Your Biggest Cyber Security Questions Answered
One of the biggest mistakes a company can make is believing that it is not at risk of a cyber-attack. The decision to implement or strengthen cyber security at a company can be pivotal to its success and save millions. It is vital that you are well-informed about the topics and techniques circulating in this industry. Here are a few common questions that people have about cyber security and their company:
My company is not a well-known brand and doesn’t collect a lot of “sensitive” data like credit card information. I’m not a target, am I?
The market for stolen data follows the general economic principle of supply and demand. Because so many stolen credit card numbers are available, some studies show that they fetch $1 or less per number. On the other hand, identity-theft kits, packages of personal identity information such as name, address, date of birth, and Social Security number, can fetch hundreds of dollars each. Every organization holds data that an attacker can use to assemble such kits: employee information in HR records, customer information in customer databases. This is the type of data attackers are after, because they typically get more for their effort.
In many cases, however, attackers may not really care what kind of data you have. If you have any data that your business relies on, you are a target. Take ransomware such as CryptoLocker. If a user clicks on a link and downloads ransomware, it will start encrypting data not only on their machine but on every shared network drive that user has write access to. At that point the attackers have taken your data hostage and will demand that you pay a ransom. In these cases it does not matter what the data is or whether you are a name brand. The data may not be valuable on the open market, but it can be vital to your business. Attackers know that the lifeblood of most organizations in this digital age is information. If you have information, you are a target, period.
If I have a good spam filter, I’m protected from phishing emails, right?
Spam filters are an important part of the controls against phishing. It is important to note, however, that many filters are signature based, and they are only as good as the signatures available to them. Attackers routinely craft phishing emails that circumvent existing signatures. This is why a layered, defense-in-depth approach is so critical. In addition to well-configured and updated spam filters, you should consider other controls such as time-of-click URL analysis, malware sandboxing, link verification, and command-and-control callback blocking. Email authentication standards such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) are also important: they let receiving mail servers detect and reject mail that spoofs your own domain. Two caveats apply: they do nothing against a lookalike domain the attacker registers, and DMARC only enforces anything when its policy is set to quarantine or reject rather than none.
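The difference between a published record and an enforcing one is easy to miss, so the following script, an added example that is not part of the original article, parses SPF and DMARC TXT records and reports the settings that leave a domain spoofable. The records are constructed for illustration and use reserved `.test` names; in practice you would fetch the TXT records for your domain and for `_dmarc.<your domain>` with a DNS lookup and feed them to `assess()`.

```python
"""Grade SPF and DMARC records for enforcement weaknesses (added example)."""
import re

# Constructed sample records; these are not real domains.
WEAK_SPF = "v=spf1 include:_spf.example-mailer.test ~all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example-mailer.test -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100"

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"(include:|a\b|mx\b|ptr|exists:|redirect=)", re.IGNORECASE)


def parse_spf(record):
    """Return (mechanisms, all_qualifier) or None if the record is not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            all_qualifier = m.group(1) or "+"   # bare "all" means +all (pass)
        else:
            mechanisms.append(term)
    return mechanisms, all_qualifier


def spf_findings(record):
    """List the ways an SPF record fails to restrict who may send as the domain."""
    parsed = parse_spf(record)
    if parsed is None:
        return ["no valid SPF record (v=spf1 missing)"]
    mechanisms, qualifier = parsed
    findings = []
    if qualifier is None or qualifier == "+":
        findings.append("SPF has no restrictive 'all' term: any host may send")
    elif qualifier == "~":
        findings.append("SPF uses softfail (~all): unauthorized mail is flagged, not rejected")
    elif qualifier == "?":
        findings.append("SPF uses neutral (?all): no assertion about unlisted senders")
    lookups = sum(1 for m in mechanisms if LOOKUP_TERM.match(m.lstrip("+-~?")))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; RFC 7208 limit is 10 (permerror)")
    return findings


def parse_dmarc(record):
    """Return a dict of DMARC tags or None if the record is not DMARC."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def dmarc_findings(record):
    """List the ways a DMARC record fails to enforce against spoofing."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["no valid DMARC record (v=DMARC1 missing)"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail goes to spam rather than being rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100 and policy != "none":
        findings.append(f"DMARC pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you get no aggregate reports on who spoofs your domain")
    return findings


def assess(spf_record, dmarc_record):
    """Combined findings; an empty list means both records are enforcing."""
    return spf_findings(spf_record) + dmarc_findings(dmarc_record)


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, assess(spf, dmarc) or ["enforcing"])
```

Run against the constructed "weak" pair, the script flags `~all` and `p=none`; the "strong" pair passes clean. The check is deliberately limited to your own domain's records: a well-formed SPF and a `p=reject` DMARC stop exact-domain spoofing, but they say nothing about a phishing mail sent from a lookalike domain the attacker controls, which is why the other layers above still matter.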
However, the most important control to consider is the human element. We recommend that you test your users’ susceptibility to phishing emails through social engineering assessments and provide cyber security awareness education on a regular basis as threats evolve and change to circumvent your defenses.
My organization hasn’t invested much toward cyber security and I’m concerned. How do I start?
If you recognize that your organization's security posture is weak, the first place to start is a comprehensive security assessment. The assessment should look at the current state of the administrative, operational, and technical controls protecting your assets. Its results give your business decision makers insight into your true risk, as well as where to start mounting your defense, because it is not a question of if you will be attacked but of when.
A well-designed security assessment should include a review of security operations, security architecture, and policies and procedures; social engineering and phishing testing; internal and external network vulnerability assessment; and application vulnerability assessment. We also recommend including penetration testing as part of the assessment to see what an attacker could actually do by exploiting the uncovered vulnerabilities. Performed correctly, penetration testing is a great way to show business decision makers the real-world risks the organization faces. The assessment report should be comprehensive, easy to understand, and provide actionable recommendations and a roadmap for improving your security posture.
These questions just scratch the surface of what you need to know when making the right choice for your company's cyber security needs. We invite you to attend one of our upcoming events or contact us to dive deeper into one of the most talked-about topics in today's business world.