I have the perfect 100% guarantee to protect your information systems from ANY cyber-attack. You will pay me handsomely for my solution too. Here it is: Cut the power cord on your PC and bury everything in concrete. Problem solved! Ha, hack that hackers! Although this drastic measure is theoretically effective, it’s obviously a non-starter. However, the idea does illustrate a greater and more important point: if your systems are powered up and connected in some way to the Internet, then you are susceptible to cyber-attack. Period.
How do you really know you are as protected as you can be? How do you know the solutions in place are actually working? In this blog post I will provide you 7 critical factors to help you evaluate whether your company has taken the prudent steps to protect itself from cyber criminals. Again, nothing here is foolproof, but it is folly not to heed these words. For good measure, let’s first discredit two prevailing myths about the current state of cyber-crime.
Myth #1: Cyber-crime affects only large organizations. One of the biggest misconceptions out there is the crazy idea that risk is directly proportional to the size of the company. FALSE! Although cyber criminals a few decades ago set their sights almost exclusively on very large targets, the reverse is now true. Criminals are specifically targeting smaller organizations and individuals for two important reasons. First, smaller organizations tend to lack the security controls to adequately protect themselves and thus are easier to attack. Second, these smaller transactional crimes are often not pursued by law enforcement due to the sheer volume of reports, the lack of manpower to prosecute, and the cost of recovering smaller sums.
Myth #2: Most cyber-criminals are whiz kids having fun. Perhaps the notion of a 15-year-old kid hacking into the Pentagon makes for an interesting 1980s Hollywood movie, but the reality looks much more like a 1970s movie that had nothing to do with technology: The Godfather. That’s right, today’s cybercriminals behave much more like a highly organized, efficient, and effective crime family. Make no mistake: cyber-crime is a well-funded (sometimes state-funded), international, highly motivated and insanely profitable business. That’s correct, a “business”.
So now with those two myths debunked, you are ready to take a hard look in the mirror to help evaluate and protect yourself.
- Train Employees on Security Best Practices. If you do nothing else, pay attention to this. The #1 threat to business networks is the employees using them. A hacker can often con a user into infecting an entire network by opening and clicking a sinister e-mail or visiting a website that can take control of the user's computer. If employees don’t know how to spot suspicious e-mails, online scams, or other nefarious activity, they could become the unwitting puppets helping to compromise your network. Your employees should be required to attend periodic self-defense training, whether online or in person. There’s a lot of cost- and time-effective online training designed to help non-techies protect themselves.
- Create an Acceptable Use Policy (AUP) and Enforce It! An AUP outlines how employees are permitted to use company-owned PCs, devices, software, Internet access and e-mail. I highly recommend you create a policy that defines exactly what they can and cannot do. But a policy alone is worth zero unless you are willing to put some teeth into it. You must enforce policies with content-filtering systems that can log, audit and control the types of Internet traffic and even websites that can be visited. This is essential if you are subject to any sort of compliance.
- Passwords and Passcode Policy. Creating and enforcing a password policy on most systems is child’s play for any IT administrator. But many overdo the controls and create policies that are too cumbersome. This then creates a backlash from users who revolt. A good password policy is about balance – not about how burdensome we can make it for people to log on. Password policies should force users to select moderately complex passwords (length and diversity of character types), keep a history of passwords (to prevent re-use), and force changes periodically (once a year is neither periodic nor prudent). Find the right balance for your organization. Unless there are compliance or regulatory issues, I recommend passwords expire every 120 days. And don’t forget about mobile devices. All of them should be required to use a PIN code for access.
- Keep Your Updates Up-To-Date. The recent WannaCry Ransomware attack was successful in some organizations because it exploited a vulnerability in the Windows Operating System that had been fixed by Microsoft many months earlier. If your computer was up-to-date with Windows Updates, then you had very little to worry about. But if not… well then, congratulations, you were part of the news! Now, patching itself has inherent risks (it can potentially introduce new bugs) and should not be managed lightly. But avoiding or delaying it for too long can have costly consequences.
- Invest in Disaster Recovery. Disaster Recovery (DR) solutions sound complex and expensive. There was a time when that was true. But there are many reputable technologies and vendors offering enterprise-grade (read: big company) solutions for reasonable and even low prices. Look upon DR as an insurance policy. We all hate to pay the premium, but sure are glad we did when there is a problem and we need coverage. A proper DR solution will help you recover lost or destroyed data and can thwart a Ransomware attack by restoring data at a point just before the attack.
- Understand and Control Shadow IT. Shadow IT, simply stated, is the collective sum of all technology in use by your organization that your IT department either did not authorize or does not even know is being used. Take Google Drive for example. An employee needs to share a confidential document with an external trusted party. Instead of asking IT for help, he decides to create a Google Drive account and share it that way. Your IT department has no idea this employee just violated a company policy, is in breach of legal compliance, or put the company's reputation at risk. Shadow IT is incredibly difficult for IT managers to control because much of it exists on “BYOD devices” (Bring Your Own Device) such as tablets and smartphones, or takes the form of a cloud-based service accessible from any web browser. The world of technology is advancing at a dizzying pace. We can’t know everything that’s out there, but rest assured that if a technology exists, your employees will likely find it before IT does.
- Penetration Testing. Pen Testing is a service whereby you hire a company to hack into your systems. Wait, what? Yes, you pay them to hack you. Of course, they are a reputable company that specializes in finding holes and weaknesses in corporate IT systems. They do so ethically and with the intent of helping you strengthen your defenses after they “hack” you. Many such firms will work with you on a one-time, periodic or even continuous basis.
Cyber-crime is not going away and will only get more complicated with time. The criminals are highly motivated by money, and the ease of access the Internet provides makes their reach global. No one is safe, but there are many things you can do to protect yourself and to minimize and manage the risks. The seven factors above are some of the most critical to review. But if you are unsure of your current state, then I advise you to consider an audit from a reputable IT Service Provider.
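The password policy item above names three controls: moderate complexity (length and diversity of character types), a password history to block re-use, and expiry every 120 days. The following is an added example, not code from the post or its author, showing how those three rules can be checked in a self-service password-change handler; the exact length, class count and history depth are assumed values, and history entries are stored as salted hashes rather than plaintext.

```python
import hashlib
import hmac
import string
from datetime import date, timedelta

# Policy parameters. The 120-day expiry comes from the post; the length,
# character-class and history-depth numbers are assumptions for this example.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3       # out of: lowercase, uppercase, digit, symbol
HISTORY_DEPTH = 10              # how many previous passwords are blocked
MAX_AGE_DAYS = 120


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the history keeps only these digests."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def violations(candidate: str, history: list) -> list:
    """Return the policy rules the candidate breaks (empty list = accepted).

    history: list of (salt, digest) tuples for previous passwords, newest first.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if character_classes(candidate) < MIN_CHARACTER_CLASSES:
        problems.append("not_diverse")
    for salt, digest in history[:HISTORY_DEPTH]:
        # Constant-time comparison so timing does not leak which entry matched.
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            problems.append("reused")
            break
    return problems


def password_expired(last_changed_iso: str, today_iso: str) -> bool:
    """True once the password is older than MAX_AGE_DAYS (dates as ISO strings)."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age > timedelta(days=MAX_AGE_DAYS)
```

A login flow would call `password_expired` at sign-in to force a change, and `violations` on the proposed replacement before it is accepted.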
Thank you to Robert Cioffi for contributing this article!