Is your business prepared for a cyber threat? Here are some considerations to help you understand the important dynamics of your security posture strategies:
- End users are the number one security risk in any organization
- Your security strategy needs to be adaptable to a changing threat landscape
- BYOD, 3rd-party cloud and social media are accelerating risk factors
According to a recent analysis by Ponemon Institute, a single cybersecurity attack costs an average of $3.62M US / €4.31M EU. Can your business afford a loss like that?
Recent attacks on business
In the past several years the list of companies that have been hacked has grown rapidly—but you only have to look at the first six months of 2017 and its numerous cybersecurity meltdowns to be convinced that it’s time to make security a high priority.
Here is a re-cap:
- Cloudbleed: In February, Cloudfare, an internet infrastructure company, announced a bug had caused random leakage of potentially sensitive customer data.
- Shadow Brokers: This group first surfaced in August 2016, offering the world a sample of allegedly stolen NSA tools.
This April they made their biggest impact by “outing” a particularly significant array of alleged NSA tools, which included a Windows exploit called EternalBlue. Hackers have now used this same tool to infect targets in 2 high-profile ransomware attacks (see below).
- WannaCry: On May 12 this strain of ransomware hit hundreds of thousands of targets around the world. It walloped public utilities and large corporations, as well as Great Britain’s National Health Service hospitals and facilities.
WannaCry’s long reach was, in part, due to Shadow Broker’s leaked EternalBlue information.
- Petya: Just a month or so after WannaCry, another wave of ransomware infections spread, also leveraged, in part, by Shadow Brokers’ leak.
This malware was more advanced than WannaCry, and has infected many countries—the United States’ pharmaceutical company Merck, Danish shipping company Maersk, Russian oil giant Rosnoft, as well as the country of Ukraine, hitting their infrastructure particularly hard.
- Unicredit: The Italian bank reported biographical and loan data for 400K client accounts was stolen in hacks in June and July. These follow on attacks that took place in September and October of 2016.
- CEX: Just two days ago, as of this writing, one of Britain’s largest retail franchises, CEX, was hit by a data breach that may have compromised the information of as many as 2 million customers – including personal details like names and addresses.
- 198 Million Voter Records Exposed: On June 19, researcher Chris Vickery announced he had discovered a publicly accessible database that contained the personal information of 198 million American voters.
This database was hosted by Deep Root Analytics on an Amazon S3 server. The politically conservative data firm had misconfigured their database.
While some data on the server was properly protected, more than a terabyte of sensitive voter information was left accessible to anyone on the web.
Deep Roots Analytics reported that their site was not accessed by anyone but Mr. Vickery—but that much unprotected, revealing information would be a boon to any cyber criminal.
The 2016 Verizon Data Breach Investigations Report states that web application attacks represented 40% of all data breaches last year, which makes them the most exploited means of illegal entry by hackers.
Criminals target businesses
So, how do you keep “the bad guys” away?
Companies need to learn to address these threats—hackers set their sights on l companies that are poorly protected.
Major hacks, ransomware, and phishing are all on the rise. Many organizations mistakenly believe this happens only to “other” companies. When an attack like WannaCry cripples the UK’s public health system and emergency rooms, that is international news. An attack on a midsize business with 500 employees won’t make headlines anywhere, but according to the 2016 State of SMB Cybersecurity Report, half of all small businesses in the US were breached in the last 12 months.
Their European counterparts are seeing a significant increase in criminal activity such as CEO fraud, human error [social engineering], distributed denial of service attacks and incidents of hacking and ransomware.
Strategies for a strong security posture
Here are some strategies to consider while evaluating your company’s security needs:
This is obvious, but build the highest quality network possible. Pennywise is pound foolish.
That doesn’t mean you have to build Fort Knox and spend all your money on security at the expense of your product. Build a system you have the budget for, but don’t forget about security. Don’t make the mistake of the Deep Roots Analytics group and leave yourself wide open and unprotected.
Perform your software updates.
Encrypt your customer’s sensitive data.
Steve Cullen, senior vice president of worldwide marketing for SMB and. Cloud at Symantec, which puts out the Norton anti-virus software says, “Anytime you’re storing important data when the data is at rest—which means it isn’t being transmitted over the internet somehow—you want it encrypted.”
The greatest security risk to your website is people—both employees and users. You must train employees, update employee policies, require them to change passwords or go through multiple levels of authentication. All users must be informed and educated.
Symantec’s Cullen says, “You shouldn’t be the only one vigilant about protecting you and your customers’ information. Your employees should all be on the lookout, and you as a small-business owner should be there to give them guidelines.”
Do your employees bring their own devices to work? Do they use their own smartphones, tablets, even their own personal computers? If so, your company needs policies that regulate what data employees can access and what happens if an employee’s device is stolen, lost or compromised.
There is a lot of advice out there to “think like a hacker.” That is easier said than done. But you could hire one. There is an ethical community of hackers called security consultants who are paid to test systems. They are even certified by the International Council of E-Commerce Consultants.
The best idea may be to sign on with an Internet-based data-security provider, one that gives you real-time threat intelligence (TI) or join a community of cyber-security experts through an external threat protection service provider.
“They can offload a lot of the burdens that a small [or midsize] business doesn’t, frankly, want to deal with,” says Cullen, who ran his own company before joining Symantec. “I know it wasn’t something that I wanted to spend two minutes thinking about.”
In order to properly track persistent threats, you need data that is:
Additionally, your TI must recommend remediation. This includes things like how to block malware from entering your network.
Be sure to do your homework.
What are the necessary conditions for a Midsize business to adopt TI, which for now has almost exclusively been the domain of LARGE business? TI is simple, affordable and much more reasonable for small IT security teams to implement and benefit by. It provides access to a pool of highly targeted specialists.
Different vendors provide different protection, tools, and services. Make sure you understand what you are paying for and how much protection you are getting.
The Bottom Line
You cannot assume you won’t be targeted. You can no longer feel protected by simply installing an antivirus software program. Proactive steps must be taken to identify and shore up vulnerabilities to save your business from a full-on cyber disaster.
For more information about how Blueliv can assist you with setting up your cyber security program, please feel free to reach out. One of our analysts will be happy to find the best solutions for your business.