In 2019, a survey of 1,200 small business owners was conducted in the United States. It found that the share of small businesses reporting cyberattacks has tripled since 2015, and that nearly 80% of respondents "find it difficult to keep up with the ever-changing cyberspace." Overall, 12% of small businesses, more than 20% of medium-sized businesses and almost 33% of large businesses are subject to cyberattacks.
Given that the number of attacks keeps growing, these are dangerous and somewhat depressing figures. Depressing first of all because such attacks are rarely the work of the most powerful hacker groups; they are the natural result of general carelessness, tight-fisted management, greed of employees and meanness of competitors. And this picture holds in almost every region of the world. Another finding of the study confirms it: one respondent in four did not believe that their business would ever suffer a cyberattack. The reasoning sounds plausible: why would international hackers bother with a small or even medium-sized company, and who would think of planting malware in such a company's IT infrastructure?
The point is that modern cyber threats are not limited to hackers, viruses, worms and other malware. At the very least there are ransomware and social engineering, which are hard to defend against when every system and every person in the company is closely connected. Attackers (and sometimes competitors acting through them) build elaborate schemes of interaction with employees and end up obtaining all the information they need almost voluntarily.
So what could threaten cybersecurity in 2021?
Not taking cybersecurity seriously
You can pour a lot of money into an information security system and get no effect at all. There are two reasons for this: company management and business processes. It often happens that managers invest in information security and then wait for results: scandals, intrigues, investigations, revelations. They expect that by the end of the month the heads of hackers will be brought to them, the most vicious cybercriminals will be paraded in and attack reports will land on their desk. It is often extremely difficult to explain to them that if nothing has happened, the system is working exactly as intended and is not eating the budget in vain: it reliably protects the company and keeps intruders outside the security perimeter.
As for business processes, the key problem lies in the fragmentation of departments and other divisions. The security team or system administrator does everything to protect the company, while employees in other departments write passwords on sticky notes, log in to work systems over the Wi-Fi of a favorite or random cafe, and use one password for the office CRM, the corporate knowledge base, work mail, personal mail, Facebook and Instagram. The work of one department can go down the drain because of the carelessness of individual employees and the human factor.
The idea of a standalone security department is increasingly criticized, especially in IT, and with good reason: the employees responsible for security must make sure that basic security rules and regulations are followed in every department and within every business process. Only this comprehensive approach minimizes the number of vulnerabilities.
Reactive, not proactive cybersecurity
An employee in charge of the company's security who is able to repel an attack, prevent data theft and stop fraud by insiders is a Superman. But not the real one. The real one is the employee (or team) who ensures security in such a way that attacks and data leaks are simply impossible, or are stopped on the approaches to the company's information systems.
Prevention is much easier and cheaper than remediation. Remember that security breaches are among the most expensive economic, legal and reputational risks in any business. As with human health, prevention decides and wins.
Passwords, passwords, passwords …
It is almost funny, but passwords still cause a lot of problems for companies, simply because anyone who gets hold of a leaked credential database instantly becomes a "hacker." It is easy to get passwords wrong: entries from the top 10 most-cracked lists, guessable values (birthdays, names, etc.), social network passwords reused on corporate systems, one shared password for the entire company, admin passwords handed to every user. And of course all of this is stored in exactly three places: on a sticky note on the monitor, in a notebook on the desk and, most securely of all, on a folded piece of paper under the keyboard. Office workers also have a super-secure method: a separate .txt file on the desktop. Regular password rotation is out of the question; this is where the brain of an accountant or salesperson overflows.
The password problem is far from a fantasy: it is the most accessible security hole, and it can be exploited not only by outside attackers but also, for example, by former employees or by employees who are about to leave the company along with commercially sensitive data.
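The patterns listed above are easy to find mechanically. The following Python script is an added illustration (not part of the original article) of a small credential audit run over a constructed set of accounts: it flags passwords from a common-password list, date-like values, short passwords and passwords containing the user name, and then looks across systems for the "one password for everything" and "one password shared by several people" cases. The ten-entry common-password list and the sample accounts are made up for the demonstration; a real audit would use a full breach corpus. It operates on plaintext only because it models a controlled self-assessment; against production stores you compare hashes instead.

```python
import re
from collections import defaultdict

# Constructed top-10 sample; a real audit uses a full breach corpus.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123456789",
    "12345", "1234", "111111", "1234567", "dragon",
}

# A bare year, DD.MM.YYYY, or an 8-digit string (DDMMYYYY / YYYYMMDD).
DATE_RE = re.compile(r"^(?:(?:19|20)\d{2}|\d{2}\.\d{2}\.(?:19|20)\d{2}|\d{8})$")

MIN_LENGTH = 12


def check_one(user, password):
    """Per-credential findings for a single (user, password) pair."""
    problems = []
    low = password.lower()
    if low in COMMON_PASSWORDS:
        problems.append("common password")
    if DATE_RE.match(password):
        problems.append("looks like a date")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Skip very short user names, which would match almost anything.
    if len(user) >= 3 and user.lower() in low:
        problems.append("contains the user name")
    return problems


def audit(accounts):
    """accounts: iterable of (user, system, password) tuples.

    Returns a sorted list of (who, where, finding) tuples covering both
    per-credential weaknesses and the cross-system patterns: the same
    person using one password everywhere, and one password shared by
    several people (for example an admin password handed to everyone).
    """
    findings = set()
    systems_per_user_pw = defaultdict(set)   # (user, password) -> systems
    users_per_pw = defaultdict(set)          # password -> users

    for user, system, password in accounts:
        for problem in check_one(user, password):
            findings.add((user, system, problem))
        systems_per_user_pw[(user, password)].add(system)
        users_per_pw[password].add(user)

    for (user, _pw), systems in systems_per_user_pw.items():
        if len(systems) > 1:
            findings.add((user, "+".join(sorted(systems)), "reused across systems"))

    for _pw, users in users_per_pw.items():
        if len(users) > 1:
            findings.add(("+".join(sorted(users)), "*", "shared by several users"))

    return sorted(findings)


# Constructed sample credentials for the demonstration (hypothetical names).
SAMPLE = [
    ("ivanov", "crm", "qwerty"),
    ("ivanov", "mail", "qwerty"),
    ("petrova", "crm", "15.03.1987"),
    ("admin", "crm", "Admin2021!"),
    ("sidorov", "crm", "Admin2021!"),
    ("smith", "vpn", "smith-rocks-2020"),
    ("lee", "vpn", "c0rrect-horse-battery-staple"),
]

if __name__ == "__main__":
    for who, where, finding in audit(SAMPLE):
        print(f"{who:16} {where:10} {finding}")
```

The cross-system checks are the ones a per-account password policy cannot catch: a password can pass every complexity rule and still be the single key to the CRM, mail and VPN, or the one "admin" password known to half the office.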
Maybe it works by itself, no one has hacked us
The problem of the overwhelming majority of companies of any size is the absence of security testing, both by internal staff and by external agents (professional penetration testers). The consequence is that expensive (or any) security tools may be misconfigured or simply defective, and parts of the infrastructure turn out to be vulnerable. For a small company this may end in a plain data leak (customer base, operational figures or employee records); for a large enterprise or an industrial plant the lack of an adequate security audit is likely to turn into a disaster, and not necessarily one confined to the company.
Professional penetration testers look for unprotected vulnerabilities in your company's security perimeter, conduct deliberate and controlled attacks, run phishing tests, try SQL injection against all web resources, and legally break the infrastructure the way it could be broken illegally. External security auditors are not only professionals but also people with a fresh view of your business: they sometimes spot obvious problems lying on the surface that go unnoticed because employees have grown used to them. It also happens that a company habitually works around a security hole with a temporary fix that was put in "for a couple of days" five sysadmins ago and is still alive. And external penetration testers are completely impartial: they have no one to cover for in your company. This greatly reduces the human factor, because, alas, the most serious security problems can come from employees.
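To show what "trying SQL injection against all web resources" actually finds, here is an added Python example (not code from the article) with a login check written the vulnerable way, the payload a tester would send, and the parameterized version that closes the hole. The in-memory SQLite table, the user names and the passwords are constructed for the demonstration; a real application would store password hashes and compare them in code rather than in the query.

```python
import sqlite3


def setup():
    """Constructed demo database: two accounts, passwords kept in plaintext
    only so the whole check fits in one query for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "user"), ("admin", "hunter2", "admin")],
    )
    return conn


def login_vulnerable(conn, login, password):
    """Builds the query by string concatenation, so whatever the user types
    becomes part of the SQL. Returns the role on success, else None."""
    query = (
        "SELECT role FROM users WHERE login = '" + login
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, login, password):
    """Same check with bound parameters: the input is always data, never SQL."""
    row = conn.execute(
        "SELECT role FROM users WHERE login = ? AND password = ?",
        (login, password),
    ).fetchone()
    return row[0] if row else None


# The classic tester payload: close the string, then comment out the rest of
# the WHERE clause so the password is never checked.
PAYLOAD_LOGIN = "admin' --"

if __name__ == "__main__":
    conn = setup()
    print("vulnerable, legit:   ", login_vulnerable(conn, "admin", "hunter2"))
    print("vulnerable, payload: ", login_vulnerable(conn, PAYLOAD_LOGIN, ""))
    print("fixed, legit:        ", login_fixed(conn, "admin", "hunter2"))
    print("fixed, payload:      ", login_fixed(conn, PAYLOAD_LOGIN, ""))
```

With the payload in the login field the concatenated query becomes `... WHERE login = 'admin' --' AND password = ''`, everything after `--` is a comment, and the vulnerable function hands out the admin role without any password. The parameterized version receives the same string, looks for a user literally named `admin' --`, finds nothing and returns None.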
Insider threat: a stranger among friends
The insider threat is one of the hardest to detect and most difficult to prevent. It can come from employees, officers and partners associated with the company, and also from former employees, auditors, lawyers, customers and anyone else who has ever had access to confidential business information. Still, current employees account for most leaks: external parties are far more sensitive to the NDAs they have signed and value the reputation of their own organizations. The worst part is that such threats cannot be detected and prevented by conventional means.
Insiders' methods are also quite sophisticated: from ordinary leaking and copying to joining stakeholder groups and planting logic bombs (when departing employees leave various, um, software "surprises" in the company's IT infrastructure and data warehouses). The motive may be profit or plain revenge. And sometimes an employee does not even know that he is taking part in an insider scheme.
It is hard to say how to deal with insiders. Every measure has its place here, from "moles" inside departments to close monitoring of suspicious employees. The problem is that the quietest and tidiest employee often turns out to be the main threat, and that is frightening, because in pursuit of such a person you can tear the whole company apart. Be vigilant and careful, analyze the channels an insider could use and act on them in a targeted manner.
Insecure corporate systems and business software
Alas, even the most expensive corporate software can be compromised and does not guarantee complete security. Small software vendors often manage the security of their products more effectively, because they have a "dense" development process, a smaller team and more time spent on refactoring and on designing systems and algorithms (though this is not a rule, and certainly not true of everyone). Problems can stem from the architecture of the software, from the cloud provider partnered with the vendor, and even from the human factor, when the vendor's own employees are the risk.
So do not trust your software vendor blindly; protect yourself by asking questions and taking action: look at the developers' reputation, find out everything about their security measures and how they protect data, ask how often backups are taken and whether access rights can be distributed. We recommend not using the vendor's own cloud hosting (no one knows what they have saved there or how they store it); choose your own VPS provider and deploy the software on its servers, or even rent your own hardware (expensive, but with a good sysadmin it is as secure as it gets).
Also watch for patches and minor and major software updates. If the vendor releases them, be sure to roll them out so that the software stays current and secure.
While we are on cloud providers and hosting: do not store your data in a bag behind a shed. Be careful when choosing a cloud service provider and clarify in which jurisdiction your data will be stored. Always check with a potential provider where they host data. Good hosting providers offer hosting in several jurisdictions and can educate you about the laws in each, so that you can make an informed, deliberate choice about where to keep your data.
One for all
As of 2021, the range of information security tools is so large that almost any threat (including force majeure such as a fire in the data center) can be prevented. Here is just a short list available to any company: firewall, antivirus and antispam, VPN, monitoring systems and ITSM, systems for monitoring employees' digital activity (yes, this one is evil), access-rights management inside business software, operating system security tools, and so on. Used together, they reliably protect a company from most types of attack. But companies often settle on a single measure out of thrift, carelessness and the phrase "it is fine like that."
The approach to security should be multidimensional and include software tools as well as employee training, monitoring of employees' compliance with security requirements and regular in-house information security instruction.
Cost of error = life of the company
You do not need to be the best hacker in the world to attack a small or medium-sized business; you only need to provoke employees' mistakes or take advantage of those already made. Phishing emails, social engineering, bribery and employee fraud are the simplest and most effective set of tools for getting close to corporate data and using it. Unfortunately, such situations recur in companies again and again, and the attack scenarios keep changing, if only slightly.
There is only one way out: train employees and literally send out a notice about each new attack method. But there is no guarantee that tomorrow a fundamentally new method will not appear before you have had time to warn your colleagues. For example, there was a case in which the Minnesota police decided to buy software from a company with international sales: they asked for 120 licenses and sent a letter of guarantee that they would pay for the keys within a month. Everything looked as serious and formal as possible. The keys were handed over and nobody paid for them. Yes, for the company this is just lost revenue on virtual keys. But nobody can tell how those keys will be used or resold, and by the time the company found out, checked and blocked them, a lot of damage could have been done. It was lucky that this was most likely just some petty hooligans.
Security management just for visibility
A company may have the most expensive security tools and the most advanced, highly paid security specialists, and then one morning someone posts on a website about how your system was hacked. The reason is a tangle of greed and inattention. And that is only half the trouble: you quarrel, contact the author, thank him (right?) and close the vulnerability. But if no one posts about it and instead exploits the vulnerability every day, using your business data to their own advantage, that is a real disaster.
Therefore the attitude of employees to security has to change: they must know that security in the company is monitored and enforced, and that each of them is responsible for the information security components at their own workplace. Signing additional agreements and announcing goals is not enough; security controls must be built into all business processes and systems so that employees can see the problem is not nominal. Rewarding employees for complying with information security rules is good motivation, whether through gamification, KPI systems, regulations or other means. Most importantly, employees must see the deep and sincere concern of management for corporate security.
Sometimes security threats arise out of nowhere. Old IT wisdom says, "You are only as secure as your weakest link." Do you know exactly where that link is in your company? For example, the author of this article once worked for a regional company and was sitting at a city bus station waiting for a bus. The man sitting next to him was loudly and indignantly describing over the phone a kickback scheme and the arrangement with a supplier of rather exclusive products. As it happened, the author was a competitor's employee. A more epic leak of information is hard to imagine. Nobody used the information, but it was a matter of principle. So talkers, lovers of selfies against the background of a work monitor or inside the facility (if we are talking about production), careless screenshots showing the address and port of the admin panel in the address bar, and accidents such as lost laptops and phones, papers left behind, forgotten flash drives and the like can all open a security hole.
Therefore, observe information security hygiene and teach it to your colleagues and employees.