Cyber security is big news these days and a major threat to all organizations, as criminals attempt to hold computers—and your business—hostage in exchange for payments in bitcoin before they release their stranglehold on your bits and bytes.
This is serious stuff, as global companies like Target and Home Depot, government departments, and even private businesses are the targets of these attacks.
You need to protect your business. And, you need an expert to attest that your business is secure, or at least as secure as it can be, given the inherent risks of having humans interact with systems.
I spoke with several experts regarding cyber security recently, and here is their advice for protecting your business and computer systems.
Brian Martens, owner of Net Results, advises his clients to apply common sense. “The simplest way to keep the bad guys out is to use powerful passwords and change them frequently,” says Brian.
“Another simple and important step is to keep all software, operating systems, and anti-virus software up to date.”
Training your employees to open only emails from known sources, and not to click links to websites embedded in emails, is a low-cost and highly effective protection method. Otherwise, clicking on unknown links is like telling the bad guys, “Yep, we’re here, come on in, and take what you want,” he says.
“The key is to encourage an environment of knowledge and understanding around the end users,” he advises.
Another sneaky method the bad guys and their computer robots use to get into your system is “injection attacks,” according to Praveen Puri, president of Puri Consulting in Chicago. An injection attack is when hackers go to a user entry form and, instead of entering data such as a name, type computer or database code, such as a command to change a password or create a new login.
To prevent injection attacks, your software developers need to follow industry standards by using parameterized queries, which force user input to be treated as data and never as code.
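As an added illustration of the parameterization point above (example code written for this article, not from Puri Consulting or any product named here), the same lookup against a constructed SQLite user table is written two ways: one that pastes the typed value into the SQL text, and one that passes it as a parameter. The table, the names in it, and the inputs are all constructed for the demonstration.

```python
import sqlite3


def build_db():
    # Constructed in-memory stand-in for a real user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "staff"), ("o'brien", "staff")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    # String concatenation: whatever was typed into the form becomes part of
    # the SQL statement itself, so the database parses it as code.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    # Parameterized query: the statement is fixed and the value travels
    # separately, so it can only ever be compared as data.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demonstrate():
    """Run both lookups on an ordinary name containing an apostrophe and on
    input that contains SQL syntax; return the outcomes for comparison."""
    conn = build_db()
    results = {"safe_quote": lookup_safe(conn, "o'brien")}
    try:
        results["unsafe_quote"] = lookup_unsafe(conn, "o'brien")
    except sqlite3.OperationalError:
        # The stray quote breaks the statement: a real customer cannot log in.
        results["unsafe_quote"] = "error"
    # Constructed input mixing SQL syntax into the form field.
    syntax = "nobody' OR '1'='1"
    results["unsafe_syntax"] = sorted(lookup_unsafe(conn, syntax))
    results["safe_syntax"] = lookup_safe(conn, syntax)  # no such user
    return results


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name}: {outcome}")
```

The string-built query both fails on a legitimate name and returns every user for the input containing SQL syntax, while the parameterized query handles the first correctly and treats the second as an unmatched literal.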
An effective strategy is to “use multiple layers of security and backup and not just rely on a single virus detection software,” advises Kevin Pare, owner of KSP Technology. A layered approach to security includes using up-to-date anti-virus software, having multi-tiered backups including offsite backups, filtering all email using a product like Barracuda, and monitoring your entire system. “You need to make sure the duplicate backups are being done and properly stored, and the entire system is monitored in real time,” says Kevin.
Michael Parent is a professor at Simon Fraser University and an instructor at the Institute of Corporate Directors, where he taught us about cyber security recently. His presentation was fascinating and scary. His main message was that complacency in IT departments and ignoring initial alarms can cause serious problems later. Approximately half of breaches are internal, due to the people problems identified above. The IT system needs to be aggressive in monitoring and dealing with the initial stages of intrusions; this is the idea behind the kill chain, which treats an attack as a sequence of stages, each of which is a chance to detect and stop it before it progresses.
For example, the recent data breach at Target, the retail company, was caused by poor protocols at a vendor that had access into Target’s system, even though the vendor allegedly followed basic protocols.
In conclusion, the biggest risk is your people. We, as humans, all have biases and fears, and want to protect our egos and our jobs. It’s not natural to want to tell your boss about something bad happening. Your system needs to overcompensate for the weaknesses of your humans.
As Professor Parent says, “a lot of people get religion after they’ve been hacked.”
Why wait? How effective is your cyber security? How effective is your overall enterprise risk management plan?
If you’d like help identifying and mitigating your risks so you can protect your business, give me a call or send me an email at [email protected].
Thanks for reading! Please feel free to share this newsletter.