By Kevin P. Martin, Jr., CPA, MST
Olympic officials have confirmed that a cyber-attack took place on Friday during the opening ceremonies in Pyeongchang. While it appears that the Olympic website went down and television and internet access were affected, spokespeople have suggested that the attack had “not compromised any critical part of the Olympic operations.”
Who is behind the attack? Investigators aren’t telling. Some say it was North Korea, since the Winter Games are being staged only 50 miles from the border with North Korea, which is technically still at war with the South because their 1950-1953 war ended in a truce rather than a peace treaty. Some say it was Russia, banned from The Olympics for doping. Regardless, nobody’s talking, and international best practice suggests that you don’t talk publicly about the source of attacks.
It is easy to think that cybercriminals are so busy focusing on big-time stuff – like The Olympics – that they are not interested in our much smaller organizations and businesses. The “not much to steal” mindset is common when it comes to cyber security, but it’s also incorrect. In reality, the U.S. Congressional Small Business Committee found that 71 percent of cyber-attacks happened in businesses with fewer than 100 employees.
What are some cyber-attack best practices? Let’s talk about 8 of them, all of which KPM can help think through with you and execute.
- Firewalls
One of the first lines of defense in a cyber-attack is a firewall. Firewalls provide a barrier between cybercriminals and your data and systems. If you are letting your employees connect from home, it’s also important that you install a firewall on their home networks as well. Your remote-access policy should consider requiring firewalls for home access and only allowing connections from secure networks. Providing employees with firewall software and ongoing support for home networks goes a long way toward ensuring compliance.
- Documentation of Cyber Policies
Most smaller organizations use word of mouth, long-standing employees and institutional knowledge to run their networks. Cyber security is one area where it is essential to document protocols. Protocols that aren’t documented? That’s the sweet spot for criminals, allowing for vulnerabilities that can be exploited. Good governance using a risk-based approach is more important than any cyber software in the security tool kit.
- Mobile Devices
Smartphones are a given, and with the popularity of wearables, such as smart watches and fitness trackers with wireless capability, it is essential to include these devices in a good cyber policy. Norton by Symantec recommends that companies require employees to set up automatic security updates and require that the company’s password policy apply to “all” mobile devices accessing networks. Organizations should also consider the types of data they allow on mobile devices and have controls in place that let them lock down or remotely wipe devices if they get lost.
- Employee Education
Like all best practices, education is key. In smaller organizations, IT professionals often wear many hats – all the more reason that regular updates on new protocols are so important. Ongoing training programs are incredibly important. And as a baseline for accountability, each employee should sign a document stating that they have been informed of the policies and understand the actions that may be taken if they do not follow them.
- Passwords
I hate changing my password! It seems that at the exact moment I’ve got it memorized, it’s time to change it again…and maybe that’s the point. A Verizon Data Breach Investigations Report found that 63 percent of data breaches happened due to lost, stolen or weak passwords. The same report also found that the majority of organizations with password policies do not enforce them. Password vaults, in which all passwords are stored in a single, encrypted database that requires only one password to open, are becoming increasingly popular.
- Data Back-ups
While our primary focus is on preventing a breach, breaches still happen in good systems. That is why back-ups are important – documents, electronic spreadsheets, databases, financial files, human resources files, accounts receivable/payable files, and regulated data such as HIPAA files. Be sure to back up all data stored in the cloud. And…make sure that backups are stored in a separate location in case of fire or flood. Back-ups should be tested periodically. Many ransomware attacks are successful because the company’s back-ups were faulty and they couldn’t restore the data. And while back-ups are important, knowing what’s being done with your data by employees and vendors is just as important.
- Anti-Malware Software
How many of us have opened a phishing email? Too many of us! Since phishing attacks involve installing malware on the employee’s computer when the link is clicked, it’s essential to have anti-malware software installed on all devices and on the network. And because malware detection software is not foolproof, many best practices come back to training. One common best practice is to have clear policies that detail how confidential data will be requested and delivered. Such a policy will eliminate some phishing schemes that ask for confidential information to be emailed to someone impersonating management.
- Multi-factor Authentication (MFA)
Regardless of your preparation, many employees will make security mistakes that can compromise your security. We’re all human. MFA is a security system that requires more than one method of authentication, from independent categories of credentials, to verify a user’s identity for a login or other transaction. The goal of MFA is to create a layered defense and make it more difficult for an unauthorized person to access a target. If one factor is compromised, the attacker still has at least one more barrier to breach before successfully breaking into the target. Turning on the MFA settings in most major network and email products is pretty simple to do and provides an extra layer of protection.
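To make the “one compromised factor is not enough” point concrete, here is an added example (not from the original post or from KPM) of a login check that requires both a salted password hash and a time-based one-time code, following RFC 6238 TOTP. The account, salt and password are constructed for the demo; the TOTP secret is the RFC 6238 test key so the codes match the published vectors.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo account: the TOTP secret is the RFC 6238 test key, the rest is made up.
RFC6238_SECRET = b"12345678901234567890"
DEMO_USER = {"salt": b"constructed-salt", "totp_secret": RFC6238_SECRET}


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen user store does not give up the first factor cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


DEMO_USER["pw_hash"] = hash_password("correct horse battery", DEMO_USER["salt"])


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    # RFC 6238: HMAC-SHA1 over the 30-second time counter, then dynamic truncation.
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, timestamp: int, window: int = 1) -> bool:
    # Accept the current step plus one step either side to tolerate clock drift.
    return any(hmac.compare_digest(totp(secret, timestamp + d * 30), code)
               for d in range(-window, window + 1))


def login(user: dict, password: str, code: str, timestamp=None) -> bool:
    ts = int(time.time()) if timestamp is None else timestamp
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, ts)
    # Both factors are evaluated before deciding, so a failed login does not
    # reveal to the caller which factor was wrong.
    return pw_ok and code_ok
```

A leaked password alone (`login(DEMO_USER, "correct horse battery", "000000")`) is refused, which is exactly the extra barrier the paragraph describes.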
Security is always going to be a moving target. And regardless of where the Olympic Games are held, and regardless of whether a country is to blame, for garden-variety cyber criminals…it’s not a new sport. Criminals are getting more advanced every day…and they’re always going to be looking to steal whatever they can from whomever they can.
While nothing is guaranteed, there are many best practices…including a good response playbook, periodic risk assessment and testing…and maybe that’s our most important reminder today. Looking for more? Follow us on Twitter @KPMCyberEdge @KPMAssociates @KPMCPA.