Today’s security landscape consistently shows data breaches, compliance failures and other security weaknesses for businesses of all sizes.

Hackers make headlines every day and consumers have started to care about online crime because it’s a reality, and no company or individual is immune.

So why, then, do some executives continue to be in denial about the state of their company’s cyber security? Let’s outline and debunk a few fatal flaws in their thinking:

“Sophisticated hackers don’t care about us.”

No business is too small for cyber thieves. In fact, according to the 2018 Verizon Data Breach Investigations Report (DBIR), 58% of victims in 2017 were categorized as small businesses.

The idea that only the big guys like Hyatt, Hilton and Home Depot are being targeted is obsolete: hackers see that SMBs are lackadaisical about their security, which makes them easy targets. They also use SMBs as a way into larger, more lucrative companies.

“Some level of breach is inevitable.”

As devices and technologies continue to evolve, so do cyber threats. More devices, more data, more network traffic means more insecurity. And shortages in savvy security talent are not helping.

While it’s accurate to say that most businesses today, no matter the size, have been or will be targeted by online criminals, some executives think it’s simply the cost of doing business online. Thinking that security measures will never stack up is a lazy mentality, and one that will likely cost someone his business eventually.

“We can recover.”

Eighty percent of top execs don’t equate compromised confidential data with the loss of revenues. Reality check: The average cost of a data breach is $3.62 million globally, or $141 per data record, according to the Ponemon Institute. That is a reduction in the average cost compared to 2016, but the average size of data breaches has increased. That is no small fee, especially for an SMB.

“Cybersecurity is too costly.”

There’s a perception that securing data is both expensive and challenging, possibly causing a barrier to business operations. This is no longer the case. As outlined in the numbers above, prevention is cheaper than clean-up.

However, there are steps you can take to save, such as taking a look at your existing security portfolios: Are your current tools already failing you? Are they suited to the current security environment? Can those dollars simply be moved into what attackers are currently after, which is data?

If the cost issue is around staffing, consider whether your in-house team is savvy enough to keep the business up to speed. And, if not, or if they need guidance, consider working with a third-party managed security provider to assist.

IT teams will need to take the lead in educating senior leadership about preventative planning and security measures to address vulnerabilities and manage risk. If this doesn’t happen, businesses will begin to crumble. By working with top managed security service providers, internal IT teams can begin a concentrated effort to maximize their IT systems and processes.

Everyone enjoys a great employee horror story or two. In the last 20 years of working in the field of Information Technology and Cyber Security, I have watched firsthand as many untrained employees have done things to jeopardize their company’s cyber security.

When it comes to the security and protection of your network, there is only so much that can be done from a cyber security standpoint. Employees play a key role in helping to protect your corporate network and, if not properly trained, can contribute to the majority of your breaches and loss of data. Educating them on the proper procedures and standards is paramount to ensuring your network information stays safe and secure.

Our story today shows what happens when an employee at a local insurance company is not aware that their actions may cause a severe data breach.

The Story

We see it every day on the news: Lowe’s, Target, Home Depot and Sony, to name a few. Companies are getting hacked daily, resulting in the loss of income, privacy breaches, stolen credit card information and tainted reputations. The demand on the internet black market for private information is huge, with large financial gains for anyone able to provide this type of information.

A long-term employee (we will call him John) of a local insurance agent was sitting outside, eating his lunch one day. It was a typical day for John; as he was just finishing up his lunch, he happened to see a USB flash key sitting on the ground next to the trashcan. Picking up the key, he thought nothing about what could be on the key or how it came to be there.

Later in the day, John remembered that he had found the key and was curious to see what was on it. Inserting it into his system, John was surprised and maybe a little too happy to find that the drive was empty. Taking the drive out of his machine, he threw it into a desk drawer to be forgotten.

This sounds like a rather boring example of a guy finding a USB drive and discovering it was “empty.” It was just that kind of tale until roughly ten days later, when something quite serious was happening in our secure operations center.

One of our Senior Analysts started to get alerts that the insurance client’s network was being accessed from an out-of-country computer system repeatedly. The attack took the form of a large number of failed network login attempts. This type of alert was indicative of a system breach and demanded our immediate attention. Our Senior Analyst was able to send out an alert to the customer, and we dispatched a Senior Engineer to the site. After comparing system monitoring reports with some “old fashioned detective work” by our Senior Engineer, we were able to determine the source of the intrusion … it came from malware placed on a USB key, discovered “accidentally” by an employee.

Hackers had planted the USB key, loaded with malware, where it was found, hoping someone would come along and pick it up. Thankfully the insurance company had our monitoring and intrusion detection software in place, and were able to quickly respond to the threat. Several hours later, we were able to remove the malware and secure the network from the external breach attempt. Our Senior Engineer then took a few moments to speak to the operations head at the insurance company and explain what had caused the breach.

Be aware of any USB keys you cannot identify.

The unsuspecting employee who triggered the breach learned two valuable lessons:

  1. Never pick up stray USB keys off the street and insert them directly into a system without some sort of protection in place to prevent malware installation.
  2. Hackers will rely on a combination of human nature and sophisticated malware to breach corporations to access proprietary data.

