With 2017 just round the corner I’m sure you’ll agree with me when I say that we’ve had some big cyber attacks in 2016.

Here are the most well-known ones that were reported:

  • Hilary Clinton
  • Yahoo
  • TalkTalk
  • LinkedIn
  • Dropbox

What about all the others? Well, it’s fact that small and medium size businesses are getting hit all the time by various IT security and cyber threats. (They are just not reported)

In this article, you will learn what some of the most obvious weaknesses are in your own business, what practical steps can be put in place and lessons that can be learnt by the big hacks mentioned above.

That fake invoice in your email.

I’m sure you are well aware of the fake invoices and attempts to extort all sorts of personal and business banking information sent out in emails. The question is, are your staff? Who is the weakest link in the chain? It only takes one and that the consequences can be severe.

There’s obviously the fallout from a ransomware attack or someone fraudulently extorting money from the business but what about the HR fall out of that one person that opened that one dodgy email and thought it was real?

Putting the right IT security policy and processes in place when a new member of staff joins the team is key. Is that current IT policy that has not been updated since social media was a thing in the workplace? That’s so 2012 you need to update with the latest IT security processes.

We can take this one step further, what if that fake email does not look fake. What if it looks like one of your supplier’s emails? What processes do you have in place to check that the invoice is genuine?

The Trump victory hack.

We’ve discussed this one before (here) but Hilary’s top advisor John Podesta had his emails hacked:

Saturday, March 19, that appeared to come from Google. It warned that someone in Ukraine had obtained Podesta’s personal Gmail password and tried unsuccessfully to log in, and it directed him to a website where he should “change your password immediately.”

Podesta’s chief of staff, Sara Latham, forwarded the email to the operations help desk of Clinton’s campaign, where staffer Charles Delavan in Brooklyn, New York, wrote back 25 minutes later, “This is a legitimate email. John needs to change his password immediately.”

But the email was not authentic.

What’s the lesson here? Who’s doing your IT support?

Seriously what are their security processes and policies? Ask them.

Let me tell you a little secret that will make you question your current IT provider.

Ready?

Let’s say I was a hacker and I wanted to get into your email. I just happened to know who your IT support provider was.

Gave them a call imitating either you or one of your employees over the phone and stated to the 1st line help desk guy that was on the other end, “Hey I can’t get into my email – it’s saying the password is incorrect”.

What do you think would happen in this situation, do you suppose the 1st line helpdesk support are going to verify you are who you say you are?

Give it a try, you will be in for a big surprise.

TalkTalk’s insecure website.

This was an interesting case, a 17-year-old kid managed to hack TalkTalk’s website using SQL injection on their website. This gave them access to all customer records.

What is surprising about this case is the fact that the website was so insecure, SQL injection is a well known ‘hack’ and should have really not been a vulnerability on a company like TalkTalk as there are of course a technology company.

The other interesting piece to this story was the fact that 157,000 customer records were breached but TalkTalk’s fine was only £286,295 for having such an insecure website. That equates to £1.82 for every customer. I’ve got a feeling that all those personal details are worth a lot more than £286,295 in the hands of the fraudsters.

Shocking.

What’s the lesson to be learnt here? I guess the question is how secure is your website? Most businesses outsource website design and development to a Web agency (AKA Digital Marketing Agency). With the majority of websites now using a content management system (CMS) like WordPress or Joomla.

Most major CMS’s release periodic security updates when weaknesses are found in their systems and it’s usually the web agency to update the CMS with the latest patch.

There’s a big BUT.

The majority of web agencies are too busy chasing for clients and developing new websites to have the resources to update their existing customer’s content management system.

I strongly advise you ask the website agency or developer who built your website to report on what type of content management system you have and a report on when updates are performed.

You can get a list of when the latest updates were released here to cross reference against your web agency’s report.
WordPress
Joomla
Drupal
Kentico

Google Search “CMS Name + Release Date” if yours is not listed.

Let’s round this up.

Initially, this was going to be a mega post 3000+ words about IT security however I’ve probably done a good enough job of pointing out some of the most serious weaknesses in many organisations so going to wrap it up.

In summary, what can we conclude?

1/3 People

The weakest link in your IT security is not the technology you use or have deployed to help protect against cyber threats. The weakest like are your colleagues. Most likely the new start that does not have a clear idea of what risks are posed to the business by incoming emails or visiting the wrong website.

2/3 IT Helpdesk

Your IT helpdesk needs a kick up the backside. Yeah sure if you are supported by a major national IT provider they’ll run through security checks but local IT providers need to up their game.

3/3 Website Agencies

Again this is a 3rd party issue but make sure your website team are keeping on top of the latest threats. Get them to report on your hosting and patching they should actively be carrying out.

Finally

This is where IT Rockstars come in. We can act as a 3rd party and audit your businesses IT security. Point out where the weaknesses (the ones not mentioned here) are and formalise an action plan.

If you found this article helpful or insightful, maybe you just think it’s pure nonsense I’d love to hear your option below.

 

Credit to image source: https://www.flickr.com/photos/zeeyolqpictures/