Cybersecurity Controls Part 1 of 10 – Good News and Bad NewsTim Weidman
The Bad News
You are going to be the victim of a cyberattack. Sorry to break it to you, and it is a hard concept to grasp but statistically speaking, it is going to happen to you eventually.
That is the new reality of cybersecurity, where the bad guys are so advanced that our current technology can no longer guarantee against a loss. One 2018 study reported small businesses at 67% odds of experiencing a cyberattack and 58% odds of experiencing a data breach in the previous 12-month period.
It might not be today, but you will not avoid it forever. This may seem like fear mongering, alarmism, or sensationalism, but it is the new reality.
Keep in mind, the auto industry has taken this same approach for decades. We don’t purchase automobiles or automobile insurance under the illusion that somehow we will not need the safety features or coverage for an accident. In fact, that industry plans on about four accidents during a person’s driving career. We need to start taking the same attitude toward cybercrime.
With that in mind, here are the new goals in cybersecurity:
- Make attacks less frequent
- Detect attacks sooner (average detection time frame is still measured in months)
- Lessen the damage that happens when an attack gets through
- Quicker recovery time
Today I start a new series on must-have security controls for SMBs, which can help you accomplish these goals. Before I do, a few quick stories from real life:
Sally is the CFO of a mid-sized manufacturing company: Went to a conference in sunny Las Vegas for three days in March. Sally only used her laptop once on the trip, and that was to login to her Office 365 email from the hotel. It took her three tries to login but the third time it worked and there were no further problems. Within minutes, rules were established in Sally’s mailbox which controlled what she saw in her email, as well which emails that she sent actually making it out. The hackers who now controlled her mailbox, used it over the next four months to communicate with customers who owed the company money until they got one to pay nearly 100 thousand in back invoices wired to a bogus bank account. Since the fake banking info actually came from Sally’s mailbox, the customer had no desire to pay again.
George is the managing partner of a small law firm: While on vacation, a hacker logged into his email using a very similar password George had previously used on LinkedIn and other accounts which had their passwords stolen. Now that they had control of his mailbox, the hackers sent out emails to all of his staff and clients containing virus links.
Charlie is the owner of a services firm: Working late one night, Charlie was reading email on a shared accounting sever. He opened an attachment from what appeared to be an important email from a regular vendor. The attachment was blank, so he disregarded it. The next morning every file in the company was encrypted. Additionally, a spreadsheet with customer credit card numbers was among the encrypted files and were compromised. After having to close the operation for nearly ten days, files and systems were eventually brought back online at great expense.
The stories above demonstrate some of the most common attacks – including Public WIFI attacks, Business Email Compromising, Known Password Attacks and Phishing.
These attacks are successful because the target has shifted from technology to people. Because technology is not the target, there is no amount of technology that can guarantee protection. People are the target, and people make mistakes. People have jobs to do, usually more job than they have time, and all people can be fooled under the right circumstances.
So yes, this is indeed bad news.
The Good News:
We are going to talk about controls which can help accomplish the new goals of cybersecurity, which are to make successful attacks less often and less damaging.
Over the next 10 weeks we are going to discuss 10 basic controls which, in my opinion, are the biggest “bang for your buck” in trying to accomplish these four goals. These are not expensive pieces of equipment and do not require turning all of your business processes inside-out. Putting up a decent fight against cybercrime does require a budget and for you and your staff to make changes, but it can and should be done.
To sign up for notifications for future segments in this series, subscribe below.