I am sure that many of you have read articles or heard on the news about cyber attacks against some major companies. Cyber attacks, or “data security violations,” are becoming more prevalent as our society becomes more and more digital. In fact, according to the Privacy Rights Clearinghouse, more than 2,500 data breaches involving more than 600 million records have been made public since 2005. That is nearly one a day for the past 5 1/2 years.
Now I am sure that you may be thinking that all these digital records and computers may be a bad thing, but one of the reasons for the rise is, simply, that there are more data and records in digital format than there were 5 1/2 years ago.
These cyber attacks against companies include various types:
- Intellectual property theft – US-based companies are known throughout the world for developing cutting-edge inventions, designs and other intangible assets. These assets are vulnerable to online theft.
- Fraud – Most commonly seen is the theft of credit card information, which is then sold.
- Attacks on infrastructure – For businesses this can include viruses and worms that affect servers and workstations. For countries and municipalities, it could include attacks on power grids or water supplies.
- Telecommunications – Many times telecommunications systems get broken into for various reasons. The two that come right to mind are the ability to force the network’s failure and to intercept communications.
There are ways for companies to combat cyber attacks, and a lot of them are simple and require educating people about the ramifications of not adhering to policy. Though the digital world can be complex and many companies have detailed sets of policies and procedures to protect data and business information, the bottom line for me is that your people are the best defense.
I say people are the best defense, but they need to be educated on the policies and required to know what they are and adhere to them. I like to say that people know the speed limit may be 55, but if there is no one there to make them adhere to it, they will drive faster. One way is to test employees on an annual basis to assess their knowledge and understanding of the company’s information security policies and procedures. This is one thing that I intend to do with my accounting firm, Fuoco Group, and all companies that I consult with. One way to ensure compliance with testing and knowledge of the policies and procedures is to revoke system access for those not completing the testing. Watch how quickly you get called when someone does not have access to the company network.
Here are some things that a company can do and should make clear in their policies to help prevent cyber attacks:
- Login credentials – No matter how much people may complain about needing to know passwords, make it a requirement that, at a minimum, they change passwords every 90 days. Also make sure they are informed how to protect their passwords (taping a password to the monitor just does not cut it).
- Software being installed without approval – Many times commercial software can include security flaws that provide hackers an “open” door to the rest of the network. Using group policies to prevent installation of software on company computers can close these open doors. There should also be anti-virus software installed on every workstation, laptop and server in the organization, and it should be updated regularly.
- Phishing emails – These are emails that appear to be sent from a legitimate organization but are really coming from people looking to steal your employees’ credentials to the network. This is something that employees need to be educated on, as does the general public.
- PERSONAL USE: I capitalize this one because more often than not this is one of the most abused things by employees and, in my opinion, the number one opening for attackers. Each company needs to make its rules clear to employees regarding personal use of the company’s network, be it email, the internet or personal smart devices used to access the company’s network. (see next)
- Use of company equipment – Employees need to be educated that it is YOUR workstation, NOT THEIRS. You need to enforce company policy when it comes to the workstation, thumb drives, PDAs, external hard drives and unsecured WiFi networks.
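The 90-day password rule above is only useful if someone actually checks it. As an added example (not part of the original post, and not something the author's firm published), the PowerShell script below reads the Active Directory domain's default password policy, compares its maximum password age with the 90-day requirement, and lists enabled accounts whose password is older than 90 days or is set never to expire. It assumes the Active Directory module (RSAT) is available and that the account running it can read user attributes; the 90-day threshold is taken from the post and can be changed in the `$MaxDays` variable.

```powershell
# Added example: audit an AD domain against a "change passwords every 90 days" policy.
# Assumes the ActiveDirectory module is installed and the caller can read user objects.
Import-Module ActiveDirectory

$MaxDays = 90                          # requirement stated in the post
$Cutoff  = (Get-Date).AddDays(-$MaxDays)

# 1. Does the domain policy itself enforce the maximum age?
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.MaxPasswordAge.TotalDays -eq 0 -or $policy.MaxPasswordAge.TotalDays -gt $MaxDays) {
    Write-Warning ("Domain MaxPasswordAge is {0} days; policy requires {1} or less." -f `
        $policy.MaxPasswordAge.TotalDays, $MaxDays)
} else {
    Write-Host ("Domain MaxPasswordAge is {0} days: OK" -f $policy.MaxPasswordAge.TotalDays)
}

# 2. Which enabled accounts are out of compliance anyway?
#    PasswordNeverExpires overrides the domain policy, so those accounts are flagged too.
$stale = Get-ADUser -Filter 'Enabled -eq $true' `
            -Properties PasswordLastSet, PasswordNeverExpires |
         Where-Object {
             $_.PasswordNeverExpires -or
             -not $_.PasswordLastSet -or
             $_.PasswordLastSet -lt $Cutoff
         } |
         Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires,
             @{ Name = 'AgeDays'; Expression = {
                 if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null } } }

# 3. Report; the CSV is what you hand to the manager (or use to decide whose access gets revoked).
$stale | Sort-Object AgeDays -Descending | Format-Table -AutoSize
$stale | Export-Csv -Path ".\stale-passwords.csv" -NoTypeInformation
Write-Host ("{0} enabled account(s) out of compliance with the {1}-day rule." -f $stale.Count, $MaxDays)
```

Run it from a domain-joined workstation with the RSAT tools installed. Accounts flagged with `PasswordNeverExpires` are the ones most often forgotten, because the domain policy silently does not apply to them; service accounts usually show up here and need a separate decision rather than a blanket reset.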
Protecting your company’s assets against cyber attacks is not easy, but employee awareness, policies and procedures that are enforced and the knowledge that these attacks are out there may make it a bit easier for you to sleep at night knowing you have done what you can. Now go put the alarm on so you can sleep!