Twitch has provided an update on a security leak it experienced earlier this month, confirming it did not expose users’ login credentials. In a…
Cyber security issues aren’t limited to paranoid whispers within the tech community. President Barack Obama and his administration identified cyber security as one the most serious economic and security threats to commerce.
If you don’t think your data is at risk, you need to understand that in the Information Age, data is currency. This is especially true in business, where you’re dealing with contact, credit card, banking, and other sensitive information about your customers and employees. Not making security a critical part of your infrastructure is the equivalent of leaving your house unlocked and placing a neon sign that asks people to take all your belongings in your lawn.
Data breaches sometimes occur as the result of the most innocent lapses in judgment, but the reason is irrelevant to the customers and employees you put at risk when data is compromised. Target’s data fiasco late last year showed everyone the importance of revisiting your enterprise risk management (ERM) strategies and business continuity plans to try to eliminate the risk of security breaches.
They’re putting the potential cost of the breach in the range of US$500-million to US$1.1-billion, and the company is being dragged in front of the Senate to account for how it handled the event.
Here are the three mistakes that make your data — and your company — most vulnerable to cyber attacks.
1. You underestimate threats inherent to your infrastructure
You handle money, no matter what type of business you run, yet you may not consider that the information on your computers and network is much more valuable than any single transaction you make. You have consumer data, user names, passwords, IP addresses, and even multiple computers and nodes connected to the internet — all ripe targets for any attacker. (Botnet attackers love running from remote computers as every free resource they can get their hands on increases their ability to do evil.)
Fifty years ago, if you’d opened a business, you would have scouted a prime location — not a building in a back alley known for its high crime rate. But the internet is that back alley, and users are bombarded by attacks every day.
In 2002, I brought up a server and monitored port and socket traffic. Even a decade ago, the instant it was connected, it was under siege by malicious bots searching for vulnerabilities. That issue has just grown exponentially over the last 10 years. Any resource online is a rich target that needs to be protected. It’s your responsibility to ensure that your environment is safe by constantly monitoring, tracking, signing, and analyzing your data and computer nodes. Taking an all-encompassing approach allows your business to build a secure foundation for your infrastructure and data.
2. You protect your network, but not your data
The latest Apple vulnerability is an example showing that encryption doesn’t always protect what you think it will protect. You need several layers and can’t rely on any single security technology.
This over reliance on encryption, and not on the authority of data itself, means that people can alter data once they’ve gotten access. If you don’t monitor and audit that data, anyone can change it without your knowledge. This can come in several forms:
- Forging documents or emails as if they were yours
- Altering binaries and putting Trojans on your network
- Changing the results of any data platform you may be using for metrics
- Altering financial data to their own end
Often, you can’t stop these things from happening. But you can know when they are happening and make the choice to react and take steps to protect you and your company.
It’s important to know what you’re up against. The coordination and level of breach Target experienced is not uncommon. If you’re the chief information officer of any Fortune 100 company, people will have eyes on you. The attacks won’t be simple, and the hackers will play the long game, taking however much time is necessary for a financial payout.
It’s also not just about encrypting your data: Make sure that you sign your data to be able to have veracity. This includes all your applications, documents, and anything that is material to the business. Follow best practices for user authentication, and update your programs and software. Train and educate your staff, letting everyone know that they’re part of ensuring a safe environment within your company. You never know when attackers will strike, and they will strike where you least expect it.
3. You don’t have a proper continuity plan
It’s not a matter of whether you’ll be attacked, but rather when and how often. Just like a natural disaster, major traffic accident, or war, your business needs a continuity plan in place to respond quickly to cyber attacks. Your reaction time is your second-best security system (remember that monitoring and tracking your connections and data is first), so make sure operations, legal, PR, and everyone else in the business is on the same page and able to smoothly manage the transition from “business as usual” to “Houston, we have a problem.”
Your customers are aware of the data risks, and they expect these types of attacks, so it’s not the breach itself that will cause them to lose trust in you. Rather, it’s your response. If your machines are compromised, it’s better to raise alarms early and be transparent than to be called out later for ignoring, covering up, or even causing a data breach. Remember: It’s much easier for people to change a password than to stay on the phone with their credit card company for hours, disputing fraudulent charges.
Security requires an investment, and the ROI is hard to judge. Perhaps you have an insurance plan through a team of dedicated professionals, or perhaps you’re being hit up for “protection money” by one of Nucky Thompson’s goons on “Boardwalk Empire.” Either way, hackers are a real threat to your data. People want your information, and they’ll be waiting for a lapse in your security. Don’t give them an easy in.
What best practices do you teach your employees to proactively protect your company from cyber attacks?