Cyber security is not like the movies
Although it is fast-paced and high-stakes.
Cyber security is a fast-paced business, and it’s important to keep tabs on current trends, attacker tactics, and newly reported problems. That means I spend more time than you might think reading about various breaches, and many of them read the same as all the rest. Every now and then, however, I run into a real gem.
It was while reading one such update that I came across this particular pearl of a quote: “Attackers don’t break in. They log in.”
Frankly, it really hit home. Movies have given people the idea that an attacker is some “hacker” who rides the internet to do battle on an electronic frontier, fighting viruses, adware, and other digital demons so they can bypass or disable the existing security and “break in” to your computers.
The Path of Least Resistance
As with most stereotypes, the perception doesn’t reflect reality, yet it’s so pervasive that we look for (and ultimately find) the few examples that fit our preconceptions. Step back and look at the bigger picture, though, and you realize the majority of attacks don’t fit the stereotype. And why would they? Most cyber-criminals aren’t going to waste the time and effort it takes to pull off intricate, cinema-worthy hacks. In the real world they’re in it for the money, and that means taking the path of least resistance: a stolen, reused, or guessed password and a login page is faster and cheaper than any exploit. The faster and easier a job can be done, the better.
Obviously we’re not suggesting doing away with your firewall, but in addition to being proactive about hardware upgrades and software patches, a large part of enhancing electronic security is as simple as having solid policies and procedures for purchasing software and electronics. Set up rules for hardware and software purchases, including:
- ensuring devices of critical importance (e.g. firewalls) have certain features, such as multi-factor authentication for administrative access,
- requiring important software (e.g. accounting, ticketing) to have certain capabilities,
- putting a mechanism in place to monitor and apply updates for anything you purchase, and
- any other similarly relevant rules for your organization.
As always, having these rules isn’t enough. If they’re going to be worth more than the paper they’re written on, they need to be followed. Rules that are clearly stated and consistently followed will go a long way towards protecting you from “hackers.”
But what happens when it’s not about dollar signs?
The exception to the “fast-and-easy” rule is an attacker motivated by something other than money, usually personal reasons. Political and religious conflicts are one cause, and businesses may face attacks from disgruntled employees as well. Regardless, many organizations stay focused on the technical side when defending against these threats, when in reality the weakest link usually isn’t the computers; it’s the people.
Improving your defenses against social engineering and the human element works the same way as above: have a set of clearly articulated rules and procedures for how employees interact with software and equipment, including:
- Password Policies,
- Acceptable-Use Policies, and
- a well-communicated Incident Response process.
These guidelines for employee behavior set a clear benchmark for what is and is not acceptable. Bad habits people pick up using their personal equipment are often deeply ingrained, so employees may need an occasional reminder.
All these rules and regulations may seem silly and unnecessary at first, but not only do they improve your security, they smooth workflows and help avoid unnecessary disruption. For example, Home editions of the Windows operating system can’t be joined to a domain, which is a problem on most business networks. A policy that new machines run the Professional edition of Windows avoids that disruption before it happens. These policies also cost nothing beyond a little time and effort to set up and follow up on regularly.
If you’d like to consult with one of our cyber security experts about your hardware and personnel security policies, contact TRINUS for some stress-free IT.
This week’s Shakespeare quote comes from Twelfth Night: “I say there is no darkness but ignorance.”
Be kind, courtesy your friendly neighbourhood cyber-man.