In a Wall Street Journal report entitled “Information Security” (April 20, 2015), staff reporter Danny Yadron highlighted 5 key steps companies can take to improve their “cyberhygiene” that have a lot less to do with spy-grade technology and a lot more to do with boring things that companies too often skip, like:
Step One: Keep up with the patches. Last year a third of new hacking tools discovered by security researchers at HP involved exploiting a flaw in Microsoft Windows that was discovered in 2010. Microsoft issued the correction patch years ago. Unfortunately, too many companies simply don’t keep their software up to date. As security expert Alan Paller notes, with patches “you’d stop most of these attacks.”
Step Two: Keep your online doors closed. The average family has five or more machines attached to the Internet (phones, tablets, PCs, TCs). Businesses typically have many more – and often don’t even know which are online. According to Verizon, last year nearly one-fourth of all breaches were the result of hackers getting into a machine that didn’t need to be online. The solution is simple: make sure that only necessary machines are online, and that they’re protected.
Step Three: Encrypt your data. For starters, be sure your credit card transactions are PCI compliant. You should not be holding customer credit card numbers anywhere. Beyond that, internal encryption can get costly and can slow some operations down. Home Depot spent $7 million to ensure encryption for its 2,200 stores. The stolen data that makes headlines is always of the unencrypted variety, so companies must balance the cost against the public relations (and financial) debacle that ensues if a major breach occurs. This is much more of a concern for the Big Guys, but we’ve always found that whatever affects those Big Guys trickles down to us Little Guys eventually.
Step Four: Get rid of passwords. As the Journal notes, “Users hate them. Security staff dread them. Hackers love them.” According to Verizon, 25% of all breaches could have been stopped if the victim companies had required more than a password to enter their networks. Users often use the same passwords for networks, banking, password files and social media, to name a few. New technologies are emerging, like a tiny USB token that verifies a user’s identity in conjunction with passwords for an extra layer of security. In early tests, it’s been effective and well received by employees.
Step Five: Check out your vendors. About one-fourth of data breaches have been linked to hackers getting into a vendor or third party, and then backing their way into a larger target firm. Target, Inc. traced its infamous breach back to a heating contractor. Home Depot’s was linked to outsiders who had access to their corporate networks and were hacked first. The solution lies in careful oversight.
That may not be foolproof, but it will plug the obvious holes. And as you can see from the items above, most of the tactics that will increase your own network security are pretty low-tech. Basic “blocking and tackling,” one might say. Start with the obvious. Your odds can only go up from there.