Even if yours isn’t the largest corporation on the planet, the threats to cyber security are out there, they’re growing more advanced every day, they can’t be ignored, but they can be defended against with the right approach.
This is the perspective of Curtis Dukes, the executive vice president and general manager of the Security Best practices and Automation Group for the Center for internet Security (www.cisecurity.org), a non-profit group that advises companies as to best approaches for cyber security. Dukes is also the former deputy national manager for National Security Systems, a division of the National Security Agency, which handles classified information about military and intelligence activities.
Dukes, who noted that not a day goes by without news of foreign actors as well as criminal organizations developing malware to snag business information and secrets, or in worst-case scenarios, encrypt it and hold it hostage via ransomware, said that this can be avoided through knowing your environment, learning about the situation at hand and realizing that there will come a point when your business is attacked.
“I think if you have those three things to protect and prepare for the eventuality, I think you’ll actually be ahead of the game in that regard,” said Dukes. “I think size and scale matters. If you’re like a 20-person or less company, you might not be able to afford some of the cloud provider backup services. Then, you have to do a local backup (to an external hard drive). But, as you back up, make sure that that computer isn’t connected to the network. So, physically disconnect it when you back it up. … And that works.”
Dukes also said that some of the greatest unrealized threats come from social media as well as an increasing presence of internet-connected devices and overall extremely easy access to the internet, which are becoming more and more ubiquitous in our daily lives.
“For small and medium enterprises, I think the bigger risk is still around the social media platforms like LinkedIn, Facebook, Twitter, where trust relationships can be exploited and if you’re not careful, you can friend someone who’s really not a friend and that gives them the access point to potentially attack you,” said Dukes. “More and more, everything is internet-connected and that’s been a mixture of a greater use of Wi-Fi and greater penetration of internet service providers. … Our mini-components, now, are internet-connected, from thermostats to smart coffeepots to smart TVs, everything now is internet-facing and internet-connected and bad actors and adversaries are looking for an internet-accessible address to communicate with so they can download their telemetry.”
Where Dukes praised Apple, Google, and Microsoft’s recent work in keeping their security updated on the macOS, Windows, Android and iOS operating systems, he pointed out the weaknesses in legacy Windows operating systems. Dukes noted that there remains a large number of computers in the wild running vintage operating systems such as Windows XP, Windows Vista and Windows 7. Those computers are no longer being supported with security updates by Microsoft and presented easy targets for bad actors looking to manipulate or steal data.
“The bottom line is the biggest problem with Microsoft is around their legacy products and unfortunately, they don’t have a lot of control over that. Even though they ‘end-of-life’ products, users are still using those products and once they end support for that, it’s highly risky for them,” cautioned Dukes. “Microsoft is actually trying very, very hard, but they’re still hampered by a large install base using legacy products.”
Dukes recommends that if users or companies had been holding off, to make the jump to Windows 10 or Windows 10 Server, as Microsoft has offered a steadier stream of new builds for the operating systems, as opposed to large-scale service packs or entirely new versions of the operating system that need to be purchased and installed on their own.
As daunting as cyber security for a small or medium size enterprise might be, it isn’t impossible. Even if your company doesn’t have the resources that a large company may have and even if the information technology staff is also helping out with business development, they can be in good shape.
“Even if they’re spending $50 a month on security, they’re better than most,” said Dukes, who advocated that this amount could still secure good advice and a good plan from non-profit security outfits like CIS. “Everything I’ve talked about is freely downloadable from our web site and they just basically have to download it and that’s it.”
3 simple tips for cyber security
Curtis Dukes, the executive vice president and general manager of the Security Best practices and Automation Group for the Center for internet Security, suggests small and mid-sized businesses keep this in mind when planning a cyber security strategy.
Know your environment: “That means to know what hardware and software actually has access to your enterprise. You need to protect those assets and … base it off a secure baseline. We believe strongly in our CIS benchmarks.” (https://www.cisecurity.org/cis-benchmarks/)
Education: “There’s also an education piece and it’s not only for small businesses, it’s also for home users. I mean, … constant education as to what the threat is and how they’re attempting to exploit your networks.”
Realize there’s a threat: “Don’t think you’re not going to be attacked. You are, so you always have to be prepared. … Depending on what your business cadence is, either daily or weekly backups of your important data. Equally important, have an instant response plan.”