The State Department's unclassified email system became the latest victim of a cyberattack last week, around the same time that White House systems were breached. The State Department breach follows intrusions detected in the past few months at the White House, the Office of Personnel Management, the U.S. Postal Service and the National Oceanic and Atmospheric Administration. This raises the question: how safe are the systems and procedures we use every day? Surely, if these attackers can breach the systems in place at large federal agencies, they can get into your company's systems too, right? And if that's the case, is there anything any of us can really do?
The answers to these questions may surprise you. Truthfully, it is not overly difficult to design and build systems and processes that protect your company's infrastructure. It is relatively affordable and not as complex as you might expect. The problem usually lies with the humans who inhabit our buildings every day. Just as you could build an impenetrable fortress and still leave the gate unlocked, allowing enemies into your vulnerable interior, people unknowingly leave gates unlocked on a daily basis, creating opportunities for a breach.
Think about it like this: every e-mail, facility entrance, digital download, laptop or client could be an entry point for an attacker. Now consider that just about every employee in your organization is a gatekeeper for one or all of these items. It is easy to imagine the risk this creates. A simple slip-up in security procedure, such as an unlocked door, opening a spam e-mail, or downloading a hidden virus, could potentially expose your entire company. However, with the right systems in place and proper training for all employees, this risk can be reduced substantially.
So how does an organization establish that it has the right procedures and systems in place and, most importantly, how does it properly and effectively train all of its employees? Step one usually involves meeting with your IT staff to gauge their understanding of the current system setup and information security posture. They can usually help you determine how prepared, or unprepared, your organization's current plans are. Once these parameters are established, the logical next step is to test those protocols. This is the point at which an organization should consider a penetration test: an information security assessment that simulates a system breach to determine how effective the existing controls are. There are many types of penetration tests, and depending on your company's primary business you may need only one type or a combination of several. Each test should conclude with analysis, a report, and training for employees. This information is vital to improving your organization's information security.
Ultimately, it is vitally important that these tests be performed by true professionals with a proven track record of this kind of work. Genuine experts are scarce in this industry, so be wary of a lone individual offering to perform the work with little verifiable background.
Large entities such as the State Department and Apple continue to experience trouble in this area simply because of the large number of risk points each organization possesses. Through proper testing and training, your organization can effectively reduce its exposure to this sort of attack, and stay out of the media for all the right reasons.
For more information about penetration testing, security training, and IT services relating to information assurance, use our contact form below.