
Nothing is secure – Cybersecurity in the age of Kompromat

(Image credit: Methodshop / Pixabay)

Kompromat. A year ago, we never would have imagined that a relatively obscure Russian term would be dominating news coverage and be the subject of a months-long investigation. In the last year, however, we’ve heard so much about election hacking and the notion that bad actors are out there using the techniques of kompromat (the collection of compromising information about people and organizations, popularized by the K.G.B., called the FSB or Federal Security Service these days) to gather material for later use in blackmail or ransom schemes.

In fact, an expert Russian operative who was recently in the news has said that “nothing is secure,” and he should know. Far from being over, the Russian spy drama has reached the highest levels of U.S. and international governments, and the consequences are still unclear. As the CEO of a cybersecurity vendor, however, I am gratified that people are actively thinking about making their systems, networks and devices more secure.     

The publicity around kompromat contributes to an environment of paranoia. The notion that literally nothing is safe from the bad actors is slowly seeping into the public consciousness — but this is a good thing, because too many individuals and organizations haven’t yet accepted the new reality of an insecure world and have not taken proactive measures to thwart hackers and ensure data security. Facing the facts when it comes to the possibility that one’s data may fall into the wrong hands is the first step to avoiding the devastating consequences, both financial and to one’s reputation, that can result from a security breach. 

In some cases, practitioners of the “art” of kompromat are looking for economic and/or political advantages, and, in some cases, they are also looking for information that can be used for blackmail, according to published reports from security experts. But no matter what they’re looking for, these bad actors are disciplined and effective and work through a very methodical process to uncover information that most people would not want exposed.      

It is against this backdrop that some basic preventative actions can make your world more secure and help to overcome the fear and paranoia. The first step is having a security plan and identifying a CISO (Chief Information Security Officer) in your organization. For small businesses that may not have the IT resources to designate a CISO, working with an outsourced provider to develop a security plan and “posture” may be the best option. As an individual or sole practitioner, that means making security a personal priority. But no matter what form it takes, one must establish a “chain of command” for security. The next step is to arrange a security audit designed to reveal areas that require attention. The audit and the chain of command are the foundation for an overall security plan, designed to work in concert with hardware, software and network fixes, and should not be ignored by even the smallest companies.     

After a security plan is put in place, basic execution begins with rigorous attention to physical, device and network security – the true front lines of defense against cyberattacks that spread malware, spyware and ransomware that provide an open door to sensitive information for kompromat or other nefarious uses. All companies and individuals will need a firewall that defines what kind of network traffic and information can enter and leave various systems, and current, regularly updated anti-virus protection is absolutely mandatory.

Encryption of data is the next priority for protecting the data on devices, including PCs, laptops, tablets, smartphones and USB memory sticks. Leveraging encryption technology will help ensure that unauthorized users can’t get into machines. An encrypted laptop is a “bricked” computer which provides only useless data to those who are unable to provide correct login details. An encrypted hard drive also mitigates the possible threat of unauthorized entry to networks and cloud applications, in case the user has saved the login credentials in the browser. This is particularly important given the number of cloud-based services that are frequently used, which require registration and login information that can be easily hacked – everything from systems of record in the enterprise and online fitness trackers to banking, finance and healthcare websites and apps. This is why each laptop in the organization should also be backed up by multifactor authentication as an extra layer of protection for network access.      

Finally, point-to-point network security should be considered. Encrypting data in transit with a VPN (virtual private network) helps prevent theft of data as it travels across networks, making it resistant to packet sniffing attacks and indecipherable to thieves who might steal it during the process of executing a transaction.   

With all of the talk of spies and skullduggery around us, implementing security fixes may seem like a daunting task. But organizations can utilize resources that won’t overtax budgets or IT departments when pursuing a broad and deep cybersecurity strategy. Vendors of cloud-based security solutions, as well as systems integration partners and consulting firms, can be tapped to handle the challenging and frequently tedious work of securing laptops, tablets and network connections. These firms can also help companies manage their overall security policies and develop an approach so that a laptop or a smartphone lost in an airport, for example, becomes “no big deal,” as opposed to an embarrassing and potentially expensive crisis. What’s more, a managed cybersecurity strategy procured through a vendor or consulting firm can not only help companies thwart kompromat and corporate espionage, it can also help them achieve compliance with regulations such as the European Union’s General Data Protection Regulation (GDPR), new and important privacy requirements that will govern all companies doing business in the EU. 

Yes, it is scary out there, and each alarming news cycle seems to peel back and reveal a new layer of the kompromat “onion.” And because kompromat can be highly effective for bad actors, there is no sign of it slowing down or being abandoned. But the good news is that there are basic and easy steps to take to make your world more secure. In the era of kompromat, focusing on security fundamentals and replacing fear with action is the best and safest way forward.

Ebba Blitz, CEO of AlertSec 


Ebba Blitz
Ebba has been on the AlertSec board since its founding in 2007 and CEO since 2015. She is a frequent speaker on IT security and compliance.