2015 is the Year of the Sheep according to the Chinese calendar. The Chinese are known to be particularly superstitious, so I’m told they aren’t necessarily looking forward to a prosperous new year. It’s not that sheep are bad luck, but legend has it that only one out of 10 people born in the Year of the Sheep will find happiness in their life. Perhaps that gives many of us in the IT world a reason to look at the year ahead with an equally dour, if not downright fearful eye. If recent history is any indication, 2015 may go down as the Year of the Hack.
The devastating cyberattack on Sony Pictures Entertainment and the studio’s initial decision to pull “The Interview” amid threats to moviegoers has taken on a life of its own with charges and countercharges being lodged by the company, the U.S. government, the hackers, and their North Korean sponsors. We’ll leave the argument over reactions and punishments to the pundits, but there is no doubt that the issue of cybersecurity is now front and center for companies of all sizes.
2014 left businesses like eBay, Target, and Home Depot reeling. Restaurant chains like P.F. Chang’s and Domino’s Pizza were targeted and were threatened to pay up, or else. A “state of the Internet” report by Akamai Technologies showed hacker attacks on websites in the third quarter of 2014 up by 400% over a year ago! Here’s the bottom line. If your business or institution has a website or even an internet connection, you’re a potential target.
“Computer networks were designed by human beings,” says Duane Norton, Director of Technology for a national IT networking firm and a fifteen year veteran of the cyber-wars. “If a person can build it, another person with a different agenda can usually figure out a way to infiltrate it. The key is to make it as difficult and time consuming as possible, so the hacker moves on to a more vulnerable target.”
Norton and his colleague. Director of Technical Services Gerry Gosselin recently put together a presentation entitled, “Cybersecurity: IT’s Everyone’s Business,” and delivered it to a group of small and mid-sized business leaders concerned about the potential impact on their organizations. Not surprisingly, most were amazed that their companies, a bank, a college, even a small insurance agency, were shockingly at risk to a cyberattack.
Norton and Gosselin say the direct costs of a security breach are far more than just identifying and plugging the leak. “Once you conduct your forensic analysis, you’re just getting started,” says Gosselin. “Identifying victims (both inside and outside the company), legal fees, PR services, delivery of required disclosures, and the cost of providing identity and credit protection are next. Add to all of that, the staff time devoted to handling the incident, lost business, lost customers, lost data and intellectual property, it’ll be all you can muster to keep from losing your reputation too,” he says.
Data breaches occur when a hacker gains access to an inside resource. Once inside, they’ll move laterally, looking for a password or security vulnerability that allows them to escalate their privileges and navigate anywhere they want to go.
Norton and Gosselin offer up the following tips for strengthening your cybersecurity efforts from a technical perspective.
- Enforce a strong password policy, asking employees to change them every month.
- Conduct regularly scheduled perimeter and network security audits by qualified outside firms (your internal IT staff is often “too close” to recognize vulnerabilities).
- Install software patches as quickly as possible.
- Centralize your anti-virus and anti-malware programs.
- Reassess your system monitoring and logging procedures.
On the strategic side, bring IT into the business mainstream. Don’t just tell your IT people what to do, allow them to be a part of business decisions with security a key concern. Tell them what you’re protecting, and why. Make sure all employees understand that cybersecurity is everyone’s business. You’d be surprised at the percentage of attacks that originate by someone simply leaving a cell phone or tablet in a taxi, having a list of passwords pinned to the wall of a cubicle, or forgetting their ID at a cybersecurity conference (yes, Gerry and Duane found someone’s security card on a chair at the end of their presentation!).
2015 is the Year of the Sheep. Don’t be sheepish when it comes to IT security. Happy New Year.