Getting breached is more a matter of “when” than “if.” Companies should take an attitude of learning from their cyber mistakes by gaining greater understanding of threats and how to respond next time.
Not that this should surprise anyone, but according to cnet.com, online criminals are going to get even more aggressive in the coming year.
Last year, Equifax was hacked and 145.5 million Social Security numbers became exposed. The WannaCry ransomware attack locked up computers with ransom demands to be paid in bitcoins. The US government even banned Kaspersky Lab software over concerns about Russian government connections. And experts made us doubt the trustworthiness of our devices connected to the internet via WiFi.
For the past two Decembers, Ukraine’s power grid has been hacked. A new strike could have major implications for cybersecurity in the US.
The U.S. power grid belongs to a diverse set of mostly private-sector owners, and much of it is heavily regulated. It would be more difficult to attack a grid of this complexity. At the same time, the U.S. grid is more digitally dependent. Where Ukraine was able to restore power within hours by reverting to analog operations, a heavy reliance on automation in the United States limits this recovery option.
The vast majority of companies are more exposed to cyberattacks than they have to be. In the article “Cybersecurity’s Human Factor: Lessons from the Pentagon”, one key lesson is that while technical upgrades are important, minimizing human error is even more crucial.
Companies need to address the risk of human error too. Hackers penetrated JPMorgan Chase by exploiting a server whose security settings hadn’t been updated to dual-factor authentication. The exfiltration of 80 million personal records from the health insurer Anthem, in December 2014, was almost certainly the result of a “spear phishing” e-mail that compromised the credentials of a number of system administrators. These incidents underscore the fact that errors occur among both IT professionals and the broader workforce. Multiple studies show that the lion’s share of attacks can be prevented simply by patching known vulnerabilities and ensuring that security configurations are correctly set.
But more training won’t reduce your cyber risk
The human is indeed the weakest link in cybersecurity. But all too often organizations’ approach to mitigating that risk — other than taking the wise step of ensuring that they have state-of-the-art technological protection in place — is more training. That is not good enough against today’s cybersecurity threats.
There is one area where more training would pay off: for CEOs and other senior managers — the people who are least likely to take training or take it seriously. Forty percent of respondents to a BAE Systems survey of senior managers in various sectors said they lack understanding of their own company’s cybersecurity protocols. But if you’re the boss, you’re an attractive target for crooks and spies.
When it comes to everyone else in the organization, however, the answer is not more training; it is to not trust humans in the first place. There are simply too many chances for us to accidentally hurt ourselves or the networks on which we operate regardless of how much training we receive. What we need to do is to help users and customers keep themselves and their households and organizations out of trouble.
Most companies with large IT organizations are already aggressively controlling their users’ access and limiting the number of users with admin and system privileges. Although maintaining these controls is vital for securing the enterprise, it is a costly, manpower-intensive and, as stated above, error-prone process.
The workload on enterprise IT security staff is at an all-time high and is increasing with each new threat, and even if the budget were available to hire additional staff, finding qualified IT security personnel is incredibly difficult. There are a number of tools out there that can be used to automate and simplify enterprise IT security tasks, and we have no choice but to find the tools that fit our organization’s needs.
The ZoneRanger is one such tool that can be used to consolidate TACACS, RADIUS and other access control systems significantly reducing licensing, maintenance, and management costs. The ZoneRanger can also reduce the insider threat by restricting management access to only those workstations in the NOC/SOC.
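The two controls described above, limiting who holds admin privileges and allowing management access only from NOC/SOC workstations, are easy to state and easy to let drift. The following added example (written for this page, not ZoneRanger or Tavve code) shows how a defender can audit that policy against authentication records: it parses constructed, simplified TACACS/RADIUS-style login lines, checks each source address against assumed NOC/SOC subnets, and reports successful management logins that came from anywhere else. The subnets, hostnames, usernames and the key=value log format are all assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Assumed NOC/SOC workstation subnets; management logins are only expected
# from these ranges. Values are constructed for the example.
NOC_SOC_ALLOWLIST = [
    ipaddress.ip_network("10.20.30.0/27"),  # NOC workstations (assumed)
    ipaddress.ip_network("10.20.31.0/28"),  # SOC workstations (assumed)
]

# Constructed authentication records in a simplified key=value format.
# A real TACACS+/RADIUS accounting feed would be mapped onto these fields.
SAMPLE_AUTH_LOG = """\
ts=2018-01-10T08:01:12Z user=noc-admin src=10.20.30.7 dst=core-rtr-1 priv=15 result=pass
ts=2018-01-10T08:03:40Z user=jdoe src=172.16.44.19 dst=core-rtr-1 priv=15 result=pass
ts=2018-01-10T08:04:02Z user=soc-analyst src=10.20.31.4 dst=edge-fw-2 priv=1 result=pass
ts=2018-01-10T08:09:55Z user=svc-backup src=192.168.5.21 dst=dist-sw-3 priv=1 result=fail
ts=2018-01-10T08:10:30Z user=jdoe src=172.16.44.19 dst=dist-sw-3 priv=15 result=pass
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Turn one key=value line into a dict; return None for blank or malformed lines."""
    fields = dict(FIELD_RE.findall(line))
    if "src" not in fields or "user" not in fields:
        return None
    return fields


def source_allowed(src_ip, allowlist=NOC_SOC_ALLOWLIST):
    """True if the login source sits inside an approved NOC/SOC subnet."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # an unparsable source address is never trusted
    return any(addr in net for net in allowlist)


def audit_management_access(log_text, allowlist=NOC_SOC_ALLOWLIST):
    """Split records from outside the allowlist into policy violations and blocked attempts.

    A violation is a *successful* management login whose source address is
    outside the NOC/SOC subnets: the control the page describes was not in
    effect for that path. Failed attempts from outside are returned separately
    so the defender can see probing that the control already stopped.
    """
    violations, blocked_outside = [], []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if source_allowed(rec["src"], allowlist):
            continue
        if rec.get("result") == "pass":
            violations.append(rec)
        else:
            blocked_outside.append(rec)
    return violations, blocked_outside


def summarize(violations):
    """Count violations per user so the accounts needing attention surface first."""
    return Counter(rec["user"] for rec in violations)


if __name__ == "__main__":
    bad, blocked = audit_management_access(SAMPLE_AUTH_LOG)
    for rec in bad:
        print(f"VIOLATION {rec['ts']} {rec['user']}@{rec['src']} -> {rec['dst']} priv={rec['priv']}")
    for rec in blocked:
        print(f"blocked   {rec['ts']} {rec['user']}@{rec['src']} -> {rec['dst']}")
    print("per-user violations:", dict(summarize(bad)))
```

On the sample data the two privilege-15 logins by `jdoe` from 172.16.44.19 are flagged as violations, while the failed `svc-backup` attempt is listed as blocked. Running a check like this on a schedule turns the "only from the NOC/SOC" rule from a one-time configuration into something that is continuously verified.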
There is an old adage, “work smarter not harder,” and it is certainly needed in our IT organization given the challenges we are currently facing. To keep our organization safe, secure, and out of the headlines, it is imperative that we do everything we can to automate and simplify IT security processes.
To learn more about how the ZoneRanger can save your company both time and money, give us a call at 919-654-1231.