The simple answer? Hacking won’t stop. To paraphrase Willie Sutton, bank robber, “That’s where the money is.”
PBS, Sony, Lockheed, Amazon, IMF, US Senate, etc., all announced in 2011 that their systems were hacked. Security specialists are now calling 2011 the year of the hacker. Weak SecurID tokens, malware, password attacks, etc., have all been used. Foreign governments, terrorists, drug cartels and a “hacking collective” called Lulz Security have been accused. Recently, the DOD announced that cyber attacks can now be regarded as a military attack with the recourse being military ordnance.
So who is at fault? Well, there is enough finger pointing to go around.
- Software developers: Security has never been a key concern when releasing new operating systems and applications. Just look at all the holes in Microsoft Windows; even after all the patches, security is still a very real concern. And a December 2010 Ponemon Institute report states that cloud computing providers do not view security as one of their most important responsibilities. How can this be?
- Silicon chip manufacturers: More needs to be done to protect the back doors into microprocessors – the brains of a computer.
- IT Specialists: They have been burdening users with so many barriers to try to protect the data that they actually wind up making their systems less secure. Fact: People always circumvent security for convenience. Companies have been known to turn a blind eye to sloppy security if it means higher short-term profits.
- Companies: As with most things, it is all too easy to believe that a hack “will never happen to me.” Another commonly heard excuse for poor security practices is, “The cost of security is too high and no ROI can be tied to it.” Or this little gem: “I’m too small of a business for anyone to target.” Remember, denial is not a river in Egypt.
- Users: Sadly, most of the security breaches are due to sheer carelessness: sloppy passwords and password management, clicking on email attachments, storing data in insecure places (think yellow sticky note in an unlocked drawer), not encrypting data, etc. In fact, InfoWorld writer Ted Sampson reports that, in the case of the Lockheed hack, end-user ignorance was the critical security issue.
So what is a company to do? Well, we know that the hackers are not going away, so start improving your defenses.
Here are 5 key areas where you can make immediate improvements in your online security.
- Train your employees on security. Make them part of the solution and not part of the problem. Make security personal to them by ensuring that they understand that if your company is hit with a massive lawsuit because of sloppy employee password security, their livelihood is very much on the line. Without proper security there is no company; no company means no jobs; and no jobs means no paycheck.
- Add security technologies. Besides anti-virus and firewalls, be sure that company computers have attachment blockers, multi-factor password authentication, automatic data storage encryption, etc.
- Keep all software up to date. Even if you’re a small business, this is important because the software developers broadcast their own weaknesses when they release patches. For example, Microsoft of necessity will tell the world what their latest patch fixes, so cyber-criminals know what to target on those computers that don’t update.
- Before security is deployed, think about the experience from your users’ perspective. Security that is not used is no security at all. You need to be sure that your employees will actually understand the need for the security and that they will USE it. If not, your company can be in danger.
- Set up Google alerts. Follow a few security groups just to keep abreast of the latest threats. Ignorance is not a defense!
Most business hackers are interested in getting the most information for the least amount of effort. So if you place enough barriers and roadblocks in their way, cyber-criminals will move on and target weaker companies. Online security needs to be made a key focus of every business.