It’s Time to Go to Code Red for Business IT Security

By Mike Henderson

The threat has never been more real.

After 9/11, the Department of Homeland Security issued a color scheme to illustrate the potential of a terrorist attack on U.S. soil. It seemed like a good idea, but we never quite managed to get back down to terror-threat-level blue (guarded), let alone green (low risk). After months at yellow (elevated) and orange (high risk), the public got a bit jaded, and the color-coding system was dropped.

If we were to implement that same coding system for U.S. businesses to show the threat they face from cyber attacks, we would be at code red (severe risk) 24/7, 365 days a year.

Carl Wright, former chief information security officer for the U.S. Marine Corps, puts it rather bluntly: “This is the most dangerous time we have had as a country, specific to cyber. The reason is that we have senior leadership in corporations and government who are barely IT-literate. They are approving policies and making decisions they truly don’t understand.”

We hear a lot about the big data breaches: Sony, Target, J.P. Morgan Chase, Anthem—even the federal government itself. The list of major names that have been hit grows longer by the day. It’s tempting to think the big names present more inviting targets and that smaller organizations are less likely to become the victims of cybercrime. Nothing could be further from the truth.

Small and mid-size companies are actually more attractive targets because their systems are easier to infiltrate. They can’t afford to dedicate an entire team to system security, so they tend to rely on off-the-shelf solutions. Plus, with limited headcount, they are often forced to assign security management to team members who wear many hats.

According to the Solutionary 2014 Global Threat Intelligence Report, 59 percent of all security breaches are a result of the organization’s failure to patch application and operating systems. Think about your own IT environment. When your IT manager is trying to keep your VOIP running, is he or she really going to drop everything and install the new patch from your ERP vendor?

If you think you’re safe because you use the most reputable software vendors on the market, you might want to rethink your assumptions. Data from the U.S. government’s National Vulnerability Database shows that, for the last three years, the number of vulnerabilities has increased. Based on about 5,200 entries recorded as of September 30, the total number for 2014 could exceed the record set in 2006.

To be sure, the number of patches released is not the fault of application vendors. Like a real virus, cybercriminals are constantly adapting to efforts to deny them access to your systems. Major application and operating system vendors have teams of people dedicated to addressing new types of attacks as soon as they crop up, hence the slew of patches released every month.

It’s really not a matter of “if” your systems will be attacked. It’s more a matter of when, how, and by whom. In fact, many businesses right here in our community have been victims of a cyber attack. Thankfully, not all attacks are successful, but the odds are that right now someone, somewhere may be trying to breach your systems.

Make no mistake: The cost of a successful breach is higher for small and midsize companies than for larger counterparts. Not in absolute dollars, of course, but in relative costs. Many small businesses work on extremely tight budgets. Even minor breach remediation can cost tens of thousands of dollars in downtime, lawsuits, stolen property, and lower customer confidence. Sure, Target can bounce back as strong as ever—but can you?

Hopefully, your firewalls are secure, your employees are up to speed on your data security policies, and your systems are all patched. That’s a lot of hoping, and hope is not a strategy. So here are a few immediate software-related actions you can take to ensure you are protected:

• Install patches as soon as they are available.

• Fortify your firewalls against the newest threats.

• Keep your anti-virus software up-to-date, and make sure it is installed on every device that accesses your network.

Handling the human side of the equation gets a little trickier. Even smart people can make poor choices. All it takes for a virus to enter your system is for someone to accidentally click a link while they’re multi-tasking during a meeting.

Keeping your anti-virus software up to date can help with situations like that, but there are other “human errors” that can’t be addressed with technology, e.g., an employee puts their password on a sticky note and attaches it to their monitor. It’s important to have an updated security policy manual and ensure all employees are adequately trained. These days, anything less than full compliance is risky.

Today’s businesses must make security a priority. Given the number of breaches happening all around us, you’re no longer planning for what might happen. You’re planning for what will happen. And, as everyone knows, the best defense is a good offense.

About the author

Mike Henderson is regional vice president for Cosentry’s Kansas City operations, based in Lenexa.