We work with hundreds of organizations and I’m always amazed at how little management thinks about or prepares for some kind of security breach. I’ve seen more than a few companies spend more on a single piece of artwork for the lobby than they spend all year on IT security measures. The common refrain centers on “we’re too small to be a target”, or “I’ve got a firewall and anti-virus software, that’s enough.”
We recently saw a mid-sized organization with no anti-virus and virtually no user policies experience a “hostage-ware” attack that literally shut them down for two full business days. Did they then see the value of IT security? You bet!
I wish I could say that this was a rare event, but it isn’t. Many organizations under attack don’t even know it. How could you, if you don’t have the security measures to detect an intrusion?
Hackers gain easy access through three pathways – people, processes and systems.
The easiest way is the “people” route. Roughly 80% of breaches come through someone with authorized access.
- Negligence – simple negligence by leaving devices unattended or information in clear sight. For example, I see passwords taped to screens all the time!
- Disgruntled Employees – real or perceived inequities generate a lot of this.
- The Candy Drop – hackers provide CDs or thumb drives to event attendees loaded with malware.
- Phishing – everyone has seen these: that cool offer or spoofed vendor message that people willingly click to open.
- Greed – employees willingly selling access information.
Weak processes are another great way to remain vulnerable.
- Weak Network Access Controls – If you don’t have restricted access, robust firewalls, segmented and secure networks and applications and active traffic monitoring, you have weak access controls. If all of these terms sound Greek, I’d be concerned.
- Insufficient Physical Access Control – ready access to offices makes equipment theft a lot easier.
- Poor 3rd Party Security – This is the CLOUD. Vendors can be all over the map when it comes to security and data leakage.
- Insufficient Business Partner Access Controls – malware inserted into business-to-business data transmissions can be easy. Do you have any security policies or testing related to your business partners?
- Weak Employee Onboarding and Termination – People with a questionable background should not have system access. If someone is terminated, did you lock them out correctly?
- Poor Training – your employees and contractors must be trained and aware of the risks, obligations and policies of your organization.
- Poor Equipment Disposal – Many companies forget to wipe equipment before it’s recycled. With all of the “Bring Your Own Device” permissions, this can be a huge challenge.
The last area concerns System Safeguards.
- Hacking as an Industry – Billions of dollars are stolen every year. Hackers are sophisticated and systematic. Organizations are scanned, sometimes daily, to see if they’re susceptible to security holes. Once access is established, malware is inserted to either run immediately or lie dormant for weeks or months.
- Vulnerable Customer and Web Portals – unattended security holes in portals are a frequent path to hacking.
- Insecure Mobile and Teleworker Access – work-from-home and BYOD are great benefits, but must be secure. Unsecured Wi-Fi allows hackers to gain access to logged-on devices.
The notion of “If” versus “When” comes to mind. After 27 years in the industry, I see security hacks as reality. When they occur, are you prepared? What are you doing to be ready? Look at your IT Business Plan. Where is security as a priority?
Tim Krueger, PEI