WannaCry, Petya, the Kaspersky scandal, the Cloudbleed data leak, the Shadow Brokers group activity… these are just some of the cyber-scandals of 2017. Therefore, the key question is not whether there will be an attack on the digital resources of the company, but when will it happen and to what extent is the company prepared to face it?
From this article you will learn:
- how important is the security awareness in a world full of digital data,
- why you should have a limited confidence in your own security measures,
- what additional security measures you can invest in.
Digital security awareness
For example, according to the 10th edition of Data Breach Investigations Report from 2017, 81% of the data breach incidents were caused by a stolen and/or weak password. At the same time, the report commissioned by Intel IT security in large companies in Poland in 2016, shows that as many as 62% of Polish companies use only a password for authentication. It is known that in 62% of cases, the data breach incident was caused by "hacking" –gaining an unauthorized access to user data (2017 DBIR), while 40% of Polish companies do not have a scenario prepared for such an event (IT security…).
But enough about the statistics! Imagine that this is happening to your company. One morning you realise that your website has been attacked and criminals have gained access to the data you collect through it. Unfortunately, this is not a science fiction story. It’s very likely that this has already happened to you, or you know someone who has experienced it. Attacking the security of digital resources, contrary to appearances, is not so difficult. The Internet is full of guidebooks and courses for beginners, while entrepreneurs too often forget that they are responsible for their website and for the IT security of its users, unfortunately. In addition to the loss of reputation, in the case of a successful attack the damage can be much greater:
- hackers can cause harm to the users of your site, e.g. through phishing,
- they can collect confidential data through the forms available on your website,
- they can run scripts in users' browsers and use the computing power of their computers, e.g. for cryptocurrency "mining",
- they can install on the website a software that attacks vulnerable browsers of users, so that they can take over their computers (e.g. the attack on the Polish Financial Supervision Authority),
- they can block your application and demand a ransom…
…there are a lot of scenarios, and some of them assume that for a long time you might not even be aware that such an incident occurred, while the danger threatens all who visit your website!
Don’t trust your own security measures
As the entrepreneurs, we are exposing ourselves to such incidents by ignoring security issues when creating and sharing our web and mobile applications. Fortunately, it is becoming a good practice to verify their security of digital resources through penetration tests and security audits. They resemble a real hacker attack, but they are based on finding all existing vulnerabilities, not just using the first working one. After this test/audit, you obtain a report on the vulnerabilities found, the threat level, the potential possibilities of exploiting them and the ways of patching them. The penetration test and the security audit are primarily raising the awareness of one's susceptibility to an attack – it's a basic knowledge allowing to minimise the risk.
Another fundamental mistake made by the entrepreneurs is the omission of aspects of security dynamics. The company's ongoing activity is almost always associated with changes that affect the security level of IT resources. These can be, e.g.:
- employees, both new and leaving the company,
- changes in individual accesses to resources,
- changes in the way the specific devices are being used,
- vulnerabilities in the installed or used software,
- new versions of malicious software,
- new attack techniques and tactics.
The software is often a key part of the IT security in the company. Employees use the software on company equipment, often without the knowledge of the associated risks. Usually several dozen different applications are installed on an average computer. The most popular of them receive patches on the day of finding a vulnerability. Not all programs, however, notify the user about new updates. Therefore, it is important to keep up with current updates (uninstalling unused applications and checking for available updates). Threats also await the users who would like to download updates, though. Most of us know the story about the update for the trusted CCleaner program, which infected the operating system of any user who downloaded it.
How to further secure your resources
In connection with the above, the security of digital resources of the company resources should always be treated as a process – not as a state, and it should be monitored on an ongoing basis. Understanding this fact allows for the introduction of adequate preventive measures, such as active security monitoring, that is – regularly performed vulnerability scans, verification of the integrity of the website, the status of services, and checking the validity of the software components. Active monitoring is a type of a constant protection over the security of resources, even in the face of major changes in the company.
Due to such high dynamics, it is not possible to achieve a state of a complete security. The best example are successful attacks on companies dealing professionally with IT security (FoxIT wrote about such an incident on their blog). At the same time, only 60% of large enterprises in Poland have an emergency scenario implemented in case of a cyberattack or a similar event (the Intel’s report). In such cases, the services of experts are often used. They help not only with completing the appropriate procedures, but with "taking control of the situation", collecting the evidence and repairing the damage.
The above threats apply to basically every entrepreneur, regardless of the size of their business. From a business point of view, the risk level has increased to such an extent that it can no longer be ignored. We are now faced with the challenges of ensuring the constancy of resource and critical information security, and developing a scenario for data breach incidents. Fortunately, our awareness regarding this topic is growing (half of large companies in Poland are planning to increase investments in the area of the IT security in the next two years – according to the Intel’s report). We can only hope that the trends related to the development of security tools and services, as well as the awareness of entrepreneurs regarding the current threats will continue and allow for efficient business operations.