If you missed our last post, we explored what IT customers may not know about their own cybersecurity and the effect it can have on your risk. We reached out to industry experts for their thoughts and opinions, and below, we continue that discussion with three more things your clients aren't likely to know. They run the gamut from password strength to employee policies.
1. A Password, Even a Strong One, Isn't Good Enough
Nick Espinosa (@NickAEsp), CIO of IT consultancy firm BSSI2, says the days when a simple password protected one from intrusion and theft are gone.
What many don't realize, says Espinosa, is that hacking is not quick. "Hacking attacks are slow and methodical, with hacking utilities oftentimes just running for months on end, cycling through various password lists as well as other vectors for attack," he explains.
Espinosa recommends frequently changing passwords and keeping them strong. But be realistic: Oftentimes, there are ways around passwords.
"We do quite a bit of white-hat hacking for client security, and one of our favorite attack vectors is to set up what is known as an 'Evil Twin' attack," says Espinosa. They broadcast free WiFi in a local coffee shop, often with the client's own wireless broadcast name, and watch as employees filter in and connect their devices. The "hackers" are then able to collect data from employees as they browse the Internet.
Espinosa says it shows the importance of encryption and the lack of awareness surrounding it. "Even in those companies that fall under government compliance like HIPAA, SEC, or PCI, we have found a lack of even the most basic protections for their data. Everything should be encrypted!"
2. Mobile Devices Are Vulnerable
There is a common misconception that mobile devices are safe from malware. Espinosa says this couldn't be further from the truth. "In the last two years, the rate of infected apps and devices has skyrocketed," he says.
The problem extends to Apple as well as Android devices. Espinosa says there's a sizeable gap between the time an infected app goes on sale on the App Store and the time it's removed, and that the Android marketplace is highly unregulated. (See "Apple's XcodeGhost Reminds Us that Even Developers Get Hacked" for an example.)
What's the solution? If employees are using phones to connect to company networks, Espinosa suggests there should always be some kind of scanner and filter on mobile devices. If a scanner is not possible, a Mobile Device Management (MDM) system that filters which apps can and cannot be installed on the phone is recommended.
3. An Employee-Inclusive Cybersecurity Policy Is Essential
Ultimately, the security of a company largely depends on the actions of all its employees – not just those in the IT department. This means developing comprehensive policies that everyone in the company can follow. Unfortunately, many businesses neglect this area.
According to Tiffany Tucker, a services engineer for Chelsea Technologies (@ChelseaTech), companies often view security policies as a nuisance as opposed to a layer of protection.
Tucker offers the example of removing local admin rights from a client's account. "It is looked upon as an inconvenience because clients no longer have free rein over their machine," she says. "However, they must be reminded that if their machine were to be exploited, that free rein now belongs to the attacker."
Creating informed policies that employees know and follow is just as important as any technology. "Focusing solely on the perimeter leads to a neglected internal environment, which is enough for an attacker to get their 'foot in the door,'" Tucker says. "It's not just technology that keeps their organizations safe, it's the people that keep it safe as well."
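A policy like the local-admin removal Tucker describes is only as good as the check that enforces it. The script below is an added example, not code from the article or from Chelsea Technologies: it audits the local Administrators group on a Windows machine against an allow-list and, only when explicitly asked, removes anyone not on it. The allow-list contents are assumptions; the cmdlets are from the built-in Microsoft.PowerShell.LocalAccounts module (PowerShell 5.1+) and need an elevated session.

```powershell
# Added example (not from the original article): audit the local Administrators
# group against an approved list. Report-only by default; -Remove changes membership.
# Requires Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts) and elevation.
param(
    [string[]]$Approved = @("Administrator", "Domain Admins"),  # assumed allow-list
    [switch]$Remove
)

$members = Get-LocalGroupMember -Group "Administrators"
$report  = foreach ($m in $members) {
    # Names come back as COMPUTER\user or DOMAIN\group; compare on the short name.
    $short = ($m.Name -split '\\')[-1]
    [pscustomobject]@{
        Name     = $m.Name
        Type     = $m.ObjectClass          # User or Group
        Source   = $m.PrincipalSource      # Local, ActiveDirectory, MicrosoftAccount
        Approved = ($Approved -contains $short)
    }
}

# Show the full picture first so the reviewer sees who holds admin rights today.
$report | Format-Table -AutoSize

$unapproved = $report | Where-Object { -not $_.Approved }
if (-not $unapproved) {
    Write-Output "Local Administrators group matches the approved list."
    return
}

foreach ($entry in $unapproved) {
    if ($Remove) {
        # Strip the unapproved principal; the user keeps a standard account.
        Remove-LocalGroupMember -Group "Administrators" -Member $entry.Name -Confirm:$false
        Write-Output "Removed $($entry.Name) from Administrators."
    } else {
        Write-Warning "$($entry.Name) ($($entry.Type)) has local admin rights but is not on the approved list."
    }
}
```

Run it without -Remove from a scheduled task to get a recurring drift report, and with -Remove once the allow-list has been agreed with the client.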
What You Need to Know about Cybersecurity Risk
As we've stated, the biggest risk to any IT professional when dealing with cybersecurity is the potential for a crushing lawsuit if anything goes wrong. Clients can make it more than easy for criminals to steal data, even if you've been busy working behind the scenes to prevent that very threat.
Before you agree to protect your client, take a minute to protect yourself, and consider carrying Errors and Omissions Insurance to help pay for legal costs if the client decides to blame you and seek damages.