Bar none, your employees and data are your organisation’s most valuable resources. As such, a data breach can bring devastating, long-term financial and reputational repercussions.
The 2019 Cost of a Data Breach Report, conducted by Ponemon Institute, estimates the average total cost of a data breach in the U.S. is close to $4 million, and the average cost for each lost data record is around $150.
Hackers are becoming more sophisticated. The days of securing a computer, application, or website with a basic username and password have long passed. According to Verizon’s 2019 Data Breach Investigations Report, weak, default, or stolen passwords are the reason for 80 per cent of hacking-related breaches.
IT systems security must be done right, using a holistic, multi-faceted approach.
Multifactor Authentication (MFA) is becoming the norm as it adds an extra layer of security to the standard username and password. Authentication previously just meant typing in a simple username and password, but MFA requires the user to provide an extra step of authentication (combining a variation of something you know, something you are, something you have, or your physical location). MFA can be crucial for not only protecting data, but also complying with strict government regulations—such as HIPAA and PCI-DSS.
We recently asked a few industry professionals how they go about protecting their organisations’ – and, in some cases, their clients’ – IT systems and data. Here’s what they had to say.
What’s the best way for a company to manage attacks on their IT systems?
“Make sure you get expert advice, even if that means you train someone in-house [to be that expert],” says Benjamin Grant, founder of Lapidux, a UK-based cybersecurity consultancy. “Besides that, proactively check for indicators of compromise, whether that may be strange processes taking RAM/CPU, or unusual ports being used. Post-compromise, always airgap the affected hardware and preferably reimage it (or perform a factory reset), but not before investigating what data could’ve been stolen and whether the attackers had an opportunity to pivot in your network.”
Ilan Sredni, CEO of Fort Lauderdale, Florida-based Palindrome Consulting, an IT services and support company, says backups must be reviewed and tested as often as possible, because “without a good backup, there is no way to return to a certain level of normalcy.”
He also suggests having “a strong process by which to monitor the network for any unexpected visitors or changes to the infrastructure,” and he strongly recommends employee training.
“As the saying goes, ‘a chain is only as strong as its weakest link,’” Sredni explains. “With proper training, an organisation can expect passwords to be handled safely and properly control access management to the network.”
Has your organisation been breached, and if so, how did you respond?
“No, but several clients have,” Grant says. “The response I see from clients is always a mix of panic and secrecy. No one wants to admit to a breach. However, it’s important to be realistic about the situation and to reach out for help, as well as inform the appropriate organisations, so your customers are protected and informed. Actual incident response is different on a case-by-case basis.”
Tim Uittenbroek, founder of VPNMash.com, a company dedicated to online privacy education, says: “A large number of login failures were detected once by the CSF (ConfigServer Firewall) to our organisation’s landing page. The login attempts were made from the same IP address. The CSF immediately blocked the IP address from all services on our server. […] The CSF also allows you to manually whitelist or blacklist IPs in your firewall.”
How should organisations respond to threats from hackers?
“As a managed service provider, we have this conversation with clients quite often,” Sredni explains. “There isn't one protocol that can be vetted and implemented since the threat is constantly changing.”
Uittenbroek says system firewalls “are necessary to secure outgoing and incoming packets of data,” and the CSF Firewall has “served the purpose for data inspection and incident prevention” for his company.
What do you see as the most overhyped security protocol facing the industry today?
Mike Gruen, VP of engineering and CIO for College Park, Maryland-based Cybrary IT, Inc., a community where people, companies, and training come together to revolutionise the cybersecurity educational experience, says, “Requiring staff to rotate complicated passwords every so many number of days” was “proven ineffective many years ago, but we still see people swear by this [method] and enforce [it] heavily. This is the type of thing that forces users to write their current password down on sticky notes or use guessable patterns.”
“Anything blockchain-based is an immediate buzzword indicator,” Grant says. “Furthermore, anything that claims to be ‘unhackable’ is simply a lie. However, perhaps the most overhyped protocol [is] password requirements. Forcing a user to follow certain requirements does nothing to help. A strength indicator or [checking] to see if it’s a commonly used password are much better defences against brute force and credential stuffing.”
So, how does your organisation handle password and access management?
Max Sviechnikov, a software architect for Palo Alto, California-based Litslink, an award-winning app development company, says, “The password and access management process is highly dependent on the project conditions: development time, customer needs, total budget, and monthly cost of the resource. In most cases, we use turnkey solutions like AWS Cognito, Google’s Firebase, and similar resources, depending on system requirements. We also work with the projects where we store passwords on our [backend] side, pre-encrypting data with the help of cryptographic algorithms for one-way conversion of classified information.”
“We use a single sign-on provider with multi-factor authentication required,” Gruen says. “For shared secrets and credentials that do not support [single sign-on], we use a business-grade password/secrets manager. […] In my opinion, these are the bare minimum requirements for any organisation.”
“At Lapidux, and at several client sites, we use KeePass to handle our passwords,” Grant adds. “It’s open source and free, and the portable database which is stored offline is convenient to carry on an encrypted USB or even secure cloud service. There is no middleman you must trust, and there are several forks (KeePassXC) that are also great. Access management is generally through a private key or secure, generated password. Two-factor authentication is enabled wherever possible, but not SMS due to SIM swapping risks.”
Tom Mowatt, managing director, Tools4ever U.S.