Improving cyber security starts with accepting that your organization is not immune from cybercrime and educating yourself on the biggest threats to your computer networks and data. You can then begin taking concrete steps to shore up your cyber security defenses.
This article looks at the five biggest cyber security risks organizations face, then offers a five-step battle plan for the fight against cyber criminals.
5 TOP CYBER SECURITY RISKS
You might think that most business leaders are well-aware of the threat posed by cybercriminals. After all, high-profile breaches at Sony, Target, and innumerable other organizations have generated a flood of media coverage and social media chatter. Despite that, far too many business professionals still don’t grasp the size and severity of the threat.
One of the toughest mindsets to overcome is one that believes the organization either has nothing worth stealing or is too small to be targeted—or both. Wrong. Everyone is at risk.
Still think you’re too small to be a target? Hackers usually target anyone with a vulnerability in their IT systems. And when they do pick a target, hackers sometimes choose small organizations solely to gain access to other organizations.
The bottom line is that you don’t know what you don’t know. If you don’t realize you are at risk, you are not likely to take steps to identify and subsequently mitigate the risk.
Passwords continue to be a major security risk for organizations. The Verizon RISK team’s Data Breach Investigations Report found that 76% of corporate network breaches directly resulted from lost or stolen credentials. Weak, easily hacked passwords are also a concern. SlashData’s annual “Worst Passwords” report, which is compiled from millions of leaked passwords, has found that since 2011 the most frequently used passwords are “123456” and “password.” And not only do people use simple, weak passwords, but they also often use the same one for everything, further magnifying the risk. A breach exposing passwords on a social networking site might seem unrelated to your business. But what if an employee’s password was exposed in the breach and his or her place of employment or bank was identified on a profile page? The compromised password could be used to attempt to log in to other systems. Add in what is now standard remote access to systems by vendors, and the problem again grows larger. Several major breaches have involved compromised vendor credentials.
As hard as it is to believe, Sony actually had a folder called “Password” on its breached network. It’s hard to imagine how this could happen in an organization so large, but during our IT security audit work, we routinely see not only passwords written down in all kinds of places, but also unsecured password documents stored on employee computers and mobile devices. Don’t do this.
If you are overwhelmed by the number of passwords you need and just can’t remember them all, you might want to consider using a password manager that securely stores your passwords for various sites. With this approach, you need to remember only the strong password you create to access the password manager. You can find dozens of password managers with an online search. We recommend device-based managers as opposed to cloud-based ones, provided you have device security protections in place.
The purpose of a phishing email is to entice the reader to click on a link or an attachment, opening the door for hackers to steal data or infect systems with malware. The Target breach and many others started with a phishing email.
Phishing emails come in many forms, notifying you of a package shipment delay, potential fraud on your credit card, or a lottery win, just to name a few. While many phishing emails are filled with misspelled words and grammatical errors, others are very well-written and look quite believable.
A targeted phishing email is known as ‘spear phishing’. This occurs when the email is not completely random but has relevance to the recipient. For example, if you receive a message that looks as if it came from your bank warning of possible problems with your account, you are more likely to heed the request to click on a link than if you receive a random message supposedly from a bank where you do not have an account. The ability to craft spear-phishing attacks to specific targets is why seemingly harmless breaches of email addresses can be dangerous.
Organizations use filtering to prevent many phishing emails from reaching employees, but some slip through in even the best systems. And it is quite difficult to get users to slow down and think before opening emails and clicking on links and attachments. Our company performs phishing tests for many of our clients, and even when the employees have been trained on the dangers of phishing, the click rate is still surprisingly high. In organizations with no training, the click rate can be alarming.
Remember, all it takes is a single click to potentially infect an entire network.
Malware, or malicious software, is installed without the user’s knowledge, typically from an attachment in a phishing email or a visit to an infected website. The user usually has no idea his or her computer has been infected, and the malware can stay dormant for months before it is used to steal data, including passwords, or to take over systems.
Another scary fact is that the bad guys no longer need technical expertise to write the malware. That’s because virtually anyone can purchase malware online; all that is needed is malicious intent and a few hundred dollars.
Misfortune Cookie, Poodle, Shellshock, Heartbleed, Freak, Venom, Logjam. This isn’t the band lineup for the latest Lollapalooza rock concert. These are the names used to identify computer vulnerabilities that millions of computer users are exposed to.
A vulnerability is a flaw or weakness in a system that hackers can exploit. Software is written and released much more quickly than ever before, so the risk of security holes is naturally greater. The vendor must provide an update or patch to close the hole, and then systems must be updated.
For many years, most vulnerabilities were found in operating systems (Windows XP, Windows 7, etc.), but individuals became accustomed to setting systems for periodic updates, somewhat diminishing the number of weak systems. So the criminals took a new approach and began to look for vulnerabilities in applications including Adobe Flash and Java, a common application module. Many individuals and organizations never update these applications because they are unaware of the risk.
The vulnerabilities discovered each day are astounding. These are known as zero-day vulnerabilities because a remedy is not available at the time of discovery. Organizations must keep everything—servers, workstations, laptops, routers, switches, firewalls, and even mobile devices—updated all of the time. This is a daunting task.
A 5-PRONG CYBERSECURITY BATTLE PLAN
Cyber risks are so great these days that management must get involved to ensure that appropriate mitigation strategies are in place. What can business leaders do?
