Security is never far from the top of the agenda and a couple of stories that caught my eye recently brought this into focus.
The first concerned the Associated Press (AP), who recently had their Twitter account hacked. The hacker then tweeted that there had been an explosion at the White House and that President Obama had been injured. This was rectified reasonably quickly, but not before the US stock market took a dive based on this misinformation. AP managed to regain control of their Twitter account in fairly short order, and I’m sure you’ll be pleased to know that the stock market also recovered, and the world didn’t implode on itself in the mass panic. The only real lasting effect of this, as far as I can see, was a significant amount of egg on the collective face of AP.
The hack is believed to have happened as a result of a phishing email going to AP. Apparently it was a more sophisticated phishing scam than the usual ones that drop into your inbox saying “I am from your bank, click here and enter your password”, but the principle was the same.
The second was an article about security breaches at small businesses in the UK. Statistics show that as many as 80% of small businesses in the UK have suffered a breach in the past year, costing the unfortunate SMB between £35,000 and £65,000. The security breaches they refer to cover a whole multitude of sins, which will include the phishing scam that AP fell victim to. The headline figures of cost to the business do seem a little arbitrary, and although I am sure they were arrived at scientifically, rather than by taking a random number and multiplying it by your shoe size, they do highlight the undeniable fact that clearing up the mess following such an incident does have a monetary cost.
So what does this tell us?
This shows us that regardless of whether you are an internationally renowned press agency or a small business in the UK, you are not immune to breaches in security. The fact that your small business may not be a household name does not mean that no one will bother trying to break in. It’s easy to be blasé about this and take the approach of “I have an IT Support company taking care of my IT stuff so I don’t need to pay attention”. If only it were that simple.
We install and set up our customers’ systems to be secure in line with best practice and industry standards. I am happy to say that some customers have insisted on independent penetration tests of our systems to ensure that we know what we are doing, and we have not been found wanting. Security patches are applied when they are issued and antivirus software is always being updated. Similarly, I am sure that AP’s systems have some degree of resilience and structure and are not haphazardly thrown together, yet despite this they still found themselves with a very public breach of security.
The security of a system can only be deemed as strong as its weakest point, and in many cases the weakest link is a human. You may congratulate yourself on the state-of-the-art, military-grade lock that a reputable security firm installed on your front door, but if you leave the back window open to allow the cat in and out then the Fort Knox-style front door isn’t really going to be a great deal of help.
Some degree of vigilance and common sense can mitigate many of the problems and associated clean-up costs. It’s easy to say “don’t click on any dodgy links”, but in many cases these dodgy links are innocuously disguised. A group policy of removing local admin rights and stopping you from installing any software yourself can help prevent this from happening, but this well-meaning restriction may hamper you in other ways in your day-to-day job. It has to be a balancing act of keeping you secure but not tying your hands in the process.
My final word of advice is to not leave your system or email password set to the default that your IT support company or department set up for you. Setting it to “password” or “qwerty” (if you’re feeling clever) is again being a little cavalier about security. It still surprises me how many people do not change their passwords from the default after so many years. Here at Virtual IT we have our own failsafe against this: anyone who starts working here and doesn’t change their password within a couple of weeks has their email mysteriously ‘hacked’ and silly emails sent around the department from their account.
Sadly you will never be able to put your feet up and say “my IT security is sorted and I don’t need to worry about it anymore” regardless of what steps your IT Support company or department takes – security has to begin with you!