We have all hear the stories on the Internet, a daily occurrence of “X” was hacked, broken into or compromised and thousands of records were stolen. Sometimes it is blatant stupidity, other times it is a concerted targeted attack on an individual either way the protections and systems failed in some way. The criminals have got through not only the first layer of defence but all the way into the inner sanctum of the data’s location. All very bad for business.
Most of the time this happens due to a number of factors, some of which are easier to control that others. How do the bad guys exploit those vulnerabilities and get past that first level.
What are the Cybersecurity opportunities
There are a huge number of cybersecurity opportunities for the cyber criminal to gain access to a corporate network. A attack will consist of some of the following:
- A scripted attack targeted at known vulnerabilities by a large number of coerced systems. (Bonnet and script kiddies)
- A publically announced attack targeted on DDOS attack vectors using ION cannon type attacks (anonymous)
- A bot net attack targeted at the application level of the Internet based system
- A cloud based attack vector using bot net and coerced systems
- A surgically targeted attack at a specific level or target
- A social engineered attack targeted at a specific person or persons.
- Industrial espionage – USB key in the car park of the business.
All of these targeted and random attacks have a number of features in common. They are looking for the following vulnerabilities:
- Passwords – easy passwords or default passwords that have not been changed
- Elevated rights – users with rights well above what is required to do their job or administrators using admin accounts for everyday requirements.
- No auditing or alerts -people being informed when something is happening
- Lack of patch management – having computer systems that have no patch or updates applied.
- Lack of required technology – this is not about spending large amounts of money on front facing systems, this is about strategic implementation of technology, defence in depth.
How do you reduce the Cybersecurity opportunities
So, to focus on these five vulnerabilities, there is a pattern developing that actually comes down to training and awareness.
The largest problem for a business is to get in front of your staff and educate them in how vulnerable they really are to cyber attack. This is an important process within your business. It allows you to not only interact at a different level with staff and management, but it also builds a better business culture. Everyone knows that during these “sessions” you are all there to learn something.
An initial training system, followed by a fortnightly, monthly or quarterly cyber security training session takes the cyber crime awareness within your business to a higher level of protection. This then impacts the rest of the business. Your staff knows that you are deploying better security within the business which can be used in a number of ways, the most noticeable is in marketing.
What can you do
Train your staff. I will say it again TRAIN YOUR STAFF. Think of it as boot camp, basic training. When a new staff member joins your business, they have to forget everything about security from whence they can and learn your way. To do that the faster you get them up to speed with security the faster they will be part of your security envelope.
Once you get them to that level then you need to go that extra bit further. Constant reminders about social media, passwords, email, phishing attacks and malware reinforce the notion that you want them to be safe.
So you have now trained them, the next stage is to make it fun. Run a competition daily asking security questions, first correct answer gets a $15 iTunes card or the like. Increase it to a monthly competition – best of each month gets a plaque as well as a weekend pass to the gold coast.
Be creative, but be persistent. Put A3 / A2 security posters around the office. The defence forces do it because it is effective, it is also inexpensive. The ideas is to bring security into the everyday. This is what they can do to protect themselves, the spin off from that is they then protect the business.