Cyber Security – One size does not fit all
Cyber Security – One size does not fit all.
Cyber attacks are more sophisticated than ever before. And they’re causing more and more damage. Cyber security is therefore becoming a priority for businesses, and not only because of the new laws passed in February 2017 making it mandatory for Australian businesses to report data breaches to customers. In the US, Yahoo announced that hackers compromised the details of more than 1.5 billion user accounts in separate 2013 and 2014 attacks. In October 2016, DNS provider Dyn suffered a distributed denial-of-service attack that rendered popular websites such as Reddit, PayPal and CNN temporarily inaccessible. There have even been allegations that cyber criminals tampered with the 2016 United States presidential election.
But in cyber security, one size does not fit all. Cyber criminals don’t attack systems indiscriminately. They exploit specific weaknesses in specific systems. In today’s world of integrated marketing, CRM and e-commerce systems, no two businesses have exactly the same needs or vulnerabilities. So an off-the-shelf security solution isn’t enough to protect your crucial data.
The ideal security solution is one tailored to your business’s needs: one designed to protect your most important data and fortify the areas that hackers are most likely to attack.
Customer-owned devices cause security holes
The movement to bring your own devices (BYOD) means that many companies allow employees to bring their own computers and phones to work. The idea is that if an employee can perform tasks on a familiar device, they’ll work more efficiently. It might be a good idea for productivity but it’s a bad one for security. Each time you allow an employee to connect their own device to your corporate network, you create a potential security problem. Some employees jailbreak their devices to allow pirated apps to run – and many pirated apps contain malware. Employees can even end up with malware on their devices from normal web browsing.
Employee-owned phones are equally serious security risks away from the workplace. If an employee connects to a public wireless access point, for example, a hacker in the same location could use software to intercept and decode any data transferred. Or if an employee loses a phone that doesn’t have full device encryption, a thief could steal the phone and access all of the data on it.
Integrated systems cause security holes
A large corporation typically has many different systems that interact with one another. Your business may have any or all of the following systems:
- An IP-based telephony system
- Windows or Mac computers with internet access for employees
- A CRM database containing customer information
- A marketing system to manage your pay-per-click, social media and other marketing campaigns
- A CMS system to manage your web properties
- An internal server to manage your corporate intranet.
It’s likely that your business has integrated many of these systems. There are great reasons for integration. Integrating your network reduces hardware and infrastructure expenses. Integrating your CRM, CMS and marketing platforms helps you acquire new customers and provide better service to your existing customers. However, an integrated system also means that if a hacker penetrates one service, they could potentially gain access to every connected service.
Hackers target users – not servers
Because corporate servers almost always have some form of security software, hackers often avoid them when they want to penetrate systems. Instead, they target the users. If a hacker penetrates an employee’s device or gets an employee’s network credentials, they gain access to everything the employee can access – and possibly more. It’s far easier to penetrate the deepest levels of a corporate network when you already have the access level of an employee.
Here are just two of the ways in which hackers can penetrate corporate networks through employees:
- Malware: Many websites, computer programs and mobile apps exist for no reason except to deliver malicious software to vulnerable devices. Hackers that use malware to infect devices are often opportunistic; they pursue every possible lead that they discover on infected devices.
- Social engineering: Often, the best way to penetrate a corporate network doesn’t require a computer or an internet connection. It simply requires a single trusting individual. In a social engineering attack, a hacker initiates contact with an employee by phone, in person or via an online chat. The hacker might pose as someone from the target company’s IT department and ask for the employee’s network password because they “need it to troubleshoot an issue.” If the employee gives up their password, the hacker obtains access to the corporate network – just like that.
Identify your crucial data to understand your risks
Just as different businesses have different security risk factors, they also have different needs. If your business is in the retail sector, for example, it’s likely that you store customers’ private information – such as names, addresses, phone numbers and credit card numbers – on your servers. If a hacker breaches that data, the results would be catastrophic for your business. On another server, your business may store corporate secrets about research and development, future business plans and other proprietary information. Your security measures should focus on protecting your business’s most crucial data.
Assessing your company’s risk profile is an important part of constructing a customised security solution.
Our cyber security by design framework is the best approach
Our cyber security by design approach recognises that all customers are not the same. Cyber security must now, and into the future, be built around a framework that provides structure and processes to manage changing cyber security requirements.
Cyber security is constantly evolving. Criminals are becoming more sophisticated and are very clever at finding new ways to access sensitive data. You would be foolish to think that your business is safe simply because it’s small. Our design framework gives you the tools, systems and processes to manage cyber security within your business – and the opportunity to develop a cyber security program that meets the unique needs of your business.
Cyber security by design
At Stickman, we conduct holistic assessments on your cyber security by using the “by design” methodology which encompasses the implementation approach recommended by NIST.
If you’d like to know more about our cyber security by design framework, just get in touch today.