Do you imagine that your website and network are as safe and secure against external cyber attack as those of the IMF, the CIA and the US Senate? Are you likely to have spent as much on cyber security as Sony, Nintendo, Sega, Fox, PBS and the rest? And do you think that, because you’re not a high profile organisation, you are immune to cyber attack?
If your answer to the first two questions is ‘No’ but you’ve answered ‘Yes’ to the third, then I have to tell you that you are deluding yourself: all organisations, irrespective of size or sector, are at risk of cyber attack. The organisations that make the headlines are those with a high media profile – the multitudes of smaller hacked organisations do not make interesting front-page news and therefore get to suffer in silence. Absence of press coverage does not mean absence of cyber attack.
The first part of a cyber attack is usually automated: a free-standing, web-based ‘sniffer’ programme seeks out web security vulnerabilities (remember, known security vulnerabilities are all publicly listed) and, in many instances, the subsequent attack – aimed at stealing information or simply taking over computers to use as part of a zombie botnet – is also automated.
Sometimes the attack comes by means of an ever more carefully crafted ‘spear-phishing’ email and, increasingly, the attack is made possible when a member of staff downloads malware from an infected site – malware disguised as something important.
Every organisation has to take adequate steps to protect itself against external cyber attack. There are two practical ways of doing this. The first is to have quarterly ‘hackerguardian’ vulnerability scans run to check the security of your websites and externally facing IP addresses. PCI-compliant organisations already do this, but it is a basic security step that all organisations should take. The second is to have six-monthly penetration tests carried out. Pen tests look for opportunities to exploit vulnerabilities and security weaknesses that the scans might have missed. Sensible organisations will do both of these things, and will also take steps to ensure that they have a tried and tested incident response procedure to deal with those instances where front-line defence fails.
Unless you take action today, you may be tomorrow’s cyber victim.