Another day, another massive security breach, this time courtesy of hackers who somehow gained entrance into the systems of J.P. Morgan Chase, the biggest bank in the U.S. But if you’re thinking, “I don’t need to worry about my own business getting hacked, because I’m a small fish in a huge pond and there’s no reason hackers would ever target me,” that’s probably not the best line of reasoning to take.
According to statistics from the Privacy Rights Clearinghouse, a non-profit advocacy group that logs data breaches, 206 security breaches have been recorded so far in 2014 alone, afflicting organizations as varied as Dairy Queen, the U.S. Investigations Services (USIS), a UPS Store in Atlanta, Georgia and online retailer Backcountry Gear. As you can tell, you don’t have to be a massive financial institution or a government agency to be at risk.
That being said, there are some steps you can take to protect your business, and while these tips may seem pretty obvious, sometimes you just need a nagging reminder that security is a process.
Train your employees to be on the lookout for suspicious emails
Security tends to follow the 80/20 rule, in which the majority of potential threats a company might face are relatively harmless but the ones that aren’t pose huge risks, said OpenDNS CEO David Ulevitch. In order to concentrate on the big security threats, you need to remove the excess noise and that can be done by educating your staff on common security lapses.
Here’s an easy security tip you can pass along to mitigate the noise: Don’t click on shady-looking emails that have nothing to do with your work. These emails are most likely part of phishing scams, in which malicious links are embedded within crafty messages tailored to look like legitimate emails.
Orion Hindawi, the co-founder and CTO of Tanium, said most of the attacks his company has been seeing come from instances in which someone gives their password away when clicking through a misleading email that asks them for private information.
“Pictures of cute bunnies are probably not something you should be clicking on at work,” said Hindawi.
Of course, that’s easier said than done, but there are some tools out there that can help your employees learn what a typical phishing email looks like. Ulevitch uses PhishMe to teach his employees what not to click; the service periodically sends out suspicious-looking emails to employees in an effort to teach them what to look out for.
If you’re going to launch a new server in the cloud, make sure it’s configured right
Yes, the advent of the cloud has made it easier than ever to spin up servers and improve your efficiency. But you’re putting yourself in harm’s way if you haven’t taken into account the simple things, like making sure the system you are replicating to the cloud is properly patched and doesn’t contain old software that hasn’t been updated in over five years, explained Carson Sweet, CEO of CloudPassage.
Sweet recalled an incident a few years ago in which an employee in a very large financial services organization spawned thousands of Amazon images based on a “badly configured Amazon system,” thus exposing the firm to tons of vulnerabilities. Sweet said he and his team referred to the original server as “Typhoid Mary.”
Among the organizations Sweet has observed, roughly 50 percent of spun-up systems have had vulnerabilities because services on the original server weren’t properly patched.
In these cases, it’s probably best to have a systems administrator who knows how to properly set up servers establish best practices for the company to follow.
“This is the kind of thing people don’t think about,” said Sweet. “We are now taking systems and shoving them out of a firewall.”
Verify that all your network access points are covered
Even though the advent of BYOD has made it increasingly difficult for companies to know who exactly is accessing their internal network from a given device or location, there’s no excuse for being completely ignorant of your network’s infrastructure.
Hindawi said Tanium works with a large, global telco whose execs once thought they only had 22 egress points (the parts of a network through which data can leave). After getting a security scan, the company learned that it actually had about 1,500 egress points.
After investigating the issue, Tanium learned that the company was not aware of how often people were accessing the network from outside its firewalls. In some cases, executives were connecting to the corporate network from Starbucks and in one instance, a branch manager ordered his own Wi-Fi to access the company’s system because the branch office’s internet was too slow.
“This is just as bad as leaving doors unlocked,” Hindawi said.
Although a company’s network can be vast and it may not be easy to know everything that’s connected to it, you should at least know where your most important resources are stored. From there, you can use detection or analytic tools that can spot when things look problematic, said Jon Oltsik, an Enterprise Strategy Group senior principal analyst and founder of the firm’s information security service.
Understand how hackers attack organizations in your particular industry
It’s important to know the different threats aimed at different industries and to best arm yourself for the appropriate kinds of attacks depending on your area of business, said Oltsik.
For example, the Target hacking debacle involved a memory scraping attack that’s common in the retail industry but doesn’t occur very often in the banking or health care industries, Oltsik said. As security reporter Brian Krebs explained during the Target breach, the malware used in these types of attacks affects a retailer’s point-of-sale (POS) systems and can log credit card information after a user swipes his or her card.
“If you are in retail, you have to say ‘we have a risk of this attack, maybe we should lock down our POS system so they won’t execute software,’” said Oltsik.
In this case, Oltsik highly recommended nailing down all of your network connections in order to block them from accessing suspicious web servers from places like the Ukraine so that malware won’t have the chance to infect the system.
Patching can be annoying but you have to do it
While this relates back to properly configuring your servers to be deployed to the cloud, the idea of patching should pretty much extend to everything involving your company’s technology. It should be obvious that by not patching your software, you’re leaving yourself vulnerable to malware.
“This is not an advanced threat problem, this is a doing-your-job problem,” said Hindawi when asked about companies not patching or keeping their operating systems up-to-date. “We have literally billions of records in these companies that put ourselves at risk.”
Ulevitch acknowledged that even though patching is important, it can be difficult for some companies to keep track of everything that needs updating. However, companies can set up vulnerability scanners and configure them so they do a system check every couple of days; doing so will let organizations be aware when servers or software need to be patched.