Plant.ca

Watch out for curiosity that could destroy your business

As you have increased your digital presence, unfortunately, so has the criminal element wanting to invade and capture your digital data.

December 23, 2021   by Richard Kunst


Cyber awareness is more important than ever. It truly is not a matter of “if” you will be breached, but rather “when”.
As a result of COVID-19, most businesses have pivoted their digital presence or have created a digital presence, and ultimately increased their vulnerability and risk of being breached.

They are sophisticated
Destroy the myth that these cyber-hackers are sitting in some remote little isolated area and playing games. These are very sophisticated organizations with multiple employees armed with fancy cyber programs to attack the fortress surrounding your data protection, looking for any little crack of opportunity to invade and take control and exploit your data. Remember, these cyber-hackers are focused on making money, just like any other organization.

As manufacturing companies continue to evolve with Manufacturing 4.0 using blockchain, your machines, and even your I.P., can suddenly become vulnerable.

They are already invading company HVAC systems, so if your machine programs are resident and linked through your data system, then you are vulnerable. Yes, people. We are living in the Wild West of the internet and you just cannot have enough eyes and ears to monitor every nuance.


They are sneaky
The most common invasion step is the use of phishing e-mails, and here is where curiosity can be very costly. You need to constantly remind your team not to open any suspicious e-mails or even links that appear to come from a trusted sender, because once you have clicked, there is no turning back; you are infected.

We are hearing of cases where cyber-hackers are copying a legit e-mail address and omitting a character, so as a recipient you may never suspect until it is too late. You may not be the intended target, but rather they will send this modified e-mail to one of your trusted e-mail connections requesting innocent information from them, and bang, they have been hacked, thanks to you. And once they find out, you can be sure the victim will be coming to you for recourse.

Many of the cyber-hackers are purchasing domain names similar to yours. You may own a .com or .ca, but they will purchase the .org or .net, as an example, to replicate you and your offerings and suck in innocent victims, so always check.
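One way a mail administrator could automate that check, as an added example that is not part of the original article: it flags sender domains that are one character away from a trusted domain or that reuse a trusted name under a different ending. The domains, the allow-list and the function names are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list: domains the organization really corresponds with.
TRUSTED = {"example-mfg.ca", "example-supplier.com"}

def sender_domain(header_from):
    """Return the lower-cased domain from a From: header, or '' if none."""
    _, addr = parseaddr(header_from)
    _, at, dom = addr.rpartition("@")
    return dom.lower().rstrip(".") if at else ""

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(header_from, trusted=TRUSTED):
    """Label a sender: trusted, lookalike-tld, lookalike-typo, unknown, unparseable."""
    dom = sender_domain(header_from)
    if not dom:
        return "unparseable"
    if dom in trusted:
        return "trusted"
    name, _, tld = dom.rpartition(".")
    for good in trusted:
        good_name, _, good_tld = good.rpartition(".")
        # Same name, different ending (.org or .net instead of .ca or .com).
        if name == good_name and tld != good_tld:
            return "lookalike-tld"
        # One character omitted, added or swapped relative to a trusted domain.
        if edit_distance(dom, good) <= 1:
            return "lookalike-typo"
    return "unknown"

def triage(from_headers):
    """Pair each From: header with its label so lookalikes can be quarantined."""
    return [(h, classify(h)) for h in from_headers]

if __name__ == "__main__":
    # Constructed sample headers.
    for header, label in triage(["Accounts <billing@example-mfg.ca>",
                                 "Accounts <billing@exmple-mfg.ca>",
                                 "sales@example-mfg.org"]):
        print(f"{label:15} {header}")
```

The label is decided from the address itself, not the display name, so a familiar name in front of a lookalike address is still flagged.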

You think you are smart, but they may be smarter
You may feel that you are protected, having done all of the necessary trainings and warnings. You even have partitioned your data within your server. Most likely you have modified your daily, weekly and monthly data back-up protocols. It is important that you always have one form of data back-up disconnected from your system, but even this may not be enough.

We are hearing about cyber-hackers installing time bombs into systems that only activate after a couple of months, effectively corrupting your entire data back-up protocols. Even having a random computer connected to your system that had been ignored after a breach can come back as a predator.

Once they get you, chances are they will be back
Indeed, as many of these cyber-hackers surf the internet for victims, they pause for only three seconds at a specific site to seek vulnerabilities and opportunities to penetrate. If you are a larger organization, or an organization with a ton of valuable and saleable intellectual property, their team will spend a ton of time and resources to get inside. Why? They are a for-profit organization and they have determined you can most likely pay the ransom and, in many cases, do not want to share with the world that you have been hacked.

But once you have been hacked and paid a ransom, there is absolutely no guarantee they will stop the demands. Most likely the invasions will continue and the ransom demands will escalate.

How to increase your defence
Step 1: Assess physical security and workplace habits
A single cursory site visit can reveal an astonishing amount about an organization’s cyber posture. Even without sitting down at a computer monitor, our team can evaluate a wide range of security factors and gauge many potential vulnerabilities, including:
Ease of access / quality of physical security: How easy is accessing common working areas and infrastructure? Are doors locked and functioning properly? Are employees consistently greeting, logging, and supervising guests or contractors while on-premises? Do team members frequently share swipe passes? Is tailgating a common practice?

Security education, awareness, and training (SEAT): Do employees consistently lock workstations when away from their desks? Do employees consistently share or discuss sensitive information in common areas? Are sensitive information and/or systems visible to visitors in common areas?

Network security and access: Is guest wireless access adequately firewalled and/or segmented from sensitive networks? Are there adequate restrictions and multifactor authentication requirements to access sensitive wired/wireless networks? How forthcoming are employees with passwords? Are employees accessing or disseminating information on unsecured guest networks? (e.g., smartphones, tablets, etc.)

Step 2: Test existing controls to understand efficacy and resilience
Leveraging both the information gathered in step one and the typical attack techniques used by cyber criminals, the team will then penetration test (i.e., attempt to breach) the organization’s information technology (IT) and operations technology (OT) systems. Some common areas we typically look to gain access to include:

Known vulnerabilities / patches: Have the organization and its employees been vigilant in updating software and firmware to take advantage of the latest security features? These so-called zero-day vulnerabilities are a common point of access for many breaches.

Build / hardening standards: Has the organization taken adequate steps to configure firewalls, servers, switches, and routers according to the most recent standards? Has it changed default passwords, adequately encrypted stored passwords, and sufficiently restricted access privileges? Are disused or outdated hardware and software still connected to the network?

Encryption standards: Does all information that flows in, out, and through the network meet industry encryption standards? Do any gaps and/or shortcuts in encryption allow malicious actors to harvest information or access the network?

Social engineering: How effective are team members at identifying and reporting malicious emails? How many (if any) log-in credentials were harvested from a simulated phishing attack? Are current education and warning measures adequate to prevent a social engineering breach?

Step 3: Map potential spread and infrastructure vulnerabilities
Properly segmented IT and OT systems are essential for slowing and ideally preventing a breach from spreading to other high-value systems. Once the team accesses the client’s network, they attempt to spread the simulated attack and compromise as many systems as possible.

Organizations that work on the assumption that they will inevitably be the victim of an attack keep critical systems independent from one another to minimize the potential damage of a breach. This can also buy critical hours to action an incident response plan, contain the attack, and ultimately recover the systems.

Embrace cyber security and privacy as a core business objective. Today’s organizations are embracing more digital tools and collecting more sensitive data than ever before. At the same time, cyber criminals are continuing to evolve their tactics to take advantage of human and platform vulnerabilities, and global uncertainty in a changing world.

There is little that organizations can do to prevent becoming the target of an attack. But every organization can take meaningful steps to improve their preparedness and minimize the short- and long-term damage of a breach, including:

- Regularly assess key vulnerabilities and cyber risk exposures
- Ensure compliance with all industry and regulatory requirements is up-to-date
- Build cyber and privacy risk assessments into all strategic and tactical planning
- Provide frequent cyber security training for all employees
- Implement and update security and privacy governance programs
- Create and regularly practice an incident response plan

Ultimately, always check before you click. Curiosity may have killed the cat, but do not let your curiosity kill your business.
_________________
Richard Kunst is an author, speaker and seasoned lean practitioner based in Toronto, who leads a holistic practice to coach, mentor and provide management solutions to help companies implement or accelerate their excellence journeys. You can reach him at www.kunstsolutions.com.