There are two types of companies: those that have discovered security breaches and those that don't yet know they've been breached.
Most of us hadn’t even had time to violate our New Year’s resolutions when, three days into 2018, the bombshell news broke of a major security flaw found inside Intel processors, affecting millions of computers. As CEO of a software solutions company supplying corporations and government agencies alike with on-premises and cloud-based solutions, I took notice.
Four independent research organizations had just revealed that 100 percent of my clients faced a new security risk. And the bad news was that such risks had become the new normal.
On one hand, this Intel security flaw could be considered a demonstration of thebenefits of cloud computing. Specifically, our cloud service provider had already been aware of the Meltdown and Spectre flaws and was prepared with a fix. And, the implementation of that fix, throughout our four cloud instances serving thousands of customers worldwide, was completed within 48 hours, and with no down time.
Protecting this many individual customers so quickly and completely would have been impossible had the servers been on site.
But the Meltdown and Spectre flaws remind us that security threats can emerge from unexpected places and that they can have far-reaching impact. Hackers and data thieves are adept at finding creative entry points within the expanded attack surface that our digital world creates. So, while special training, data encryption, multifactor authentication and strong passwords have become a priority these days, risks persist.
And organizations may still be overlooking key weak points in their network. The reality, then, is that there are two types of companies: those that have discovered security breaches and those that don't yet know they’ve been breached.
Why protecting your data is so critical
A data breach can cause you to lose your customers’ trust. According to a study by Gemalto, 66 percent of consumers surveyed said they wouldn’t do businesswith a company that had had sensitive information exposed due to a data breach. After all, the costs of such a breach can be extraordinary, as the recent Equifax cyberheist demonstrsated. But that’s not the only problem.
The other problem is that, just as they are finding unique ways to steal data, hackers are also finding ways to use it against business owners. If your competitors get their hands on your stolen data, or if hackers hold it for ransom, you can lose valuable proprietary information. This was demonstrated by the Sony Pictures attack in 2014 and the more recent WannaCry ransomware virus. So, there is a strong business case for improving every aspect of network security.
Of course, the threat isn't limited to large enterprises. Entrepreneurs and business owners can learn a lesson in security from patent trolls. Medium-sized businesses are the ideal target: They’re big enough to be worth the effort, yet small enough to lack the resources to protect their patents and to fight flimsy but effective infringement lawsuits. Security follows the same pattern.
Three attack vectors that are often overlooked
Some aspects of network and data security receive more attention than others, such as mobile and internet of things devices, making it easier for hackers to gain access through lesser-known avenues.
Here are three attack vectors you probably haven't considered, along with ways to mitigate the risks they pose.
1. Monitor your company’s social media accounts.
Every organization should be vigilant about protecting its brand’s social media presence. A study by Proofpoint revealed that social media phishing scams increased by 150 percent in 2016, making them the fastest-growing active threat to social media accounts.
In one high-profile example, Russian hackers breached the computer of a Pentagon official through a tweet about a vacation package from a robot account. Hackers use social media because employees, while often trained to watch for suspicious emails, aren’t as cautious about social media activity.
That's why you should always be on the lookout for fake accounts; and why, if you find one, you should report it immediately. Consider writing a post or tweet to alert customers and contacts. This will help establish your business as a trustworthy company that prioritizes security. Also, limit the number of people with publishing rights on your official social media channels, just as you do with server admin rights.
2. Secure your printers, the forgotten entry point.
Data-loss prevention solutions put a digital wrapper around a business, but paper can sometimes escape that wrapper. Office printers are not only potential sources of data loss and confidentiality issues, but attack vectors that hackers can exploit.
Last year, for example, a hacker called “Weev” accessed “every publicly accessible printer in North America,” including those on several college campuses, and printed anti-Semitic and racist fliers, the New York Times reported. The exploit was possible because many printers ship ready to “plug and play”; this makes them easy to integrate into a network, but they’re not secure. Modern printers are essentially advanced, specialized network hosts, and as such, they should be given the same level of security attention as traditional computers.
Lock down all network printers by using firewalls, changing their default passwords and disabling any unnecessary protocols. Also, be sure to keep up with firmware updates when manufacturers discover and report security flaws. Check back regularly to ensure that any “hard resets” haven't reintroduced open ports and default passwords.
Finally, implement secure pull-printing technology. In a secure pull-printing environment, employees print to a secure queue and then use their ID card or log-in credentials to release (or “pull”) their documents at any network printer. The old way is to send print jobs directly to a specific printer for immediate output,but that introduces risk.
How many “confidential” documents have you seen left unattended near a shared printer at work? There’s too much at stake to allow documents to be printed and then forgotten. Don’t let sensitive information fall into the wrong hands: Secure your printing workflows.
3. Educate your employees -- continually.
Protecting against data breaches isn’t just your IT department’s concern. Employees pose both the biggest risk and the best defense. Train all employees about security risks and best practices, and empower security staff to make decisions to improve your IT infrastructure. Educating employees about the massive damage a data breach can inflict should convince them to take their role in company-wide security efforts seriously.
You can also work with security services to test employees with fake phishing attempts. Verizon’s 2017 Data Breach Investigations report showed that employees studied opened approximately 30 percent of phishing emails, even after they had been warned about them. Showing how many employees opened even a fakephishing attempt can prove that the company is susceptible to an attack if employees aren’t vigilant.
Training should entail more than bulletins or informational emails. Make every department aware that security is a top priority, and make sure everyone understands the company’s security policies. As the world continues to progress toward an even more digital society, choosing not to prioritize security in all its many facets is risky business. You don’t want to lose your customers’ trust or let valuable information fall into the wrong hands.