Are You Spending Your Information-Security Budget On The Wrong Technology?

“Which firewall should I use?” is a question that I am frequently asked when I meet businesspeople at conferences and networking events.

While it may sound innocuous, this inquiry is, in fact, indicative of a disturbing trend found among both businesspeople and consumers vis-à-vis the security of their valuable and private information: investing too much attention and money (from limited budgets) in areas in which they already benefit from relatively solid security, and, therefore, have disproportionately low returns on improvements, while all but ignoring various gaping holes.

Here are four areas that often are given insufficient consideration, but which you should be thinking about – and investing in – before it is too late:

1. Defenses For Once You Have Been Breached

To date, most cybersecurity budgets have been primarily focused on preventing breaches by keeping hackers out. People are used to securing their homes and offices by locking the front door and having the doors and windows alarmed; it is not surprising that they would do the same from a digital perspective. But, for some reason, the digital equivalent of the standard practice of placing interior motion-detectors inside a facility in case it is breached is often neglected.

The terrible truth -- that pretty much everyone in the information-security industry recognizes -- is that if competent, well-funded hackers want to penetrate a specific organization, they will succeed at doing so. In nearly two decades in the field I have never seen an environment that I believed could not be breached by hackers with sufficient resources. Remember, to remain breach-free an organization needs to fend off all attacks, but hackers just need to successfully execute one attack in order to break in.

Most security breaches are crimes in which there is no specific target – and, if an organization has decent countermeasures, hackers may decide to go elsewhere. The people who breached Home Depot, Target, and Staples, for example, likely wanted large volumes of credit card data, not to harm these specific organizations. They may have even targeted other retailers first, and decided to move on after encountering delays or difficulties due to better security measures in place. Last year’s megabreach of Sony, however, exemplified a different situation – the goal seems to have been to harm Sony specifically. If your organization is being targeted in such a fashion by a sophisticated party, the odds that a breach will ultimately occur are probably close to 100%.

While many believe that Sony was the target of a brutal dictator angry about Sony portraying him in a negative light and showing a fictional account of his death, your organization may be targeted by far less high-profile parties: unscrupulous competitors, disgruntled employees, bigoted activists, and others far less conspicuous than governments are all potential risks. You should be prepared.

Implement technologies not only to fend off hackers at the perimeter, but to detect and defeat attackers if they manage to penetrate. There are multiple types of technologies that can help and they range in price; some are offered as services with a software component running inside the organization, others as appliances installed within the deploying organization's network. In either case, they typically work by detecting anomalous activities; if, all of a sudden, your CFO's computer is transmitting all of its files to a system overseas, for example, that should raise red flags. Obviously encryption is also a key ingredient of protecting against hackers who have successfully breached an organization; if data cannot be deciphered it (usually) cannot be used.
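The "CFO's computer suddenly sending everything overseas" scenario is, at bottom, a baseline-and-deviation check. The following is an added illustration written for this page, not code from any product the article mentions: it learns each workstation's normal daily outbound volume and the destinations it has talked to, then flags a flow that is both statistically far above that host's norm and bound for a destination the host has never used. The flow records, host names, the "ZZ" placeholder country code and the 3-sigma threshold are all constructed assumptions.

```python
"""Egress anomaly check: baseline per-host outbound volume and destinations,
then flag flows that deviate sharply from that baseline (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (host, destination_country, bytes_out per day).
# Not real data; values chosen only to illustrate the technique.
BASELINE_FLOWS = [
    ("cfo-laptop", "US", 12_000), ("cfo-laptop", "US", 15_500), ("cfo-laptop", "US", 9_800),
    ("cfo-laptop", "US", 14_200), ("cfo-laptop", "US", 11_700),
    ("hr-desktop", "US", 30_000), ("hr-desktop", "US", 28_000), ("hr-desktop", "US", 33_000),
]
TODAY_FLOWS = [
    ("cfo-laptop", "US", 13_000),
    # "ZZ" is a placeholder for an overseas destination this host has never contacted.
    ("cfo-laptop", "ZZ", 4_800_000_000),
    ("hr-desktop", "US", 31_000),
]


def build_baseline(flows):
    """Return {host: (mean_bytes, stdev_bytes, set_of_destinations_seen)}."""
    volumes = defaultdict(list)
    destinations = defaultdict(set)
    for host, country, nbytes in flows:
        volumes[host].append(nbytes)
        destinations[host].add(country)
    return {h: (mean(v), pstdev(v), destinations[h]) for h, v in volumes.items()}


def flag_anomalies(baseline, flows, z_threshold=3.0):
    """Return a list of (host, country, bytes, reasons) for flows worth an analyst's look.

    A flow is flagged when its volume is more than z_threshold standard deviations
    above the host's mean, when its destination is new for that host, or both.
    """
    alerts = []
    for host, country, nbytes in flows:
        reasons = []
        if host not in baseline:
            reasons.append("no baseline for host")
        else:
            mu, sigma, seen = baseline[host]
            if sigma == 0:
                # Perfectly constant history: assume a 10% tolerance band (assumption).
                sigma = max(mu * 0.1, 1.0)
            z = (nbytes - mu) / sigma
            if z > z_threshold:
                reasons.append(f"outbound volume z-score {z:.1f} exceeds {z_threshold}")
            if country not in seen:
                reasons.append(f"never-before-seen destination {country}")
        if reasons:
            alerts.append((host, country, nbytes, reasons))
    return alerts


if __name__ == "__main__":
    for host, country, nbytes, reasons in flag_anomalies(build_baseline(BASELINE_FLOWS), TODAY_FLOWS):
        print(f"ALERT {host} -> {country} ({nbytes} bytes): {'; '.join(reasons)}")
```

Run against the constructed data, only the CFO laptop's multi-gigabyte transfer to the unfamiliar destination is flagged, and it is flagged for both reasons at once; the two routine flows pass silently. Real products layer many more signals on top of this (time of day, protocol, user identity), but the shape of the logic is the same: learn normal, then alert on the deviation.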

Despite the obvious need for businesses to implement such reactive technologies in addition to preventative measures, my experience is that many organizations that need them still focus disproportionately on prevention, a sentiment that I encounter at networking events and the like, and which I have also heard in recent months from other CEOs in the cybersecurity field including Neal Creighton of CounterTack, Mike Potts of Lancope, and Eyal Gruner of Cynet.

2. Defenses Against Human Issues

Of course, as I have mentioned in prior articles, it is important to invest in addressing the human vulnerabilities that so often are exploited by criminals to pierce organizational defenses. Why would a crook expend effort to hack your umpteenth-generation, time-tested firewall when he or she can go right through it by impersonating an employee? Why would he or she try hacking the routing information for your systems (i.e., the DNS data for your domains) when the information needed to authenticate to the relevant management systems in order to make the changes can be found in social media or by social engineering your employees?

Training is important, but, on its own, it will not sufficiently address the human problem. It is important to invest in human-facing technologies; systems that help employees avoid falling prey to spear phishing and alert them if they are leaking data via social media can be incredibly valuable in preventing a massive breach. Addressing human risks not only makes it far more difficult for hackers to penetrate an organization undetected, but also increases the odds that they will have to resort to attack techniques that intrusion detection systems can flag as suspicious activity.

There are a variety of products and services that are intended to reduce organizational exposure to human mistakes. If your business is large enough, you may wish to consult an expert in the human factors of information security for help selecting products; if not, exploring options in conjunction with whomever is handling your information security is likely to be worthwhile. Keep in mind, however, that when it comes to some risks -- for example, data leaking via social media posts -- defenses must be able to work even when employees are not in the office.

3. Defenses Against Mobile Risks

While there have been many advances in mobile security, many businesses – especially smaller ones – do not adequately leverage them.

Remember, your employees are now carrying so-called “smartphones,” which, in reality, are a lot more than just smart phones; they are full-blown computers that possess more processing power, and likely house more sensitive data, than desktops of just a few years ago. Think about the potential risks of people walking around with computers that are constantly connected to the insecure Internet, have a far greater chance of being stolen or lost than machines that weighed tens of pounds and never left our offices, and yet which remain, in many cases, unprotected against hackers or thieves.

Mobile devices are computers, and need Internet security software, encryption, and remote wipe capabilities to be enabled. If you let employees use personal devices for work, make sure you also implement appropriate plans for your BYOD approach.

4. Defense Against Denial-of-Service Attacks

If your business relies on your website, then you should take action to prevent someone from launching a Denial-of-Service attack against it. You may be hosting your site with a major provider that already provides sufficient protection relative to your risk level. On the other hand, you may be defenseless against a barrage of traffic or manipulation of your DNS settings. Find out – and, if necessary, take appropriate action.

Denial-of-Service attacks are real, and can be executed with various techniques. Last week, hackers briefly took the information-security news site SecurityWeek offline. Interestingly, after SecurityWeek was back online I checked the DNS entry for its domain and its history; it appears that as part of its recovery efforts the publication began leveraging Incapsula, a service from the cybersecurity firm Imperva that, among other things, protects against Denial-of-Service attacks. There are of course other providers of similar services, some of which offer basic protection at no charge. If cybersecurity media are taking action, there is a reason.

In a future article I will discuss other steps that businesses should take to ensure that their information-security dollars are well spent.

Please follow me on Twitter at @JosephSteinberg