If you are charged with protecting customer data, whether you are an MSP or someone who handles your company’s IT needs internally, the word that should be on your mind this time of year is audit.
Yes, audit. It’s a word that strikes fear into the heart of every business owner. But relax; no tax reference intended! With winter waning, now is a good time for even the most tech-savvy of firms to do some spring cleaning of sorts with an audit of their firm’s enterprise/infrastructure. With the growing threat of cyberattacks, there is no such thing as being too careful when it comes to a company’s proprietary and personnel data.
Those of us charged with protecting the information of our clients are all too aware that, each day, more than 80,000 new variants of hacking are being released, with statistics indicating that hack attacks occur every 39 seconds. Tens of thousands of new hackers are leveling new hacks against businesses every day, and these breaches become easier as hackers’ level of sophistication advances.
Small Business Trends has reported that 43 percent of cyberattacks directly target small businesses, and 48 percent of data breaches are caused by malicious intent. The remaining 9 percent are attributed to human error or system failure. I’ve saved the most head-shaking stat for last — just 14 percent of businesses categorize their information technology infrastructure as highly effective against cyberattacks and other vulnerabilities.
In the words of Warren Buffett, cyber threats are bigger than threats from nuclear weapons. Hyperbole, perhaps, but we all agree the problem is getting worse, and when it comes to the safety, security and overall health of a company’s infrastructure, there’s no such thing as too much protection.
We advise companies that audits or risk assessments are critical and refer people to the NIST (National Institute of Standards and Technology) as a good reference point for providing the framework and definition of what should be included.
For those who are MSPs, it makes sense to counsel clients on the importance of selecting an expert in cybersecurity to lead a risk audit. And that, of course, includes a “vulnerability test.” Let the experts attempt to hack their way into a system to see what the weaknesses are.
Our experience is that virtually every infrastructure is at risk in some way — from multibillion-dollar corporations down to mom and pop shops. We have never found a system that is 100% impenetrable in all our years conducting infrastructure audits.
We need only remember the WannaCry ransomware cryptoworm from 2017. It targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. Microsoft had, months earlier, released patches to mitigate the exploit that WannaCry took advantage of; still, much of WannaCry was spread from organizations that had not applied these patches or were using older Windows systems way past their end-of-life. In tech terms, WannaCry exploited a “known hole.” A vulnerability test would have prevented many companies from being infected with this costly and time-draining threat to their businesses.
Employee training is also essential, since so many breaches are due to human error or system failure. Basic steps include training employees to “trust but verify” email that looks even remotely suspicious and implementing a policy whereby company data can’t be stored on any employee personal devices.
It can take decades to build a business to successful heights, but a mere few minutes to make it crash to the ground. A risk assessment or audit to ensure and maintain the safety of your organization’s infrastructure can go a long way to safeguarding against that painful fall.