Whether your IT guy lets you know or not, your business-critical assets are NOT SECURE!
No system is secure. If you think otherwise, you are fooling yourself. A study by Ponemon revealed the truth. Out of 2000 companies tested, the penetration testers claimed that only 13% posed any difficulty. Read that again. All 2000 were breached! Only 13% were at all difficult to break into.
These are not just two-person small businesses. They range from large enterprises to small and medium-sized businesses. An article in The Wall Street Journal stated that even the NSA and Homeland Security admit their vulnerability. The NSA spent over $54 million to protect its systems and still got hacked – the same year. The DoD said they know the bad guys are in their networks, and all they can do is try to keep them from gaining access to critical data.
If you had a pen test and the testers were not able to break in – FIRE THEM, they are incompetent.
You may not think you have any secret data that someone would want, but you are mistaken. There are generally 3 types of ‘hackers’: government-sponsored advanced groups, hacktivists and cybercriminals. They are all after the same thing, but for very different reasons.
David Stelzl explains it best in his book Digital Money.
- APTs – Large, well-funded, often government-sponsored groups that are generally involved in espionage and in stealing data that will advance their technological advantage over other nations.
- Hacktivists – They are usually not really concerned with money or trade secrets. They want to advance a cause, like saving the whales or the environment. They attack to gain leverage over a company, with the goal of making the company change its views.
- Cybercriminals – These can range from unskilled general criminals to small groups with the goal of separating you from your money. The most common form of attack is ransomware, which encrypts your data, making it unusable until you pay their ransom. This is by far the most prolific and the most devastating to the SMBs who are attacked. They will generally use some sort of social engineering to gain access to your systems.
A report in the WSJ stated that malicious software will generally reside on a system for an average of 250 days before it is activated or deployed and can be up to 14 months before the infection is found by the victim.
One important thing to remember is that, just like everyone else, hackers are LAZY. They will always go for the low-hanging fruit. Just as a burglar will continue on to the neighboring house if yours has a security sign in the front yard, they will weigh the risk and move on to an easier target. So what do you do? Make it harder for them. Here are a couple of things you can incorporate in company policy to get headed in the right direction. Just remember that you will also need to enforce them strictly, otherwise you are just wasting your energy and time.
1- Passwords. – Have a strong password policy mandated at the corporate level and make NO exceptions. I also recommend you require multi-factor authentication. NEVER make exceptions – even for the executives, who are the ones most often targeted by hackers. A password complexity and length policy should also be implemented. All system passwords should require a reset at least every 90 days.
2- Emails. – Never trust a link in an email, even if the sender's email address seems to be right. It just takes an easy check to verify a valid link: hover over the link and check the address that pops up in the lower part of your email program. If you are still unsure, DO NOT CLICK! You can send a new email to the supposed sender to verify (do not reply – type in the email address yourself). Alternatively, you can call the person to verify if you know them personally. If it is from your bank or another place you regularly do business with, do a web search or use a link you have personally bookmarked.
3- Devices. – Never plug in a USB device whose history you do not know. If you find one on your desk, in the cafeteria, or in the lobby or parking lot, DO NOT USE IT! If you believe someone may have misplaced it, take it to your IT dept and have them verify it. They should have the ability to check it out on a non-connected computer, or on one that is a VM or in a ‘sandbox’ environment that is isolated from your network.
I hope these tips help you in keeping your network, employees and family a little bit safer when using technology.
For info on how to test your users and train them to be your data security champions, get in touch. Your users can be your best defense.