Vince Lombardi said, “Football is two things. It’s blocking and tackling. I don’t care about formations or new offenses or tricks on defense. You block and tackle better than the team you’re playing, you win.” As a Green Bay Packers fan, I am prone to using quotes from Coach Lombardi and fortunately, Cybersecurity Awareness Month falls squarely in the middle of the NFL season.
To be sure, Vince Lombardi did not have Cybersecurity in mind when he spoke about ‘blocking and tackling’ and while this may be a bit overused as a sports metaphor, it really does describe the first line of defense small to midsize businesses must use to protect their IT security in light of today’s threats.
Security can’t be an afterthought
When speaking to small business owners and executives about their cyber risk, I often hear a common theme of “why would hackers come after us, we’re a small company?” If this is how you are thinking, you are clearly not alone. In a large survey of small businesses, 87% said they do not believe they are at risk for an attack. Yet, according to the U.S. Securities and Exchange Commission, half of small to midsize businesses experience cyber-attacks. Why? Small businesses are usually easier targets.
Here are some findings from the 2018 Verizon Data Breach Investigations Report:
- 58% of breaches are small businesses.
- 36% of breaches are personally identifiable information (PII) like name, social security, birth date, place of birth…
- 49% of malware was installed by email.
Don’t be an easy target
Most hackers are motivated by money. Their goal is to steal and sell your data and they’ll take the path of least resistance to get it. Are you making their job easy and essentially handing hackers the keys to the store?
Security breaches happen quickly. In those 93% of cases where data was stolen, systems were compromised in minutes or less—and in most cases, victims didn’t find out about the breach for months. In other words, by the time a business is hacked, it is too late to start thinking about prevention. That’s like remembering to get the flu shot after coming down with the flu.
Know your risks
Think about your own organization, where are you most vulnerable? How do the vulnerabilities impact your products, services, or regulatory position? Do you have enough measures in place to shrink the threat surface hackers can exploit? In other words, how would a hacker see your organization from the outside and how would they get in?
“It’s no longer enough to be content that things are secure. Systems must be robust and able to withstand glitches in the infrastructure,” says Gene Fredriksen, chief security strategist for PSCU, the largest credit union services organization in the country. “If we look at recent breaches…the one thing we cannot afford to do is forget how to block and tackle. We’re not just talking about security anymore; we’re talking about resilience.”
As threats get more complex, resilience requires more ‘complex’ defenses
Storage of much larger amounts of data, increased use of mobile devices, and the need for anywhere and anytime access to data are just a few of the technology issues that add to security complexity—and bad actors thrive in complexity.
What’s more, hackers use methods that are not always obvious or easy to detect. And, they are very resourceful. They use press releases, social media, and company websites to learn information to craft emails that employees are likely to open. Personal information like schools attended, favorite movies, pets, family members, friends, birthdates, job history, and hobbies can be found in simple searches that help hackers break passwords.
Blocking and tackling—stay strong on doing the basics
Back to knowing where you are vulnerable as an organization, can you answer that question? Most companies don’t have IT security expertise, so don’t feel bad. As a result, more and more small businesses are relying on managed security services to compensate to help supplement their in-house skills. In addition, most businesses should be investing more in preventative IT security than historically has been done. This brings us back to our ‘blocking and tackling’ metaphor.
Due to the increasing complexity of hacking methods, there is a temptation to look past the basics to newer, and typically more expensive, security technology. While there can be value to these products, before any company looks at them, managed security experts continue to ring the warning bells on the importance of maintaining basic system security. Many breaches are avoidable with well-known security measures such as:
- Prompt Microsoft and Third-party Patching that when done well, will render most attacks via malicious email links and malware-infected attachments (such as ransomware) useless. Most of these attacks use well-known exploits that have already been addressed, but only if patched.
- Password Policies require rules such as password complexity, expiration dates, length, and lockouts so that passwords are difficult to crack.
- Encrypting Sensitive Data at rest and in transit to make data next to useless if stolen.
- Two-Factor Authentication for critical systems to limit the damage of lost or stolen passwords.
And while it technically is not a security measure, ‘blocking and tackling’ also includes having effective backups in place in case all security measures fail, and your system needs to be restored from a backup.
Get everyone involved in keeping your organization’s security safe
Last, but certainly not least, is employee training. Technology can’t do it all and even the best technology can be evaded by the actions of one careless employee. Don’t assume that your employees know what they should look for in malicious emails, our experience is that most don’t, and keeping everyone up to date requires regular training. Fortunately, there are informative and cost-effective tools now available to both educate your employees, as well as to test how well they have learned the material.
It takes commitment from people at all levels of your organization to keep bad actors from knocking on your system doors. Lombardi said, “The achievements of an organization are the results of the combined effort of each individual.” Like football, security is a team effort!
