Do you have at least 1 smartphone or tablet or laptop or computer in your business? If the answer is “yes” then you have an IT network. And, correspondingly, you also have network security vulnerabilities – no matter what your size and no matter what sector you operate in.
Do you feel uneasy or indeed worried about what could happen to that network? Do you feel intimidated about dealing with the vulnerabilities? If you can answer “no” to both of those questions – and do so from a humble, honest and informed perspective – then well done. But many businesses are on thin ice – whether they are aware of it or not.
As an example of what can go wrong let’s look at what happened to Home Depot – the American DIY provider. In late 2014 they announced that their network had suffered a serious breach earlier that year. The effects of the breach included 56 million customer credit card accounts being compromised. And if that wasn’t bad enough, nearly as many customer email addresses were stolen.
Home Depot’s Chairman at the time, in an interview with the Wall Street Journal, said “We believed we were doing things ahead of the industry. We thought we were well-positioned”.
They obviously weren’t – and the breach has cost them tens of millions of US dollars.
Ok, you might not be the same size as Home Depot and you might think that hackers would have no interest in your business. But you’d be wrong. Increasingly, SMEs are becoming the target of these attacks, and the attackers are not necessarily just interested in getting credit card details; they will happily take whatever they can for their benefit (online banking details, etc.). Furthermore, we’re seeing an increase in “ransomware”, where these individuals can encrypt the hard drive within a computer so you cannot access the data unless you pay a ransom to them. Last week, in such a case with a client of ours, the culprit wanted €3,000 to give us the unlock code. Thankfully we were able to avoid the payment and break the encryption!
So what can you do to bolster your network security?
What about internet access? Can your employees freely access any website? What about passwords – does access to your network require a strong password? Or do you use the same login password for almost every website that you log into? In a recent survey, 83% of people used the same password for more than one account online. Such habits are not good when it comes to security.
Imagine you have an enthusiastic employee who uploads some sensitive data to a 3rd party cloud app (OneDrive, Dropbox, Google Drive, etc.) with a view to downloading it from that same app later that night in order to do some extra work when they’re at home. Aren’t you lucky to have that dedication? That employee who’s taking ownership of a task to ensure its completion? And yet they’re exposing your network. It’s a balancing act for you – to facilitate your employees’ productivity while also retaining network security. Employees can be educated or even required by policy to follow certain procedures that will reduce the risk of them accidentally doing something that exposes your network to potential breaches. This educational and policy element of security is dealt with in more detail in this previous article.
The previous paragraph touched on how accidents by employees can happen. But in the real world disgruntled employees often become ex-employees and can sometimes have malevolent intent. As your employees leave your employment is their access to your network and computing devices being immediately removed? You need to ensure that they have zero access.
But perhaps you’re failing to do this – failing to close off their access. Perhaps it’s because you trust them absolutely. Or perhaps you’ve never even considered there to be a risk. Or it’s a task that you’ll “get around to”…
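One way to check that leavers really have zero access is to reconcile an HR leavers list against an export of accounts from each system. The script below is an added example, not something from the original article; the CSV layouts, account names and dates are constructed, and a real export would come from your own directory, VPN and cloud services.

```python
import csv
import io
from datetime import date

# Constructed sample data: an HR leavers export and an account export.
LEAVERS_CSV = """employee,last_day
a.murphy,2024-03-01
b.kelly,2024-03-15
c.walsh,2024-04-02
"""

ACCOUNTS_CSV = """account,owner,system,enabled,last_login
amurphy,a.murphy,directory,false,2024-02-29
amurphy-vpn,a.murphy,vpn,true,2024-03-04
bkelly,b.kelly,directory,true,2024-03-10
cwalsh,c.walsh,directory,false,2024-04-01
dryan,d.ryan,directory,true,2024-04-20
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit_leavers(leavers_csv, accounts_csv, today):
    """Return (account, system, finding) for leavers' accounts that are still usable."""
    last_day = {r["employee"]: date.fromisoformat(r["last_day"])
                for r in _rows(leavers_csv)}
    findings = []
    for acct in _rows(accounts_csv):
        left = last_day.get(acct["owner"])
        if left is None or left > today:
            continue  # current employee, or has not left yet
        enabled = acct["enabled"].strip().lower() == "true"
        login = date.fromisoformat(acct["last_login"]) if acct["last_login"] else None
        if login and login > left:
            # Someone used this account after the owner's last day: investigate.
            findings.append((acct["account"], acct["system"], "LOGIN_AFTER_DEPARTURE"))
        elif enabled:
            findings.append((acct["account"], acct["system"], "STILL_ENABLED"))
    return findings

if __name__ == "__main__":
    for finding in audit_leavers(LEAVERS_CSV, ACCOUNTS_CSV, date(2024, 4, 30)):
        print(finding)
```

Note that the secondary VPN account is caught even though the same person's main directory account was disabled, which is the usual way access survives an offboarding.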
In addition, basing your decisions on the probability of a risk event occurring may appear to have merit but it’s actually misguided. Of equal importance is the impact of its occurrence. Do not neglect something just because you think the chances of it occurring are very low. You must also consider the potential downside of it occurring. (By the same token you should of course not focus all your preventative measures on something that will have only a negligible impact.)
However, there are other risks to network security whether or not employees are trained, whether or not there are policies, and whether or not the employees are disgruntled. For example, are employees allowed access to parts of your network that have nothing to do with their day-to-day responsibilities? This is a very common vulnerability – particularly in a growing company where new employees typically tend to have increasingly specialised roles. The good news though is that you can put systems in place that restrict employees to those parts of your network that they need access to. It is also possible to have automated alarms triggered when someone attempts to access parts of the system that they are not permitted to access.
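The restriction and the alarm described above can be sketched as a role-to-share policy checked against a file-server access log. This is an added example, not code from the original article; the roles, users, share names, log format and alert threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed policy: the shares each role needs for day-to-day work.
ROLE_SHARES = {
    "sales": {"crm", "shared"},
    "accounts": {"finance", "payroll", "shared"},
    "it": {"crm", "finance", "payroll", "shared", "backups"},
}
USER_ROLE = {"aoife": "sales", "brian": "accounts", "ciara": "it"}

# Constructed access log, one event per line: timestamp user share action
LOG = """\
2024-05-02T09:01:12 aoife crm read
2024-05-02T09:03:40 aoife payroll read
2024-05-02T09:03:55 aoife payroll read
2024-05-02T09:04:10 aoife finance read
2024-05-02T09:10:00 brian payroll write
2024-05-02T09:12:31 ciara backups read
2024-05-02T09:15:02 guest shared read
"""

def evaluate(log_text, threshold=3):
    """Return (denied_events, alerts).

    An event is denied when the share is outside the user's role; users with
    no known role are denied everything. An alert fires once per user, at the
    moment that user reaches `threshold` denied attempts.
    """
    denied, alerts = [], []
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing at fields
        ts, user, share, _action = parts
        allowed = ROLE_SHARES.get(USER_ROLE.get(user), set())
        if share in allowed:
            continue
        denied.append((ts, user, share))
        counts[user] += 1
        if counts[user] == threshold:
            alerts.append((user, ts))
    return denied, alerts

if __name__ == "__main__":
    denied_events, raised = evaluate(LOG)
    print(len(denied_events), "denied;", "alerts:", raised)
```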
Let’s look now at your network itself. As a whole is it protected by a firewall? And then there are its constituent parts – workstations, printers, servers, routers, etc. They all have hardware and software. Are you keeping the devices patched in response to emerging vulnerabilities? Are they patchable at all? For example, Microsoft are notorious for progressively removing support for their older operating systems. You may recall the July 2015 removal of support for Windows Server 2003 – discussed in detail here. What did withdrawal of support mean? It meant that Microsoft stopped making any changes to protect against newly emerging security vulnerabilities. Anybody continuing to use Microsoft Windows Server 2003 after July 2015 now has a network security exposure that by definition will only increase over time – thereby increasing their server’s vulnerability to attack.
Finally, it’s of limited use for you to audit or do root-cause analysis of problems after the event. Of course you should examine what happened. But it’s obviously much better for you to take more preventative measures. That brings me back to Home Depot. Do you know what their vulnerability was? Think Trojan Horse and you’ve got it. More technically, it seems that they used an outside heating, ventilation and air conditioning (HVAC) engineering company – perhaps to do monitoring of atmospheric conditions in their stores. That outside company was hacked – so that when that outside company logged into the Home Depot network they opened up Home Depot’s network to the same hackers.
As Adam Meyer of SurfWatch Labs put it in discussing the Home Depot situation, “it would seem that measuring cyber risk was not a recurring effort from an operations resilience view”.
Is your network resilient?
At BITS we offer a full security audit service where we assess the potential threats to your network from both external and internal sources and offer a variety of network security solutions. If you would like more information on how BITS can help you please fill in the contact form or call us on 056-7786882.