What is the moral of the story?

IT Cyber Security is an important part of your company’s daily operations, and having a lax security system can result in a breach that could financially impact your company. Hackers are getting smarter, using methods that take advantage of human behavior and typical business rules. The only way to prevent suffering from a data breach is to have a layered approach (monitoring, reporting, and analysis) to dealing with intrusion attempts.

It’s no secret that today’s cyber security breaches are happening with unprecedented sophistication and boldness. Just last month, the FBI issued an alert that everyone should reboot their routers in order to prevent a compromise that may have affected hundreds of thousands of home and office routers and other network devices. In more mundane cyber news, MyFitnessPal was breached, exposing the private data of 150 million app users. Even Mark Zuckerberg, the undisputed king of social media, had his Twitter and Pinterest accounts hacked. It seems no one, from high-level Democratic movers and shakers to those simply parking to go to work, is safe from the threat of a security breach.

When will it end? The answer, sadly, is not any time soon. Black market users are willing to pay handsomely for sensitive personal information. As long as the opportunity exists to make money, intelligent and determined hackers will continue to exploit poor security practices to get at the content they want. Barbarians? Not by a long shot. The skill, expertise and motivation of elite hackers should not be underestimated.

Expect the problem to get worse. Hackers pride themselves on staying a step ahead in tenacity and intelligence, treating each successful hack as a badge of honor. As we take more advantage of the benefits that connectivity provides, we create more opportunity for the hacking community to get at our private information. According to Cisco, 2016 was the year when more devices would be connected to the Internet than people. This burgeoning Internet-of-Things revolution will dramatically increase the potential attack surface of any given network: if you have more doors, that’s just more chances to find a way in. Simply put, the more things you hang off your Internet, the more opportunity you provide for a breach.

What to do? Go off the grid? Not so fast. Today’s online experience is already transformational compared to life just a few years ago. Could you imagine giving up the convenience and availability provided by your business or personal network? Improvements in user experience, network reliability and speed, and content availability and quality have brought online experiences far beyond indispensable. And yes, despite the growing number of breaches, there have been major strides made in network security.

In reality, the benefits afforded by the IoT revolution in terms of lifestyle, safety, and efficiency far outweigh the drawbacks. So don’t expect IoT to go away anytime soon.

Two years ago, I wrote the first iteration of Barbarians at the Gate; you can still find it on medium.com at https://medium.com/@gmatt.johnson/barbarians-at-the-gate-11b324a04459. Unfortunately, the Barbarians, amongst others, are still at the gate, and it does appear that they are setting up for a long-term siege of your business. The year 2020 has seen its share of high-impact security breaches, ranging from Twitter to a small Managed Service Provider that Ironclad Cyber Security worked on a few months ago.

The first quarter of 2020 has shaped up to be one of the worst quarters in history, with an estimated 8 billion records exposed. These records consisted of credit cards, home addresses, phone numbers, and other personal and sensitive information. Exposure of this information not only compromises your privacy but could easily put your company at risk of lawsuits and other regulatory actions.

Are there really barbarians at your gate?

The answer to this question is based on how you define a barbarian. Wikipedia defines a barbarian as a human who is perceived to be either uncivilized or primitive. By this definition, we would assume that hacking is uncivilized and primitive with no real sophistication.

In contrast, hacking attacks portrayed in the media are often perceived as sophisticated, elaborate, and multi-layered. The key to that portrayal, as stated by Chris Scott of IBM’s X-Force IRIS incident response team, is that “No one is going to say they were breached by average hackers.”

Are there barbarians? Sure there are: unsophisticated attacks happen all the time. Often these barbarians rely on persistence instead of sophistication to attack your business. Think of a kid with a laptop attempting to log in to your network continuously. Given enough time and attempts, they will eventually gain access to your most data and resources.

On the reverse side, the skill, expertise, and motivation of elite hackers should not be underestimated. Elite hackers often use layered attacks and strategies to gain access to your business. These hackers often work in groups or can even be state-sponsored. These groups often target specific types of business or information to gain the most valuable data.

When will it end?

The real answer, sadly, is that it will never end. Ransomware, phishing attacks, and other hacks may change the type of attack, but the basic idea of persons or organizations attempting to access your business information will not end. If black-market users and criminal organizations are willing to pay handsomely for sensitive personal information, there will always be those who seek to gain access to that information.

What can I do in this ever-changing world of barbarians and non-barbarians?

Often good cybersecurity is less about keeping attackers out 100% than about keeping them out long enough that they realize your system is not worth their time. At Ironclad Cyber Security we always recommend a layered approach (think of an onion: you peel off one layer and there is another) to your cybersecurity strategy, which can be built by Ironclad Cyber Security and our team of security consultants.

Ironclad Cyber Security can assist in developing your cybersecurity strategy today to create a layered approach to protecting your assets. The Ironclad Cyber Security layered approach starts with our Pulse Network and Asset monitoring service that allows our SOC team to monitor your network and assets for security events and incidents. Ironclad Cyber Security combines this service with our professional security consulting and security endpoint monitoring products to create your layered cybersecurity platform.