Bad neighbourhood
Monday, April 16 2007

Security is no longer an issue only for large enterprises; smaller companies have become easy targets and must therefore take precautions.

If you’re a CIO at a mid-market company, you know you’ve got a problem. It gnaws at you and keeps you up at night. You know that hackers, fraudsters and even organised crime are increasingly targeting your company’s systems and applications. They’re going after personal data, customer accounts and trade secrets. The bad guys are purchasing goods with stolen credit cards. They’re working hard (perhaps harder than you are to stop them) to get their hands on anything of yours that may be of value to them.

The truth is, you’re so worried about your security posture that you don’t even want to talk about it. But we know (because experts tell us) that compared with CIOs at large corporations, mid-market CIOs like you don’t have the budget, the sophisticated IT skills on staff or the time to take away from core IT operations to build better defenses. You’re wide open, and right now you’re just hoping you’ll get lucky enough to duck something terrible coming at you from an unknown direction.

Increasingly, the neighbourhood you live and work in has become a dangerous place. A lot of attacks are being made on the mid-level companies because it’s a smaller hill to climb. This is a plain fact.

Big scary numbers

Mid-market companies across the world are extremely vulnerable. These companies have low security budgets within their annual spending and, on top of that, typically don’t have a security expert on staff. Only a small percentage employ a CISO, compared with large corporations. Finally, mid-market CIOs don’t have the tools to identify their weaknesses. Fewer than a third use vulnerability scanning software to find holes in their systems, while their larger counterparts do.

Until recently, the security gap between mid- and large-market companies hasn’t been an issue. The percentage of mid-market CIOs reporting successful cyberattacks last year was about the same as the percentage of large companies. But security experts agree that the number of cyberattacks on mid-market companies began rising last fall and continues to do so. The trend is clear.

Smaller corporations are where the problems are today. [Attackers] know these companies don’t have the budgets or expertise to have strong security.

But you’re not helpless. We have collected some security fixes and technologies that experts say will harden your systems without draining your budget or requiring you to extend the day past 24 hours. While these fixes and tools will not make your systems attack-proof, they can make life more difficult for the cyberscum. And that’s what cybersecurity is all about. Like crooks of any stripe, cyberthieves are looking for easy targets. If they come up against a site that’s even marginally more difficult to hack than others, in most cases they’ll move on to easier prey.

The changing threat

Last year was a relatively quiet one on the security front. No major viruses struck down entire networks, and the percentage of corporations hit by viruses has been on a steady decline.

But what that report doesn’t address is the changing nature of the attacks and their targets. No longer are attackers trying to bring down large networks for hacker bragging rights; cyber attackers are now in it for the money. Hackers and fraudsters are deliberately staying under the radar now. They’re going undetected until they do what they want to do. And even then, sometimes you don’t know until the money is long gone. Consequently, many attacks go unreported.

End users will talk about getting hit by widespread viruses, but they won’t talk about how they got completely cleaned out by a targeted attack.

But now it’s time to talk about it before you’re a victim.

And here’s what you should be talking about.

Assess, then patch

Cyber thieves look for the path of least resistance. That means they’re looking for known vulnerabilities in applications and networks—those holes that have been published online and for which vendors may or may not have provided patches. That’s why security experts say patching known vulnerabilities is the most effective defense against cyberattacks, reducing your risk by at least half, if not more, they say.

We know, you’ve heard this before, ad nauseam. But the fact is, a large portion of CIOs simply don’t do it. Fewer than half of all mid-market CIOs say they have deployed some kind of patch management tool. No wonder hackers continue to find plenty of opportunities.

So why not patch, and patch often? Keeping up to date on the release of patches and determining which ones apply to your applications and networks is a time-consuming task. In addition, applying the patch, testing whether it affects the performance of the application or network, and then deploying it enterprise wide requires even more time and could slow your systems down.

To make patch management less cumbersome, it is suggested that mid-market CIOs keep up to date on patches that are specific to the applications and systems that provide access to sensitive information. Firewalls that allow access to systems and data through a Web server should get more attention than, say, those connected to operating systems. To know which applications and systems are most critical, you will have to do a risk assessment or a threat-modelling exercise. That means knowing your business and where the most sensitive data is. Talk to business unit leaders to learn where sensitive data is stored and what applications are used to access it. That list then becomes your “patch watch list” and should get a high priority in your weekly agenda.

How to fight retail fraud

Patches may be a good way to fend off hackers. But what happens when the fraudsters masquerade as legitimate customers to steal account information, credit card numbers or to make fraudulent purchases? For mid-market merchants, this is rapidly becoming an epidemic. This kind of fraud “is moving farther downstream to the smaller and mid-size online merchants. It’s becoming more sophisticated and organised.”

But how you secure systems against it doesn’t have to be sophisticated or costly. Any company that stores sensitive data can follow some basic and inexpensive processes to scan for fraud. Here are some steps security experts say you can take:

 Familiarise yourself with buying patterns.

An unusual increase in your company’s sales during a typically slow period could indicate fraud. But make sure you rule out other causes. Is the spike the result of an advertising campaign, the purchase of keywords on Google or some other promotion?

 Know where the majority of your purchases come from.

If large orders are being sent to, or other places where you rarely, if ever, do business, that could indicate fraud. Fraudsters have advertised on Monster.com and other job sites looking for people willing to work from home, make large purchases on websites and then send the goods to their home address.

 Check the quantity purchased.

If most customers purchase one or two of a particular item and you see a single purchase for much more, you may want to check out the buyer. Call the customer, and if he declines to provide information about the bank or credit card he used, it is advised that you decline the purchase.

(Scanning purchases doesn’t have to take a lot of time and can be done quickly by downloading the files into an Excel spreadsheet and then searching appropriate columns for unusual numbers or addresses or patterns. And you don’t have to buy an expensive artificial intelligence application to do so. It is recommended that mid-market companies hire a college student to sift through each order. This can be remarkably effective. Neural networks are no smarter than a smart college student.)

 Compare the IP address with the physical address.

If the purchaser says he lives in Denver but the IP address is in Georgia, call the customer to verify credit card information.

 Don’t be a pack rat.

If you don’t need to store credit card numbers or any personal information, then don’t. Keep the information for as long as you have to for business purposes, such as during a billing cycle, and then delete it from all databases. If you don’t have personal information in your system, hackers can’t steal it.
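The quantity, destination and IP-versus-address checks above can be run over an order export with a short script instead of a spreadsheet search. This is an added example, not code from the article; the column names, the thresholds and the sample rows are constructed, and it assumes the export already carries a region looked up for each buyer's IP address.

```python
import csv
import io
from collections import Counter, defaultdict
from statistics import median

# Constructed sample export; column names are assumptions, not from the article.
ORDERS_CSV = """order_id,item,qty,billing_region,ship_region,ip_region
1001,camera,1,Colorado,Colorado,Colorado
1002,camera,2,Colorado,Colorado,Colorado
1003,camera,1,Texas,Texas,Texas
1004,camera,1,Colorado,Colorado,Georgia
1005,camera,12,Texas,Texas,Texas
1006,camera,2,Texas,Nevada,Texas
1007,camera,1,Colorado,Colorado,Colorado
1008,camera,1,Texas,Texas,Texas
"""

def screen_orders(csv_text, qty_factor=4, rare_share=0.15):
    """Return {order_id: [reasons]} for orders that deserve a phone call."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Baseline 1: typical quantity per item (the median is not skewed by
    # the one large order we are trying to find).
    per_item = defaultdict(list)
    for r in rows:
        per_item[r["item"]].append(int(r["qty"]))
    typical = {item: median(q) for item, q in per_item.items()}
    # Baseline 2: how often each shipping destination appears in this export.
    dest = Counter(r["ship_region"] for r in rows)
    flags = defaultdict(list)
    for r in rows:
        if int(r["qty"]) >= qty_factor * typical[r["item"]]:
            flags[r["order_id"]].append("unusual quantity")
        if dest[r["ship_region"]] / len(rows) < rare_share:
            flags[r["order_id"]].append("rare destination")
        if r["ip_region"] != r["billing_region"]:
            flags[r["order_id"]].append("IP/address mismatch")
    return dict(flags)

if __name__ == "__main__":
    for order_id, reasons in screen_orders(ORDERS_CSV).items():
        print(order_id, ", ".join(reasons))
```

A flag here is a prompt to call the customer, as the steps above advise, not proof of fraud.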

The enemy within

Employees account for about 90% of all fraud and data theft in a company. Two-thirds of the survey’s respondents also cited temporary employees, as well as disgruntled and terminated employees, as posing the greatest security risks.

By building a profile of high-risk employees, you can know what systems to monitor and thereby lower your risk. For example, focus on temporary employees (typically hired during seasonally busy times) who have access to sensitive data. These employees have less loyalty to a company and are more susceptible to being importuned to steal.

Call centres are a prime target for fraud. CIOs can reduce their risk there by following a couple of simple and inexpensive rules. Benchmark what a typical call centre looks like and then periodically scan the database for calls that do not fit that profile. For example, if a typical call requires a rep to access one file, you may want to flag any call in which a rep accesses three or four files.
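The call-centre benchmark described above, sketched as an added example (not code from the article): it derives the typical number of customer files opened per call from the access log itself, then flags calls well above it and counts them per rep. The log layout, the `slack` margin and the sample records are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed access log: (call_id, rep, customer_file). Field names are assumptions.
ACCESS_LOG = [
    ("c1", "rep_a", "F100"), ("c2", "rep_a", "F101"),
    ("c3", "rep_b", "F102"), ("c3", "rep_b", "F102"),   # same file reopened
    ("c4", "rep_b", "F103"), ("c5", "rep_c", "F104"),
    ("c6", "rep_c", "F105"), ("c6", "rep_c", "F106"),
    ("c6", "rep_c", "F107"), ("c6", "rep_c", "F108"),
    ("c7", "rep_a", "F109"), ("c8", "rep_c", "F110"),
    ("c8", "rep_c", "F111"), ("c8", "rep_c", "F112"),
]

def profile_calls(log, slack=2):
    """Benchmark files-per-call; return (baseline, flagged calls, per-rep counts)."""
    files = defaultdict(set)   # call_id -> distinct customer files opened
    rep_of = {}                # call_id -> rep who handled the call
    for call_id, rep, customer_file in log:
        files[call_id].add(customer_file)
        rep_of[call_id] = rep
    # The "typical call": median number of distinct files touched per call.
    baseline = median(len(f) for f in files.values())
    # Flag calls that exceed the typical call by the chosen margin.
    flagged = {c: len(f) for c, f in files.items() if len(f) >= baseline + slack}
    # Repeated flags against one rep matter more than a single odd call.
    per_rep = defaultdict(int)
    for c in flagged:
        per_rep[rep_of[c]] += 1
    return baseline, flagged, dict(per_rep)

if __name__ == "__main__":
    baseline, flagged, per_rep = profile_calls(ACCESS_LOG)
    print("typical files per call:", baseline)
    print("calls to review:", flagged)
    print("flags per rep:", per_rep)
```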

Pay less now or more later

Security experts want to make sure that mid-market companies get one clear message: Common sense goes a long way.

Mid-market CIOs should approach security much the same way, following some basic precautions that will do a lot in protecting your systems even if they don’t build an impenetrable wall. Any statistician will tell you a 50% reduction in your risk is huge. These steps, if followed, can provide that reduction, security experts say. Not to do so is irrational. Those who have been attacked and lost almost everything always wish they’d at least done something.

Anything.

© 2008 Corporate Publishing International (CPI) RWME.net. All rights reserved. For more information e-mail us at webmaster@cpilive.net. Send your press releases to newsdesk@cpilive.net. DISCLAIMER: RWME.net acts as a channel for vendors to deliver their news. Although material is checked, CPI accepts no responsibility for content.