Jessica Merritt of Online Reputation Management recently asked the question — what are the biggest security threats facing companies today and how do they have the potential to affect reputation? In her article she identifies 9 tips to protect against security threats and compromised reputations. While one of my tips was included in her article, I’d like to add the following advice to help companies protect against a cyber attack:
When it comes to information security, many organizations, no matter their size, lose sight of the basics. Performing proper due diligence around the “basics” provides a solid foundation both for building out computer resources and for protecting against hacks and breaches.
Paraphrasing Kevin Mitnick from his 2000 testimony to the U.S. Senate Committee on Governmental Affairs (14 years ago): companies spend millions of dollars on the “solution,” only to ignore the weakest link in the security chain – the human factor.
Many of the hacks and breaches (social media, credit card, etc.) I would surmise are from missing the basics, including security awareness and training for the end user. It is not uncommon these days to walk into a small shop or office where the employees are surfing the Internet, checking Facebook and their personal email, on the same system that will swipe your credit card when you check out. Providing basic user awareness in a fun and positive way can go a long way.
The “basics” – requiring strong passwords, monitoring, disabling and filtering unnecessary services, and least-privilege account access – are still being missed today. How each of these is implemented depends on the business, but none of them should be skipped.
Implementing these “basics” takes resources and discipline, so it is not an effort to be taken lightly. Often these basics get swept under the rug and forgotten about – a server is built with extraneous services listening, or a developer’s administrative account is left on that box when it goes into production. It is these “basic” things that add up and present risk to an organization.
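The two failures named above (extraneous services and leftover developer admin access) are exactly what a pre-production check should catch. The script below is an added example written for this page, not code from the original post or from any product it mentions. It audits three inputs for the basics in the preceding paragraphs: an /etc/passwd listing for extra UID 0 and interactive accounts, a sudoers file for personal (non-group) sudo grants, and a list of listening sockets against a build allowlist. All of the input data is constructed inline so the script runs offline; the account names, the listener list and the `ALLOWED_LISTENERS` set are assumptions for illustration, and on a real host you would feed it the actual files and the output of `ss -tlnp`.

```python
"""Pre-production hardening check for leftover admin access and extraneous
services. Added example; all sample data below is constructed, not taken
from any real system."""

# Constructed /etc/passwd: a developer account with a login shell and a
# second UID 0 account were left behind after the build.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
jdev:x:1001:1001:Jane Developer:/home/jdev:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
svc-app:x:1002:1002:app service:/opt/app:/usr/sbin/nologin
"""

# Constructed /etc/sudoers: the developer still has passwordless root.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root ALL=(ALL:ALL) ALL
jdev ALL=(ALL) NOPASSWD: ALL
%sudo ALL=(ALL:ALL) ALL
"""

# Constructed listener list in the shape of `ss -tlnp` output:
# (protocol, local address:port, owning process).
SAMPLE_LISTENERS = [
    ("tcp", "0.0.0.0:22", "sshd"),
    ("tcp", "0.0.0.0:443", "nginx"),
    ("tcp", "0.0.0.0:3306", "mysqld"),   # database exposed on every interface
    ("tcp", "0.0.0.0:8000", "python3"),  # developer test server still running
]

# Hypothetical build spec: the only sockets this box is supposed to expose.
ALLOWED_LISTENERS = {"0.0.0.0:22", "0.0.0.0:443", "127.0.0.1:3306"}

# Shells that cannot be used to log in interactively.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(passwd_text):
    """Yield (name, uid, shell) for each well-formed /etc/passwd line."""
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        yield fields[0], int(fields[2]), fields[6]


def uid0_accounts(passwd_text):
    """Every account that is effectively root, whatever it is called."""
    return [name for name, uid, _ in parse_passwd(passwd_text) if uid == 0]


def interactive_accounts(passwd_text, min_uid=1000):
    """Non-system accounts that still have a usable login shell."""
    return [name for name, uid, shell in parse_passwd(passwd_text)
            if uid >= min_uid and shell not in NOLOGIN_SHELLS]


def sudo_grants(sudoers_text):
    """Return (who, nopasswd) for each grant line; comments/Defaults skipped."""
    grants = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        grants.append((line.split()[0], "NOPASSWD" in line))
    return grants


def unexpected_listeners(listeners, allowed):
    """Listening sockets whose address:port is not in the build allowlist."""
    return [entry for entry in listeners if entry[1] not in allowed]


def audit(passwd_text, sudoers_text, listeners, allowed):
    """Run all checks and return a list of human-readable findings."""
    findings = []
    for name in uid0_accounts(passwd_text):
        if name != "root":
            findings.append(f"extra UID 0 account: {name}")
    for name in interactive_accounts(passwd_text):
        findings.append(f"interactive account with a login shell: {name}")
    for who, nopasswd in sudo_grants(sudoers_text):
        # Group grants (%sudo, %wheel) are the normal pattern; a personal
        # grant is usually someone's admin access that never got removed.
        if who != "root" and not who.startswith("%"):
            findings.append(f"personal sudo grant: {who}" + (" (NOPASSWD)" if nopasswd else ""))
    for proto, addr, proc in unexpected_listeners(listeners, allowed):
        findings.append(f"unexpected listener: {proto} {addr} ({proc})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SUDOERS, SAMPLE_LISTENERS, ALLOWED_LISTENERS):
        print("FAIL:", finding)
```

Run against the constructed data it reports five findings: the `toor` root-equivalent account, the `jdev` login shell, the `jdev` NOPASSWD sudo grant, and MySQL and the test server listening on all interfaces. The point of wiring it into a build pipeline is that an empty findings list becomes a gate the server has to pass before it is promoted to production, rather than something an auditor notices a year later.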
Located in Pennsylvania, Jason Rhykerd, CISSP, is a security professional with over 10 years of experience in assessing, analyzing, and auditing IT security risk. Jason has worked in multiple industries including healthcare, manufacturing, nuclear power generation, and government.