When it comes to cybersecurity, companies sometimes fall into the trap of having a limited perspective. They think only of protecting their systems and data, without thinking through what they have of value and why someone might want to steal it. The best defense is to think about good offense. So, flip your perspective, and consider why and how a hacker might target you.
Here are eight questions to ask regularly:
1. What are all of the different ways that data could walk out the door? Think about how you would steal data from your organization, and document the scenarios to see how they match up with your defenses. Could a disgruntled employee download sensitive data to their laptop or walk out with a thumb drive? According to Verizon’s 2019 Data Breach Investigations Report, 34 percent of data breaches involve “internal actors.”
2. Have you conducted employee training within the last six months? Best practices need to be constantly reinforced. Even the most conscientious employees can be tricked into clicking on an attachment. Email account compromises rose significantly last year. The FBI’s Internet Crime Complaint Center reported a 25 percent increase in such incidents in the United States last year, with losses totaling $1.3 billion.[1] According to the Verizon report, 32 percent of all breaches involved phishing and 33 percent involved social media. And there are always new wrinkles. Users are more susceptible to attacks via mobile devices, according to Verizon.
3. When was the last time you patched and updated systems and applications? Hackers routinely exploit known vulnerabilities. The 2017 Equifax breach, which exposed the personal information of 147 million people, was the consequence of unpatched systems. Attackers entered its systems through a web-application vulnerability for which a patch had been available two months earlier.
4. Do you back up data monthly (or, better, weekly) and store it in a secure, non-networked location? If not, you’re a sitting duck for a ransomware attack, a category that more than doubled in the first quarter of this year.[2]
5. When was your last penetration test? Have you hired someone to perform a red-team attack? Red teams are independent consultants who think and act like attackers. They are “good guys” who are experts in the techniques of the “bad guys.” They probe your systems as hackers would and conduct simulated attacks on your network.
6. What did you do with the results? Did you follow through to fix the most dangerous vulnerabilities? One of the most common problems we see, especially at small and midsized businesses, is lack of time to follow up on fixing security issues. It’s not unusual for a company to pay for a test, learn they have serious problems, then fail to act to solve them simply because of a lack of manpower.
7. Have you started to collect new types of data that might be particularly attractive to hackers or covered by regulation? Growing businesses enter new vertical industries and expand their geographic reach. Are you doing business with new financial institutions or medical facilities? Both could involve new requirements. Do you have customers in new regions of the United States? More and more states are passing their own data privacy regulations.
8. Are you in sensitive contract or M&A negotiations? Hackers do their own due diligence to find and target companies that are holding sensitive financial or customer data. Attacks on law firms have risen, for example, as hackers target information about planned mergers and acquisitions. Such “insider information” can be used (illegally) to make profitable trades in advance of the sale of a company.
If you can flip your perspective, you’re likely to discover you’ve got more valuable data, and more ways for it to be stolen, than you imagined. If you’d like to hire some good guys to act like bad guys to help you find those holes, visit us at www.btbsecurity.com.