Many companies do not have adequate cybersecurity protection on their websites and systems. Why? Here are some common misconceptions.
It won’t happen to us
While some attacks are targeted at particular companies, the overwhelming majority of attacks are targets of opportunity. That means that you are just as likely to be attacked as a Fortune 500 company. Realistically, smaller firms are an easier target because they do not have robust cybersecurity programs.
We don’t need to do monitoring
Marriott is the poster child for what happens if you don’t have adequate monitoring in place. That mistake, possibly combined with the mistake above, allowed hackers to roam freely inside Marriott-Starwood’s customer information for FOUR YEARS before being detected. You have to monitor. Everything. All the time.
Not implementing the basics
One of the biggest breaches in U.S. history, Equifax, happened because they didn’t patch a known vulnerability in one of their servers. Equifax also used a user ID of Admin and a password of Admin for one of their servers. Implement the basics.
Failing to inventory where data is located
If you don’t know where it is, you can’t protect it. You have to know where your data comes from, where it goes and how it gets there. That documentation must be kept current as well. Once you have it, you have to study it to figure out where the weaknesses are.
Not testing the security
Assuming that things are secure is a big mistake. We work with white hat (good guy) hackers. Often it takes them 5-10 minutes to break into their targets. This includes physical intrusions as well as cyber intrusions.
One of the most important and least practiced kinds of testing is testing the applications that a company’s own software development teams create.
Not making cybersecurity training mandatory and often
Users are the most common source of cyber compromises. Many companies still do training once a year. Annual training is not very effective because people forget really quickly. Train early and train often.
Not addressing the risk from your vendors
Vendors represent a huge risk to most companies. A few really famous vendor-induced breaches include Target, Home Depot and the Office of Personnel Management. There are many more, and many that are never disclosed. Many of the recent retail point-of-sale breaches were the result of bad security on the part of vendors. Maybe you can sue your vendors to recover your losses. Maybe not. If you do sue, expect not to see a dime, even if you win, for years. And your customers don’t care if one of your vendors caused the breach. It is still your fault.
While just doing the basics won’t make you bulletproof, it will make you a harder target, and hopefully the bad guys will go elsewhere.
Information for this post came from Compliance and Ethics.