From experience I can say that the most destructive disasters come when you aren’t expecting them. Before we were able to understand weather patterns, big storms or hurricanes took us by surprise. With little preparation, no one was able to evacuate, protect their homes, or mitigate effects. In many cases, some of the worst natural disasters occurred because we either did not think anything that bad could ever happen or we simply had not taken precautions to confront such possibilities.
While cybersecurity by no means requires the same steps of preparation as a hurricane, cyberattacks can have an equal if not greater impact on our businesses if we’re not careful. And as with many natural disasters, many of us aren’t prepared or even thinking about preparedness until it’s too late—until the last loaf of bread or gallon of milk is being fought over in the barren store during the blizzard.
The reality of cybercrime is that we don’t understand it like we might a hurricane. Many of us don’t know the terminology—because it frankly isn’t in our vernacular. We don’t know the equivalents of boarding up our windows, making sure our generators are working, and evacuating if conditions require it.
The reality of cybersecurity is that our preparedness depends completely on a few “experts”—people we put our faith in and trust with our businesses to protect our data, our clients, our staff and our livelihoods. And the big problem in doing this is that a lot of the time we don’t really understand why. Why are we doing this? What risk are we taking by not doing anything? What are the consequences? Can I really trust the people protecting my network?
Let me give you a little history on network security
In the good old days, security was relatively simple. We were mainly concerned with keeping track of laptops and desktops assigned to your employees. And we wanted to make sure they were using those machines to get their work done. Servers were locked up and behind some firewall. Check the box. Your security was complete. There was no worry about other things affecting your network because those other vulnerabilities did not exist. They weren’t exploited and they certainly did not affect your business continuity.
As technology became more agile—more flexible for your modern workplace, your security risks started to increase. Remote workers accessing your network from dispersed locations. Devices coming on and off the network could carry malicious code with them. Email scams and attacks injecting code onto user machines. All sorts of devices moving around, some of which may now be critical pieces of your IT infrastructure. Too many devices to count or even track (especially to track vulnerabilities).
The modern workplace has become one that inherently has more security risks. Even if you haven’t changed much in your technology stack over the last 5 years, criminals have been hunting for ways to compromise your networks. You see, big technology companies regularly disclose vulnerabilities in their platforms. The older your platform, the more identified vulnerabilities you have. Simply not changing your technology does not make you safer (it actually puts you at greater risk).
Can’t you just build a higher fence?
Unlike more traditional security, where building a taller fence or thicker wall could nearly eliminate the chances of a criminal physically penetrating your office, barriers in cybersecurity are much easier to penetrate because technology has bugs and many of those bugs are security risks. Builders know how to make a strong wall—they’ve been building walls to defend against intrusions for millennia.
But firewalls? Those were invented in the 90s. A smart firewall can make a difference in protecting your business from malicious hackers, but only if it is configured correctly and is part of a bigger security strategy.
Good first steps to make sure your wall is impenetrable?
Conduct an inventory of all of your devices and systems. Make sure you know what you have to look into. By maintaining an inventory list, you will be able to better maintain all the devices on your network.
Monitor those devices for security vulnerabilities. Hardware and software companies are constantly looking for defects in their products. Many release software updates monthly, quarterly, or at least semi-frequently. Make sure your team is tracking any updates, applying those updates and testing them to ensure you are not letting any holes go unplugged in your network. Believe me, hackers look for the easy ways into your network first, and they won’t reach for the technology equivalent of a battering ram if they don’t have to.
Monitor your network for suspicious activity. Cybercriminals shouldn’t know the ins and outs of your network the way your security team does. Most often, they are sending out bots or searching in the dark for signs of how large your network is. They will likely try to ping devices on your network to figure out its scope (and how large a payday to expect when they initiate an attack). If your security team is monitoring your network, they will know when something like this is happening and can nip any malicious traffic in the bud before you confront a serious breach or attack.
Pay attention to data that should be encrypted. Many criminals are looking for incriminating data on your network to hold for ransom or extort in some way, shape, or form. By ensuring sensitive data is encrypted, you make it nearly impossible for them to crack or decode it. More often than not, they’d rather find another network that is easier to exploit than waste valuable time and resources on yours.
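As an added example (not from the original article), the inventory and network-monitoring steps above can be expressed in Python: compare the devices seen in a traffic log against the inventory, and flag any source that pings many hosts within a short window. The log format, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory (IP -> device); a real one would come from your asset list.
INVENTORY = {"10.0.0.1": "gateway", "10.0.0.2": "file server",
             "10.0.0.15": "laptop", "10.0.0.20": "desktop", "10.0.0.30": "printer"}
# Constructed traffic log: timestamp source destination protocol
# (assumption: "icmp" records are ping requests)
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.15 10.0.0.1 icmp
2024-05-01T09:01:00 10.0.0.99 10.0.0.1 icmp
2024-05-01T09:01:01 10.0.0.99 10.0.0.2 icmp
2024-05-01T09:01:02 10.0.0.99 10.0.0.15 icmp
2024-05-01T09:01:03 10.0.0.99 10.0.0.20 icmp
2024-05-01T09:01:04 10.0.0.99 10.0.0.30 icmp
2024-05-01T09:02:00 10.0.0.20 10.0.0.2 tcp
2024-05-01T09:05:00 10.0.0.20 10.0.0.1 icmp
2024-05-01T09:15:00 10.0.0.20 10.0.0.15 icmp
"""

def parse(log):
    """Yield (time, source, destination, protocol) for each log line."""
    for line in log.strip().splitlines():
        ts, src, dst, proto = line.split()
        yield datetime.fromisoformat(ts), src, dst, proto

def unknown_devices(log, inventory):
    """Devices sending traffic on the network that the inventory does not list."""
    return sorted({src for _, src, _, _ in parse(log) if src not in inventory})

def ping_sweepers(log, min_targets=5, window=timedelta(seconds=60)):
    """Map each source that pinged min_targets or more hosts within window to that count."""
    pings = defaultdict(list)
    for ts, src, dst, proto in parse(log):
        if proto == "icmp":
            pings[src].append((ts, dst))
    flagged = {}
    for src, events in pings.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged

if __name__ == "__main__":
    print(unknown_devices(SAMPLE_LOG, INVENTORY), ping_sweepers(SAMPLE_LOG))
```

The desktop at 10.0.0.20 also pings two hosts, but ten minutes apart, so it stays below the threshold; only the unlisted device is reported by both checks.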
One final message: you cannot protect against what you cannot see.
If you and your security team cannot identify your weaknesses, you will be none the wiser when attacked or breached. Modern IT networks are difficult to navigate, not to mention protect. Your biggest concern with data security should be visibility. Simplify the problem of cybersecurity into the most basic of problems. Make sure you have a light shining on every piece of your network to expose any risk. Consider a ransomware vulnerability assessment if you aren’t sure you and your team understand where all your security risks lie.