Imagine learning there has been a string of break-ins in your neighborhood. Imagine being surprised when it happens to your house – despite your lack of security cameras. Similarly, businesses often wait until it’s too late or there is an issue to become “proactive” about a problem or underlying threat.
The truth of the matter is, those burglaries didn’t seem real, until they literally hit home. It’s eerily similar to the way organizations have been operating for years; a security strategy is non-existent until there is a rushed or panicked NEED for it. More often than not, companies consult with security specialists when they have a problem, and surprisingly enough, many do not take advantage of a guided plan regardless of the potential consequences.
Why it is, as home owners and as business owners we think that the problem will just go away, fix itself or never really affect us? The most likely answer is the lack of knowledge around threats. Homeowners know they have to lock their windows, doors, and potentially leave lights on to scare off intruders, but for businesses, there are multiple areas of vulnerability. Some areas include employees – both remote and in the office – on whom hackers have cashed in during this pandemic.
Hackers taking advantage of your untrained employees could be just one piece of a disastrous and costly puzzle. What about the outdated hardware and software on every computer that is not taken into consideration? Patches, upgrades, outdated devices – while these things could literally and figuratively be collecting dust, they could also be threatening the security of your business.
Here is another analogy for you, security – or lack thereof – is like peeling an onion. You get through the very obvious outer layer (your employees) only to find a green, unusable layer below it (your outdated hardware/software). Stick with me here. You’re then relieved to get to the next layer (because your eyes have been burning since taking the onion out of the cabinet) only to find, that thin, sort of slimy, inedible piece of onion is the lack of security monitoring on all of your systems. At this point, you’re glad to salvage the rest of this onion because you’re ready to boil this chicken soup, but now you’re slightly underprepared with only a few pieces of a crucial vegetable. Lacking in layers of flavor for your chicken soup is very similar to lacking in a security strategy.
Putting analogies aside, real examples of businesses falling prey to attacks are everywhere. The 2017 Maersk hack is a good, worldly example, because according the LA Times, it cost Maersk $300 million and 2 weeks of interrupted business. Additionally, the catastrophe was escalated because of how many layers it contained – or lack of security layers – that contributed to it.
In this instance, there was no real way to pinpoint exactly where it started, who it started with and how exactly it all happened. We can only assume that there were multiple layers that contributed to the downfall.
What sort of tips do we recommend to prevent any sort of attack – large or small?
The best way to future planning is to take a consultative approach to your business. Talking about and discovering the different areas of your business that could be left susceptible are the first steps. Then, figure out what risks may lurk in those areas. Lastly, creating a roadmap or plan for a security strategy or overall initiative is the best bet to incredible protection.
But let’s break it down further. In the case of Maersk, there were a ton of employees all over the world. There were many devices, servers, networks and potential risks.
Where do you start when you want to think about security?
Tangible, physical risks
As previously mentioned, your devices’ hardware and software contribute to the list of places that need to be protected and could potentially leave you at risk. Hardware updates are imperative, because a poorly operating machine is putting your business at risk, and the software that is installed on it tends to be forgotten about because it runs in the background. Continued updates to the software ensure that all patches and upgrades are made in order to keep your system safely running.
The end-of-life for Windows 10 is a great example of a regular piece of software many businesses have, and when support ended this year, no more security patches were available. In the Maersk instance, the ransomware attack took advantage of non-updated vulnerabilities such as Microsoft. This leaves systems vulnerable to hackers because it gives them a way in. It would be great if we could set it and forget it, but unfortunately software companies initiate updates to make sure the technology is keeping up with your business. Making sure these updates are a priority is imperative.
Scanning, Discovery, Planning – oh my!
While all three of these things are not nearly as scary as lions, tigers and bears, the lack of their existence can be as destructive as all three wild animals. Continuous vulnerability scanning is a proactive approach to knowing your risks and then remediating them. Vulnerable systems could have contributed to the Maersk hack, considering how quickly the virus was able to spread. In fact, it seems that it moved laterally, indicating a worm that was able to penetrate all systems quickly, easily and undetectably. The ransomware seemed to have started with one computer, but quickly moved to other vulnerable systems.
Once detected and escalated, a situation can be discovered and steps taken to reduce the damage. With a Security Information and Event Management (SIEM) solution in place, a worm, virus or any other anomalies can be recognized and escalated to the appropriate party. But without a security strategy that includes a SIEM solution and an incident response plan, a real threat turns into a hack and a huge headache for any business owner.
Safely exploit your business
This may sound absolutely crazy, but there is a safe and effective way to figure out your business vulnerabilities. In order to evaluate the security of any organization, its infrastructure and applications, you must do so with a skilled individual. Simulating these real-world attacks can help determine whether or not a hacker is able to get in. However, just like the worm virus in the Maersk attack, it’s also incredibly important to understand how far the attack can reach.
These attacks should be done by a person, not an automated process, as a person will uncover intricacies a machine cannot. The ultimate goal or outcomes are tactical and strategic remediation for any system vulnerabilities.
Finding and exploiting those flaws before someone else does is incredibly valuable. It ensures that you can build a strategic security plan to protect your entire business.
Be skeptical – and train your employees to be too
Just as unlocking the door to your home when a stranger knocks feels a bit off because we are educated to not let strangers in, the same should apply when you get an email with an attachment or a link you weren’t expecting. In fact, the biggest way hackers get into your business is through unaware employees. Spoiler alert – they could be your biggest vulnerability! If one employee (whether they are in their home office or headquarters) clicks on an email that contains a virus, the entire company is now susceptible, unless there are security layers in place.
Managed security awareness training (MSAT) gives your employees the training and education they need to be the first line of defense, or as I say, the human firewall. And full transparency to how your employees are doing in their training is insightful to learn where more education is needed.
While you’re probably done with the analogies, there’s just one more. The lack of a security strategy that includes multiple layers of protection is like inviting an avalanche into your business. Once one vulnerable piece is shaken, the whole organization can come unraveled. It is not only one failure that led to the Maersk hack, rather multiple layers of failure that contributed to one of the biggest hacks ever seen. By keeping your cyber hygiene squeaky clean, your cybersecurity plan moving forward and your employees well trained and educated, you can rest assured that one potential risk won’t bring down your whole business. And of course, if you’re curious on how to get started with a business security strategy, we are here to help! For more information visit our website, or email SecuritySales@AllCovered.com.
In partnership with Microsoft 365, Konica Minolta and All Covered have created an ebook covering how to assess your security performance, ways to lower your ransomware risk, the importance of endpoint security and how to embrace the opportunities of digitalization securely. Download it for free here.