Accept that your organization is at risk
This cannot be emphasized enough. CEOs, CFOs, boards of directors, managing partners, and other organizational leaders need to see cybersecurity as the huge issue it is and devote adequate resources to maintaining a secure environment. Executives don’t have to become computer geeks, but they can certainly learn the basics and what questions to ask.
Change starts at the top.
The CEO should not be exempt from the rule that passwords must be changed periodically. Management needs to establish and embrace a culture of strong security.
Educate yourself and your organization
Everyone in every organization needs security training. This means more than just sending out an email telling people to use secure passwords and to not fall prey to phishing emails.
The massive Target security breach started with an employee at one of the company’s vendors clicking on a link in a phishing email. Do your employees know how easily they could inadvertently open the door to such a cyberattack? Get that message across with ongoing cybersecurity training that covers new and old threats, defines the organization’s security controls, sets employee expectations, and explains the consequences for violating procedures.
Implement strong IT controls
Organizations need their IT department (or outsourced vendor) to implement and maintain a comprehensive list of data and network security controls. You usually won’t be responsible for directly implementing these controls or knowing exactly how they work, but it is helpful to understand enough to at least ask the right questions.
Among the basics you need to know are:
This first line of defense includes firewall and intrusion detection systems, in addition to intrusion prevention systems. These should be configured with appropriate restrictions to block and filter both incoming and outgoing internet traffic.
Endpoint security requires each computing device on a corporate network to comply with established standards before network access is granted. These measures protect the servers and workstations and include items such as administrative access limitations and anti-virus protection.
Part of the control environment should include a monitoring program for all IT systems that is frequent and ongoing.
Authentication and administration controls.
Authentication controls for the network and all critical systems should require complex passwords that expire periodically and restrictions on invalid login attempts, such as three strikes and you’re out. Strong controls over user administration are needed as well.
Incident response and business continuity.
Finally, each organization should have appropriate business continuity and disaster recovery plans that include specific incident-response procedures for dealing with a cyber event.
Stay current on updates and patches
Updating and patching are the responsibility of the IT department and actually fall into the above category of IT controls, but they are such a critical security component that they warrant a separate discussion.
Organizations must keep all systems up to date at all times.
That sounds simple—until you see the list of items that need updating. Among the items are firewalls, routers, switches, servers, workstations, laptops, tablets, phones, and peripheral devices such as printers and copiers. Management needs to ensure that IT—whether in-house or a vendor—updates all operating systems (Windows 8, Windows 7, etc.) and applications (Java, Adobe Flash, web browsers, etc.) with vendor-supplied patches. In addition, anti-virus/malware protection is needed not only for desktops and laptops, but mobile devices as well, including employee-owned devices that connect to the network.
Make sure IT establishes an inventory reconciliation, which ensures that all systems are protected. Encourage the IT team, or your vendor, to assign this role to someone—preferably not an IT “firefighter”—who has time to fulfill these duties.
If you outsource your network support to a vendor, make sure that your contracts establish and assign clear patching and updating responsibilities.
Test your security and controls
To determine its cyber security risk level, an organization should rely on two types of periodic assessments—vulnerability testing and controls testing.
Vulnerability testing involves the automated scanning of systems to determine if known vulnerabilities (security holes in software) are present. The tests should assess protections against threats both external (outside hackers) and internal (insiders or hackers that gain internal access).
Controls testing verifies that the controls described above are functioning properly. Many organizations undergo a review of select controls as part of their financial audit, but this does not typically look at the entire environment. High-level oversight should ensure that IT promptly remediates any issues discovered during testing.
Organizations also need to regularly assess vendors that either host their data or have access to them via internal systems.
KNOWLEDGE IS POWER
The scope of the cyber security threat can be staggering. A good analogy is the story of the little Dutch boy who put his finger in a leaking dike, a small effort that helped prevent a huge disaster. What would have happened if the little boy had not acted? Even worse, what if there had been many more holes—ones no one realized were even there? The results could have been disastrous.
That’s the situation facing many, if not most, organizations of all types, . In my company’s information technology security reviews for organizations, no matter what type of entity they are or what industry they are in, a first-time check of their IT defenses usually reveals several security issues that need to be addressed.
Cyber security is a daunting challenge—one without a foolproof solution. The good news is that you can help your organization take steps to bolster its defenses. In the end, your organization can’t eliminate the threat of cyber attacks, but a mix of education, controls, and testing can significantly reduce the risk.
NOTE ON PASSWORDS
We recommend that you should create passwords that start with the same lengthy prefix, such as a childhood telephone number, for example, ‘5044201995’ or ‘password4site’. Follow this with the name of the account, such as Gmail, Amazon, or Facebook. Finally, end with a four-digit personal identification number (PIN). The results are strong lengthy passwords that you have a good chance of remembering, such as the examples shown below:
Gmail account password: passwords4sitedelta7543
Amazon account password: 5648214569amazon9312
Facebook account password: passwords4sitefacebook5547
Using this approach, the PINs are all you need to remember, and because hackers don’t know the length we use, these passwords are very strong. With so many passwords today, this approach gives you a good chance to remember them.
Because uppercase and special characters are more difficult characters to type, especially on a smartphone, you can avoid these characters unless they are required.