make sure you do a proper risk assessment to determine where you are vulnerable,” advised Chris Convey, vice president and chief information security officer with Sharp HealthCare, one of San Diego’s largest employers.

While it may not be possible to close every gap, companies should look for the most significant vulnerabilities within their computer networks and focus on those, Convey said.

At Sharp, cyber-risk assessments are performed annually, Convey said. Smaller companies that don’t have their own cybersecurity specialists can bring in outside consultants for an independent assessment of their cyber defenses.

Level of Assessment

Eric Basu, CEO of Sentek Global, a San Diego-based cybersecurity, engineering and software development firm, said, “Every company should look at this, from one person working out of their home, to a billion dollar company. They all need to do some level of assessment.”

The basic level of assessment involves running an automated program to look for network vulnerabilities, which can be done by an outside company, or using free, open-source software available online, said Basu.

The next level of assessment involves penetration testing by a certified ethical hacker, said Basu. This is someone who knows and uses the same tools and methods employed by actual hackers.

Penetration testing can include a variety of attempts to gain access to the computer network, from phishing emails to phone calls, all with the goal of obtaining log-in information such as user IDs and passwords. Penetration testing might even include efforts to physically enter the company’s building, and access its network through a computer terminal.

Data held on business servers can be worth big bucks to cybercriminals, said Basu. Credit card numbers sell for $2 to $4 apiece on the “dark web,” so a customer list with 100,000 entries could fetch $400,000. Medical records are even more valuable, selling for $20 to $80 apiece because they contain sensitive information such as Social Security numbers and birthdates, allowing the bad guys to use them for identity theft. Medical records for celebrities can sell for thousands of dollars apiece.

Among the top targets of cybercriminals, said Basu, are banks, government offices and defense contractors, the latter often attacked by foreign adversaries, in an effort to steal state secrets.

Going After the Giants

Tech companies, such as Qualcomm, Apple and Microsoft, are also targeted by thieves due to their valuable intellectual property, Basu said.

Today’s scammers have moved beyond the so-called Nigerian prince ruse, said David Inmon, CEO of Redhorse Corp., a San Diego-based government contractor in the technology field. In that infamous scam, emails were sent to potential victims, asking for bank account info or advance payments, in exchange for a share of the prince’s fortune.

In the modern version, Redhorse team members have received emails, purportedly from Inmon, asking them to wire tens of thousands of dollars to an account in Shanghai, or to purchase Apple gift cards and provide the codes on the back of the cards. The money is supposed to be for a special project, and the employees are admonished to keep the payments secret.

So far, Inmon said, the scams have not been successful, but the company remains vigilant and has put in place robust cybersecurity measures.

Complete Plan

Robin Gonzalez, chief technology strategist with Redhorse, said the company has conducted assessments of all of its systems, and has created a series of documents, including a system security plan, a cyberincident response plan, and a list of milestones and actions needed to keep its security measures up to date.

Every day, Gonzalez said, there are literally thousands of attempts to penetrate the company’s defenses, by actors from around the world. That’s why businesses need to maintain a high level of preparation and awareness of cyberthreats.

“It’s pretty much across the board. As long as you are connected to the internet, you are vulnerable,” Gonzalez said.