Let’s Talk About IT Security
IT security and cybersecurity are a set of strategies that prevent unauthorized access to organizational assets. These assets are browsers, computers, networks, and data. The goal of IT security is to maintain the accessibility, integrity, and confidentiality of sensitive information. IT security blocks hackers’ access, educates your organization, and prepares you and your organization for when something goes wrong. These days it isn’t a matter of if, it is when you have an issue.
Seems counterintuitive for an IT company to tell you that you’re going to have an issue at some point with IT security, doesn’t it? Here’s the thing – we all agree and know that 95% of all breaches are caused by human error. You employ humans, not robots. Humans make mistakes. Preparing for an incident isn’t conceding failure; it’s a safety net, a risk mitigation strategy, and due diligence for your business.
Who’s the Dude in the Hoodie?
Ever notice anytime you see IT Security, Cybersecurity or Cybercrime in the media you get a visual of a guy in a hoodie? He’s behind his PC and a wall of code, sitting in his mom’s basement. That’s not really who commits this type of crime anymore. The who and why are a lot more complicated. For starters, it can pay really well. Let’s look at the objectives behind a few of the most common types of cyber attacks. Every type of attack or attacker has an objective, especially in a business environment.
Types of Cyber Attacks
There are a number of categories for cyber attacks. Enough that I could write about them longer than you’d want to read about it. We are focusing on the top three you’re likely to see in a business environment: financial gain attacks, nation state attacks, and corporate espionage.
The financial gain attack is what it sounds like. These types of attacks are out solely for financial gain. How can I get the average person to hand over the most money as fast as possible? When you think through that objective, the criminal decides what would make the average person do something they normally wouldn’t. Preying on emotions like guilt/fear, desire (catfishing), excitement, and trust is typical for getting your money.
Nation state sponsored attacks are their own animal. These attacks are not perpetrated by the guy in the hoodie. They may be government sanctioned attacks carried out by well-paid, well-educated coders. The attacks can have multiple motives and/or attack vectors. Most often they are designed for chaos and havoc while they are stealing data. But what types of data are they interested in? What would another nation want? Intellectual property they could exploit, resell, or use to gain market share. Sensitive data like legal matters, financial data, consumer data and personally identifying information that could be used for fraud.
Corporate espionage or corporate spying has reached new levels recently. Literally, with drones. A drone was used to hack Wi-Fi and transmit data out of the company’s secure network from a NYC skyscraper. Typically corporate cybercrime is about getting trade secrets or sensitive market data, or doing damage to files, websites and the like. Sometimes this type of attack is done by an outsider, but most often by a disgruntled employee.
Security Across the Ecosystem
Securing the ecosystem is a fancy way of saying make sure everything in your environment is as secure as you can make it. Most companies, including us, pursue that goal through a multitude of measures.
Starting with patch management, we ensure your devices are up to date with the latest fixes for the software they run. Then, we look at firewalls to control and authenticate the traffic coming in and out of your network, so you have an idea of what’s coming and going from your environment. A comprehensive anti-virus product that watches the files your users touch as well as user behaviors helps to identify malware infections and potential breaches. Next we look at the protection of data at rest and in transit, including cloud based information, with types of encryption. Intrusion detection identifies unusual behavior in the ecosystem, so that an actual intruder can be told apart from an employee working late. Lastly, we look at user authentication that isn’t simply password based.
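To make the intrusion detection point concrete, here is an added example (not the company’s product or any code from this post) of the kind of rule a detection tool applies to login records. It assumes a simple, constructed log format (`timestamp login user=… src=… result=…`), assumes business hours of 07:00 to 20:00, and treats an IP address as “known” once a user has logged in from it successfully. A login after hours from a known address (the employee working late) passes quietly; a login after hours from a never-seen address, or a success right after a burst of failures, raises an alert for a person to review.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for this example; not real traffic.
# alice works late on 03-05 from her usual address; bob's account is reached
# at 02:14 from a new address after three failed attempts.
SAMPLE_LOG = """\
2024-03-04 09:02:11 login user=alice src=10.0.0.12 result=success
2024-03-04 09:15:40 login user=bob src=10.0.0.27 result=success
2024-03-05 08:58:03 login user=alice src=10.0.0.12 result=success
2024-03-05 21:40:10 login user=alice src=10.0.0.12 result=success
2024-03-06 02:13:55 login user=bob src=203.0.113.45 result=failure
2024-03-06 02:14:02 login user=bob src=203.0.113.45 result=failure
2024-03-06 02:14:09 login user=bob src=203.0.113.45 result=failure
2024-03-06 02:14:31 login user=bob src=203.0.113.45 result=success
"""

# Assumed log format for this example.
LINE_RE = re.compile(
    r"^(\S+ \S+) login user=(\S+) src=(\S+) result=(success|failure)$"
)


def parse_line(line):
    """Turn one log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "user": m.group(2), "src": m.group(3),
            "ok": m.group(4) == "success"}


def detect(log_text, business_hours=(7, 20), fail_threshold=3,
           window=timedelta(minutes=5)):
    """Scan log lines in order and return a list of alerts.

    business_hours: (start_hour, end_hour) treated as normal working time
                    (assumed values; tune to the organisation).
    fail_threshold: failures within `window` before a success that count
                    as a suspicious burst.
    """
    start, end = business_hours
    known_ips = defaultdict(set)          # user -> addresses seen succeeding
    recent_failures = defaultdict(deque)  # (user, src) -> failure timestamps
    alerts = []

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # unparseable lines are skipped, not silently trusted
        key = (ev["user"], ev["src"])

        if not ev["ok"]:
            recent_failures[key].append(ev["ts"])
            continue

        reasons = []
        after_hours = not (start <= ev["ts"].hour < end)
        new_ip = ev["src"] not in known_ips[ev["user"]]
        if after_hours and new_ip:
            reasons.append("after-hours login from an address never seen "
                           "for this user")

        # Drop failures older than the window, then check what remains.
        q = recent_failures[key]
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= fail_threshold:
            reasons.append(f"{len(q)} failed attempts within {window} "
                           "before this success")
        q.clear()

        # The address is now part of this user's baseline either way;
        # an analyst reviewing the alert decides whether that is right.
        known_ips[ev["user"]].add(ev["src"])
        if reasons:
            alerts.append({"ts": ev["ts"].isoformat(sep=" "),
                           "user": ev["user"], "src": ev["src"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["ts"], alert["user"], alert["src"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

Run against the sample above, only the 02:14 login on bob’s account is reported, with both reasons attached; alice’s 21:40 login from her usual address is not. The baseline of known addresses is learned from the log itself, so a real deployment would seed it from history and have a person confirm or reject each alert.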
Unfortunately, we live in a world where we have to assume everything is a threat. Teaching your staff to do the same is the next step.
Educating Your Staff about IT Security
Your staff hears about breaches, hackers and that dude in the hoodie every day from the media. They think they know all there is to know about it by now. However, the truth is knowing about it and recognizing it are very different. Educating starts with conversations about the state of cybersecurity. Getting them to understand what it is, letting them ask questions and see some examples. The real education starts after that with testing them. Have a product that can send them phishing emails to train them about what they look like in their inbox. You can then see how they interact with it. From there, remedial training can be assigned to a user if needed.
Circling back to the beginning of this post, we know that it’s not a matter of if something happens, it’s when. This raises the question of what your plan is when it does. While you may not be able to think through every possibility, you do know what types of things make you vulnerable. What data do you store, is it personally identifying, what compliance requirements do you fall under? Make sure that you and your CIO are on the same page about your vulnerabilities. Work to secure them as best you can. Then, decide what the plan is for when an employee makes a mistake.
If you’d like more information on IT Security, or would like to attend a live Cybersecurity event, check out our Event Page for our next live Hacking the Hacker event. In the meantime, you can catch Episode 1 of Defence against the Digital Dark Arts on our YouTube Channel.