4 Easy Ways to Boost your Cyber Security in 2016
In the Information Technology world, Cyber Security is on the tip of everyone’s tongue. And as the calendar turns to 2016, now is a perfect opportunity of sorts to ensure that your company is prepared and to learn from the lessons of the Hacks of 2015 (if you need a recap, see here, here, and here). So, set a corporate New Year’s resolution to secure your data and information exchanges, starting with the points outlined below.
Before you can fix the leak, you need to know where it is coming from
The default, knee-jerk reaction is for a manager to slam his/her fist on the table and scream at the IT guy wearing the pocket protector and thick-rimmed glasses, “WE NEED TO MAKE OUR SYSTEMS MORE SECURE!!!” However, often the issue is not with the systems; it is with the people logging into the systems. Humans are at least as susceptible to being hacked as any IT system, if not more so. And while nobody falls for the “Nigerian Prince” scam of yesteryear anymore, that does not mean we are safe.
Many hacks require first getting access to your company’s network; however, that is not always as hard as it sounds. Below I’ll address a few common ways a hacker can get access.
Yes, you require that your employees change their password every 90 days, but “Password12345” is not much more secure than “Password1234.” Fix: require a minimum password length, capital and lowercase letters, numbers and special characters – but, most importantly, limit the number of guesses allowed before requiring a password reset or locking the user out. Allowing unlimited password attempts opens the door to brute-force attacks, where someone runs a program that cycles through every possible combination until the password is “found.” As these algorithms get smarter, “Password12345” would be cracked in a matter of minutes…if not
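As an added illustration (editor's example code, not from the post), here is the attempt limit the post calls most important, written in Go: after MaxAttempts wrong guesses the account is locked for a set window, and even the correct password is refused until that window ends. The stored secret is a plain-string stand-in for a real salted password hash, and the user names are constructed for the example.

```go
package main

import (
	"errors"
	"time"
)

// Added example, not the post's code: lock an account after MaxAttempts wrong guesses.
var ErrBadCredentials = errors.New("bad credentials")
var ErrLocked = errors.New("account locked: reset your password or wait")
type account struct {
	secret      string    // stand-in for a stored salted password hash
	failures    int       // consecutive wrong guesses since the last success
	lockedUntil time.Time // zero value means not locked
}

// Guard applies the attempt limit; Now is injectable so expiry is testable.
type Guard struct {
	MaxAttempts int
	Lockout     time.Duration
	Now         func() time.Time
	accounts    map[string]*account
}

func NewGuard(maxAttempts int, lockout time.Duration) *Guard {
	return &Guard{maxAttempts, lockout, time.Now, map[string]*account{}}
}
func (g *Guard) AddUser(name, secret string) { g.accounts[name] = &account{secret: secret} }

// Login stays locked for the whole window even on a correct guess, and answers unknown
// users exactly like a wrong password so usernames cannot be enumerated.
func (g *Guard) Login(name, guess string) error {
	a := g.accounts[name]
	if a == nil {
		return ErrBadCredentials
	}
	if g.Now().Before(a.lockedUntil) {
		return ErrLocked
	}
	if guess != a.secret {
		a.failures++
		if a.failures >= g.MaxAttempts {
			a.failures, a.lockedUntil = 0, g.Now().Add(g.Lockout)
			return ErrLocked
		}
		return ErrBadCredentials
	}
	a.failures = 0 // a correct login resets the counter
	return nil
}
```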
Simple “Password Hint” Questions
It is not overly difficult to find email addresses online these days. With Facebook and LinkedIn, as well as Google and every other major IT corporation tracking your every move, you no longer need a business card to find out how to contact someone. Couple that with the fact that most companies use a formula when generating their employees’ email addresses, and once you have one email address it is fairly easy to find the address of anyone else in the corporation you’d like. But an email address is only half the battle; you still need their password to log into their account. Well…technically, that’s not true. The hacker could always choose the “Forgot Password” option. Then, if the user chose an easy question, such as “What year did I graduate High School?”, “What town is my High School in?”, or “What is the mascot of my High School?”, the hacker is a simple Social Media/Google search away from knowing that information. Chances are, if the hacker met you in person, that information was given up in person, as it isn’t normally something that people are worried about guarding (not like their Social Security Number or something more private). Fix: remove the “Forgot Password” hint questions and force a password reset to take place online, from a form that is only accessible from a link that is emailed to your account (or a personal backup account). You could also force people to log in with usernames that are not associated with their email address. That way, when someone gets my work email address, they wouldn’t have a username or password to start with. All they could do is spam my email to death. Come to think of it, I think I’ve had ex-girlfriends try that approach on me…
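An added example (editor's code, not the post's or any real product's) of the reset flow the post recommends in place of hint questions: a random token is sent as a link to the address on file, only a hash of it is stored, it expires after a set time, and it works once. The host example.invalid, the URL layout and the account names are placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"time"
)

// Added example, not the post's code: an emailed, single-use, expiring reset link
// replaces hint questions. Only a hash of the token is stored, never the token.
var ErrInvalidToken = errors.New("reset link invalid, expired or already used")
type resetRecord struct {
	tokenHash []byte // SHA-256 of the token: a leaked table yields no working links
	expires   time.Time
}
type ResetService struct {
	TTL     time.Duration
	Now     func() time.Time        // injectable clock so expiry is testable
	pending map[string]*resetRecord // keyed by account: one live token each
}
func NewResetService(ttl time.Duration) *ResetService {
	return &ResetService{ttl, time.Now, map[string]*resetRecord{}}
}
func hashToken(t string) []byte { s := sha256.Sum256([]byte(t)); return s[:] }
// Begin mints a 256-bit random token and returns the link to email (example.invalid is a placeholder host).
func (s *ResetService) Begin(account string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	s.pending[account] = &resetRecord{hashToken(token), s.Now().Add(s.TTL)}
	return "https://example.invalid/reset?user=" + account + "&token=" + token, nil
}

// Complete verifies the clicked link's token; the record is then discarded so the link cannot be replayed.
func (s *ResetService) Complete(account, token string) error {
	rec := s.pending[account]
	if rec == nil || s.Now().After(rec.expires) {
		return ErrInvalidToken
	}
	if subtle.ConstantTimeCompare(hashToken(token), rec.tokenHash) != 1 {
		return ErrInvalidToken
	}
	delete(s.pending, account)
	return nil
}
```

On success the caller sets the new password; a second click on the same link, a wrong token, or a link older than TTL all fail with the same error.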
Network devices aren’t updated
OK, so this one actually is on the system. However, it does not require a wholesale change. Simply make sure that devices on your network are required to install the latest Microsoft/Apple/Google updates. If you want to push back a little, since updates can often cause previously working systems to crash, then set up a test bed where your IT department can install the updates first. However, these patches were issued for a reason: someone found a vulnerability and was able to exploit it. Now that the secret is out, don’t make it easy for them to do it to you. Install the patch (again, after your IT department does some initial tests). Fix: install OS and vendor patches in a reasonable amount of time – for most corporations, that should be within the week they are issued.
Sensitive information in your database isn’t encrypted
Don’t be those guys. Don’t have information lying around unencrypted in your database. Even when your systems are secured properly, if someone gets hold of that database, your clients shouldn’t have to suffer. Fix: encrypt any sensitive data, and keep the encryption key on a separate drive. For you .NET developers out there, I’ll talk through how easy it is to do this leveraging Partial Classes in a future post, but for now, step one is encrypting anything that could be valuable. This includes passwords, email addresses, mailing addresses, phone numbers, and credit cards. Be prepared: this will slow down the responsiveness of any web or phone applications that rely on that information; however, it is worth it if it prevents your company from becoming the next Ashley Madison.
Cyber Security is a hot-button topic, and rightfully so. However, you cannot lock down your systems to the extent that your employees can’t complete their work. There has to be a happy balance there, and if you apply the steps above, you’ll be well on your way.