We have seen from the front lines of this cyber war the cunning threat actors, as well as well-meaning employees and vendors who don’t have any malicious intent but make big mistakes.
Most businesses grossly underestimate the true risk and exposure they face from cyber-attacks.
Here are some rarely considered areas to consider in your own business to uncover your potential exposure and risk.
The Devil Inside
A not-oft discussed risk is insider threats. An insider threat is internal to the organization such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems.
It seems that many businesses want to dismiss insider threats because it sounds like something that only happens in large, publicly traded companies. A thing that is planned out, premeditated, complex or elegant.
In reality it doesn’t have to be any of these!
Consider the incident at a small Pennsylvania law firm in 2013. A former employee of Pittsburgh-based law firm Voelker & Gricks LLC and her husband were caught and found guilty of federal charges that they hacked into the firm’s computers in conjunction with a supposed member of the international hacker network Anonymous.
The employee was fired, and whatever transpired during and after the firing caused her and her husband to team up with the infamous hacker network and break into the firm’s computer systems.
This was a small law firm, not some huge name. I bet you’ve never even heard of Voelker & Gricks (and outside of this book and news articles you won’t since they don’t exist anymore). Any business of any size that has anyone working for or with them is at risk.
The Keys To Your Kingdom
Do you ever think about how your IT vendor has the keys to your kingdom?
In order to perform their work you pay them for, they require access to the network (often times remotely) and also accounts that have administrator-level privilege.
Most of these firms work with small businesses who don’t have an internal IT department. If they don’t have an internal IT department that means the MSP has complete control of the network. They probably designed it. They have remote access to it. They hold all the passwords…. Who are they?
These third-party companies literally hold the keys to your kingdom.
Do you know what THEIR internal security is like? Do you know who is working for them? Did all their employees have background checks?
IT Vendors are the perfect hunting ground for threat actors who are looking to attack networks. One MSP alone can have trust relationships with hundreds of different businesses, and access to tens of thousands of computers.
Threat actors could attack businesses directly one by one, but if they breach ONE MSP, now easily dozens of businesses are ripe for the picking.
Go to your IT Provider RIGHT NOW and demand to have WRITTEN information about their internal security practices, their Information Security Policy, their Information Sensitivity Policy, their Errors and Omissions Insurance, and their Cyber Liability Insurance.
If they don’t AT LEAST have these in place, fire them and hire a company that does.
This also goes for mid-market firms who contract IT vendors for configuration of software, hardware or IT security products. Since they are playing in a bigger space you have a better chance of those providers being more serious about their security and policies, but NEVER ASSUME.
My CPA Did What?
Another business associate overlooked in the IT security process is your CPA or accounting firm. These vendors often have remote access to your network to audit or update your books and access data to file your taxes.
I can pretty much bet you that you haven’t asked them how they are storing the passwords to your network and accounting software.
In my opinion if you have access to a privileged account of any kind you should be required to understand how the credentials you use are stored securely.
I recent spoke at a continuing education session for CPA’s on access controls and information security. Some of the questions I got during the Q&A part of the talk surrounded encryption technologies and password management.
Afterwards I was approached by a CPA who bragged to me about his ‘secure encryption software’ and ingenious password schema for the bank clients he did audits for.
Then he proceeds to let me in on his (no longer) super-secret schema for the passwords which encrypt the banks’ files in his possession: the banks’ initials in all caps, then a space, then the word ‘secure.’
He was so happy such a simple method was secure (according to his encryption software’s little box that popped up and told him it would take 1,000 years to crack) and told me he was pretty sure it was because the software allowed him to create a space in the password.
I’m not sure if he picked up on my wide eyes and gaping jaw as he told me how to break into every single one of his clients. Seriously. All I would need is his client list and if I asked him that, he probably would have divulged that to me, too!
The moral of the story is to not only have stringent IT security policies and procedures for your own business, but to also know and demand at least the same practices from your vendors and business associates. And for heavens sake, please get a thorough idea of your risk and exposure. After all, the chain is only as strong as its weakest link.