
Don't be naive


by Scott Klososky

There’s an old saying: don’t leave the barn door open. Unfortunately, it describes a lot of corporate cyber security efforts. For many leaders, cyber security does not become a pressing issue until something catastrophic happens, and that is wildly irresponsible. A barn door left open leads to nothing but trouble on the ranch. A security breach, in turn, is always damaging and can be fatal to an organization.

Much like the year before it, 2015 was a lucrative year for hackers and cyber criminals. Last year’s news was littered with stories of organizations across a spectrum of industries that suffered extremely high-profile and damaging cyber attacks. Whether it was Ashley Madison, Anthem, or the Office of Personnel Management, each month seemed to bring another noteworthy victory for black hat cyber criminals. In 2015 alone, more than 178 million Americans had their records exposed in cyber attacks. It appears that 2016 will be the same, if not worse.

Cyber attacks are embarrassing and expensive: they can end in the loss of critical data, the costly distraction of leadership, regulatory fines, or a ransom payment to criminals to unlock encrypted data. The 2014 breach of Home Depot may ultimately cost the retailer billions of dollars. Most disturbing of all, these attacks erode consumer confidence, and confidence, once lost, is very hard to regain.

It’s not a question of if you will be attacked but when. The best weapon an organization has against cyber attacks is to be proactive about its security practices. There are important steps you can take today to help ensure that your company’s name is not added to the growing list of those who have suffered through a costly attack.
First, let’s identify some of the major attack vectors that cyber criminals use successfully:

Delivery of Malicious Code:
Attackers compromise a legitimate public website that their intended targets are known to visit, such as a trade site for a particular industry, and plant code there that exploits weaknesses in visitors’ browsers or plug-ins. This type of attack, known as a “watering hole” attack, is intended to infect an employee’s computer and thereby gain a foothold on the targeted network.

Social Engineering:
Criminals pose as company personnel, vendors or powerful authorities to obtain information or resources they can use to circumvent organizational security. They prey on the helpfulness, trust or inexperience of staff, and the attack may be physical rather than electronic, such as talking their way past a reception desk.

Remote Access:
Attackers scan for open ports that expose services to the internet (remote desktop, database listeners, administrative consoles) and then exploit weak credentials or unpatched software in those services. Web applications are a second route: SQL injection exploits code that builds database queries directly from user input, letting an attacker read or alter the database behind the site and, in some cases, go on to compromise the server itself.
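To make the injection route concrete, here is an added example in Python with SQLite; it is not code from the original article or from the author’s company. It assumes a hypothetical login lookup that checks a username and password against a users table; the database, the accounts and the attacker input are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory database for this demonstration.

    The table, users and passwords are invented. Passwords are stored in clear
    text only so the injection point stays visible; a real system stores
    salted password hashes.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse battery", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL statement by string formatting.

    Whatever the user types is spliced into the statement text, so a quote
    character in the input ends the string literal and the remainder is
    parsed as SQL.
    """
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Parameterised query: the same statement, but the input travels as
    bound values that the database engine never interprets as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo():
    conn = make_db()
    # Hypothetical attacker input: the quote closes the username literal and
    # "--" turns the rest of the statement (the password check) into a comment.
    payload = "alice'--"
    return {
        "vulnerable, legitimate login": login_vulnerable(conn, "bob", "hunter2"),
        "vulnerable, injected login": login_vulnerable(conn, payload, "wrong"),
        "safe, same injected input": login_safe(conn, payload, "wrong"),
        "safe, legitimate login": login_safe(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for label, row in demo().items():
        print(f"{label}: {row}")
```

With the vulnerable function the attacker logs in as the administrator without knowing any password; with the parameterised version the same input is just a username that does not exist. The fix is not escaping quotes by hand but never letting user input become part of the statement text.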

The Inside Job:
Criminals are aided by the knowing assistance of one or more of an organization’s own employees, who already hold legitimate access.

Phishing:
Phishing schemes attempt to steal your identity or information (such as usernames, passwords and credit card details) for financial gain by using a fake e-mail, disguised as one sent from a trustworthy entity, to entice you to click on a malicious link or open a malicious attachment. These messages often masquerade as coming from a financial institution, such as a bank.

Spoofing:
In spoofing, an e-mail header is manipulated so that the message appears to come from a sender other than its real origin. Business e-mail compromise scams, or “CEO fraud,” are a prominent example. The FBI has reported that between October 2013 and August 2015, $750 million was extracted from more than 7,000 companies using these scams, in which criminals fake correspondence from the executives of victim companies, asking employees to initiate unauthorized international wire transfers on the company’s behalf.
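Phishing and CEO-fraud messages usually leave traces in the headers that a mail filter, or a suspicious employee, can check. The following Python script is an added example, not code from the original article or its author. It assumes a hypothetical company domain (example-corp.com) and two constructed messages: one modelled on a CEO-fraud lure and one legitimate internal note.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr

# Assumption: the defending organisation's own mail domain.
OUR_DOMAIN = "example-corp.com"

# Constructed sample messages; neither is a real e-mail.
SPOOFED = """\
From: "CEO Jane Doe" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe@webmail-free.example
To: accounts@example-corp.com
Subject: Urgent wire transfer before 3pm

Please send the payment on the attached invoice today. I am in meetings, do not call.
"""

LEGITIMATE = """\
From: "Jane Doe" <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Q1 budget review

Please bring the revised figures to Thursday's meeting.
"""

EXEC_TITLES = ("ceo", "cfo", "president", "managing director")
URGENCY_WORDS = ("urgent", "wire", "immediately", "transfer")


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def looks_like(domain, ours, threshold=0.8):
    """True when domain is not ours but is a near miss of it (examp1e vs example)."""
    if domain == ours:
        return False
    return difflib.SequenceMatcher(None, domain, ours).ratio() >= threshold


def check_headers(raw_message, our_domain=OUR_DOMAIN):
    """Return the list of business e-mail compromise indicators found in the headers."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    subject = msg.get("Subject", "").lower()

    findings = []
    # 1. Sender domain is a look-alike of ours (typosquat).
    if looks_like(from_domain, our_domain):
        findings.append("sender domain is a look-alike of ours: " + from_domain)
    # 2. Replies are silently redirected to a different domain than the sender's.
    if reply_domain and reply_domain != from_domain:
        findings.append("Reply-To goes to a different domain: " + reply_domain)
    # 3. Display name claims an executive title but the address is external.
    if from_domain != our_domain and any(t in display_name.lower() for t in EXEC_TITLES):
        findings.append("executive title in display name but external address")
    # 4. Pressure to move money quickly.
    if any(w in subject for w in URGENCY_WORDS):
        findings.append("urgency or payment language in subject")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, check_headers(raw))
```

The checks are heuristics for the common tricks: a look-alike domain, a Reply-To that quietly redirects the conversation, an executive title on an outside address, and payment urgency. A message whose From header forges your own domain exactly will pass these tests; that case is what SPF, DKIM and DMARC checking at the mail gateway is for, and this snippet does not implement them.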

Access Through Intermediaries:
In late 2013, retail giant Target was the victim of a massive breach. Initial access was gained through malware that captured the network credentials of Target’s HVAC vendor, which had remote access to Target’s systems. Using that vendor login, the attackers moved through Target’s network to its point-of-sale systems and stole 40 million credit and debit card numbers during the 2013 holiday shopping season. A vendor’s security weaknesses become your own.

Brute Force Attack:
This type of attack systematically tries every possible password or key until the correct one is found. Short passwords fall quickly; each additional character multiplies the number of candidates by the size of the character set, so the time required grows exponentially with length. Whether the attack succeeds depends on the size of that search space versus the computational power available to the attacker, and on whether the defender slows guessing down: account lockout and rate limiting against a live login, and slow, salted password hashing (bcrypt, PBKDF2) for a stolen password database. It’s why a longer, more complex password is more secure, and why length counts for more than a couple of special characters.
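The relationship between password length, character set and attacker effort can be measured rather than asserted. The following Python script is an added example, not code from the original article or its author; it runs a real exhaustive search over short constructed passwords, compares a fast hash (SHA-256) against a deliberately slow one (PBKDF2), and estimates exhaustion time at an assumed guess rate.

```python
import hashlib
import itertools
import string


def sha256_hex(password):
    """A fast hash: what an attacker hopes the stolen password database used."""
    return hashlib.sha256(password.encode()).hexdigest()


def pbkdf2_hex(password, salt, iterations):
    """A deliberately slow hash: each guess costs `iterations` rounds of HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def search_space(alphabet_size, max_len):
    """Number of candidate strings of length 1..max_len over the alphabet."""
    return sum(alphabet_size ** k for k in range(1, max_len + 1))


def seconds_to_exhaust(alphabet_size, max_len, guesses_per_second):
    """Worst-case time to try every candidate at the given guess rate."""
    return search_space(alphabet_size, max_len) / guesses_per_second


def brute_force(target_hex, alphabet, max_len, hash_fn=sha256_hex):
    """Try every string of length 1..max_len in order; return (password, attempts).

    Returns (None, attempts) when the space is exhausted without a match.
    """
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if hash_fn(candidate) == target_hex:
                return candidate, attempts
    return None, attempts


def demo():
    lower = string.ascii_lowercase
    # Constructed target: the 3-letter password "dog", stored with a fast hash.
    fast = brute_force(sha256_hex("dog"), lower, 3)
    # Same search against a slow hash, on a tiny alphabet so the run stays short.
    salt = b"constructed-salt"   # assumption: a per-user salt stored beside the hash
    slow_hash = lambda p: pbkdf2_hex(p, salt, 20_000)
    slow = brute_force(slow_hash("ba"), "abc", 2, hash_fn=slow_hash)
    # Illustrative exhaustion times for 8- and 12-character passwords over the
    # 95 printable ASCII characters at an assumed 10^9 fast guesses per second.
    fast_rate = 1e9
    slow_rate = fast_rate / 20_000   # each PBKDF2 guess costs 20,000 hash rounds
    days_to_exhaust = {
        (n, label): seconds_to_exhaust(95, n, rate) / 86400
        for n in (8, 12)
        for label, rate in (("sha256", fast_rate), ("pbkdf2", slow_rate))
    }
    return {"fast": fast, "slow": slow, "days_to_exhaust": days_to_exhaust}


if __name__ == "__main__":
    result = demo()
    print("fast hash:", result["fast"])
    print("slow hash:", result["slow"])
    for (length, label), days in result["days_to_exhaust"].items():
        print(f"{length} chars, {label}: {days:,.0f} days to exhaust")
```

The two searches need the same number of guesses, but each PBKDF2 guess costs thousands of times more than a SHA-256 guess, which is why a stolen password database should have been hashed with a slow, salted function. Against a live login page the limiting factor is different: account lockout and rate limiting cap the attacker’s guess rate, which the script does not model.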

Ransomware:
Ransomware is malware that encrypts a victim’s files or locks the computer until a ransom is paid. The attackers often threaten to destroy the data if payment is not delivered, forcing organizations either to pay or to lose critical data, unless they hold clean, offline backups. The most famous ransomware family is CryptoLocker, but on January 4 of this year the first ransomware written in JavaScript was reported. According to Computerworld, this ransomware, known as Ransom32, can be packaged to infect Windows, Mac and Linux systems. It is offered for download on the dark web to anyone who supplies a Bitcoin address, and its developers take a 25% cut of any ransom collected.

As you can see, the tools cyber criminals use are deceptive and adaptable. Yet there are steps you, as a leader of your organization, can and should take to protect it.

Your organization’s staff is both your greatest vulnerability and your most valuable security asset. A staff that understands the dangers of cyber attacks and knows how to prevent them is critical. It is imperative to train the entire staff on how to spot and report a cyber attack. In 2016, cyber security training needs to be a cornerstone of your staff development; in fact, it should be a mandatory requirement tracked by human resources. My company, Future Point of View, offers workshops that can educate any organization on preventative cyber security measures. We work with organizations large and small to help develop education plans surrounding cyber security.

Security Audits:
It is also highly advisable to have an outside organization run internal and external security audits. I recommend doing these audits at least once a year. An audit examines your firewall rules and exposed ports, your network traffic flows, access controls and authentication to your network, and much more. It is delivered as a comprehensive report, typically followed by a remediation plan that the organization should use to repair the vulnerabilities discovered, most severe first.

When choosing a firm to deliver a security audit, it is important to do your homework. Make sure you are working with a firm you trust because you are allowing them access to your network, and that is far from a minor deal. If you would like more information on the value of security audits and choosing the right vendor, feel free to reach out to me at any time.

Along with educating your staff about cyber security best practices, you need written security policies. These should cover, at a minimum, password requirements, role-based access control (each employee gets only the access the job requires), how staff report potential security weaknesses, and deadlines for applying security updates, patches and fixes.

Incident Response Plan:
Organizations tend to have disaster recovery plans, yet many do not have a documented incident response plan. It is important to define in advance how each category of breach will be handled according to its severity, and the role each key person will play while it is being contained. It is also valuable to rehearse these scenarios, for example as tabletop exercises, and get everyone involved. When a breach actually occurs, you want the entire organization working as a team to address the problem rather than improvising.

No one thinks cyber security is the most important thing until something disastrous occurs. After you’re hacked, then all of a sudden it becomes the most important thing. That’s not responsible leadership. That’s avoidance. Addressing cyber security within your organization is one of the most important things you can do in 2016. Don’t wait. Make sure you are taking every initiative to protect your company today.

Scott Klososky is a speaker, writer and consultant specializing in forecasting how technology can be leveraged to help organizations. He is the founding partner and principal at Future Point of View, a firm offering technology consulting, education and engineering to a diverse array of organizations across a spectrum of industries. For more information on Scott or Future Point of View, please visit

This article originally appeared in the Jan./Feb. 2016 issue of Industrial Supply magazine. Copyright 2016, Direct Business Media.

