"There are two types of companies: those that have been hacked, and those who don't know they have been hacked." John Chambers, Cisco CEO at the World Economic Forum in 2015
The bad guys are out there and they want your data.
Who are the bad guys? Most of them can be put into a few categories. They may be amateurs (AKA "script kiddies") who buy pre-packaged attacks on the dark web, they may be black hat hackers with varying levels of skill, they may be employed by organized crime syndicates with high skill levels and funding, they may even be members of a nation-state with virtually no limits on funding or time.
With ransomware and other forms of malware on the rise, companies need comprehensive cybersecurity plans more now than ever. Firewalls, which rely on rules to allow or deny traffic, cannot stop the plethora of malware attacks being released at an ever-increasing rate. Intrusion Detection Systems / Intrusion Prevention Systems, which rely on signatures, cannot keep up with zero-day attacks. Likewise with antivirus and anti-malware programs.
The term "zero-day" means that the attack is not publicly announced before becoming active, leaving the software's author with zero days in which to create patches or advise workarounds. There were 45 zero day attacks in the first quarter of 2017.
A cyber attacker only needs to infiltrate your network once to compromise, and maybe cripple, your data. Defense-in-depth is no longer just the industry best practice, it's critical. No matter how large or small your network is, you need several layers of defense. In addition to a firewall with deep packet inspection (DPI) capabilities, there should also be an Intrusion Prevention System (IPS), Authentication, Authorization, and Accounting (AAA) protocols, hardened server and computer configurations, a content filter, and endpoint security.
Another essential aspect is user education. Employees need to be educated about browsing the web safely, spotting a phishing email, identifying suspicious links, and when to avoid links even on legitimate websites or in legitimate emails. Additionally, password strength is paramount. In the past, it was thought that passwords of 8 characters or more with high complexity (i.e. upper and lower case letters, numbers, and special characters), implemented with regular password changes was secure. Current theory suggests that a long, less complex pass phrase that is rarely changed is much more secure.
The need for cybersecurity is now at a critical level. According to a study conducted by the Poneman Institute, once a data breach occurs, it takes an average of 98 days for financial services companies to detect intrusions on their network. In the retail industry, it's an average of 197 days.
Even with the highly publicized WannaCry and Not-Petya attacks this year, many SMB's don't see the need to invest in cybersecurity. The three main reasons seem to be:
- My company is too small to be a target.
- My company doesn't have any information anyone would want to steal.
- Since my company is small, what I have in place is good enough.
While attacks on big businesses make headlines, many more attacks on SMBs are successful. To make matters worse, many businesses who suffered a successful cyber-attack in 2016 will not make any changes to their cybersecurity plan in 2017.
What is your company doing to protect its data?
If you want to learn more about cybersecurity and how to protect yourself and your business, lean on the IT consultants at PCS for answers. We're available at (865) 273-1960.