There’s an unfortunate tendency I see all too often in some businesses: An inclination towards thinking that when it comes to data security, “good enough” is good enough. It really isn’t.
The reasoning is understandable: Companies think that they’re too small or too obscure to be noticed by hackers. Or they think that bought-and-paid-for security measures they took a year ago remain airtight. Or they reckon that threats are overstated, and are largely a means of selling security products or services they don’t really need. All of these arguments are great ways to put off investing in up-to-date security measures.
Unfortunately, none of these arguments holds up. Tech 248, Oakland County’s program to support the growth of the technology industry in the region, understands that and takes security seriously. Yesterday’s Tech 248-sponsored SANS Institute training session underscored the point that security threats are real regardless of company size, and that organizations that take a casual attitude towards data security are at far more risk than they realize.
The session, open only to CIOs and others responsible for data security, shone a spotlight on some of the current and emerging threats that organizations face. The keynote speaker, Jeff McJunkin, has developed a reputation as a go-to expert for up-to-date assessment of security threats and the countermeasures needed to head them off.
McJunkin’s session began by discussing common-sense security measures that a company without a dedicated IT security resource can still perform within its own environment. He then took a deeper dive into the pieces of infrastructure that are often forgotten. Organizations are often comforted by purchasing a piece of flashy-lights hardware or some superhero-logoed software that they believe to be a one-stop shop for all their security needs. An IDS/IPS, regular patching, anti-virus and a firewall are all sound preventive measures, but they are only the starting point: security requires people actively watching, tuning and responding in order to stay on top of threats and repel attacks.
McJunkin extended his somewhat terrifying but honest message by pointing out how quickly an environment can be breached. In many cases it takes only minutes. Minutes! A jaw-dropping question and answer followed: “How quickly does an organization find out it has been breached?” Survey says: weeks to months later. That gap between compromise and discovery is the window in which an attacker does most of the damage.
McJunkin pointed out some disturbing facts. IT budgets are typically about five percent of an organization’s revenue, and only five percent of that five percent is earmarked for IT security, which works out to roughly a quarter of one percent of revenue. This means that multi-billion-dollar organizations such as Home Depot or Target likely spend only a tiny fraction of their revenue protecting themselves, and protecting you, the consumer.
Partners can also pose a security threat. Your partners may work within your walls and have access to your systems; how do you know that they are sufficiently secure? McJunkin demonstrated a live attack in which he breached one fictitious company and then used it as a launchpad to breach a partner organization. This required only an extremely simple exploit script, and by simple I mean seven to ten lines of code in total. Bear that in mind the next time you’re running vulnerability scans on Patch Tuesday: seven to ten lines of code could quite possibly compromise your company’s infrastructure, and trust extended to a partner is only as strong as that partner’s own security.
It all comes down to this: hackers and saboteurs follow the path of least resistance and look for the most inviting, easiest targets. Advanced security technology and practices at many larger companies have prompted attackers to look downstream at smaller firms they might have overlooked before, and they are finding plenty of opportunities. CIOs need to continually update their knowledge of security threats, as well as of the points of potential vulnerability within their own networks; to do less simply rolls out the red carpet for the bad guys and opens the door to a lot of damage.