When you really think about it, the amount of sensitive data that organizations are responsible for protecting is enormous. Not just company trade secrets, but client data, employee data and now even vendor data! PCI compliance aims to drag businesses “kicking and screaming” to minimum levels of protection, but many are reactive when it comes to security, not fully appreciating the impact to the business. For example:
True story: Recently, we came across a situation where an organization’s billing system was hacked. The hackers wrote-up several large PO’s (i.e. +$50,000 each) and issued them out to their vendors on file. The vendors (assuming the PO was legitimate) would ship out the equipment to the hacker’s desired location and add it to the company’s Net 30 payment terms. The hackers would make off with the equipment and the company was left holding the bag.
You have to learn to think like a hacker!
There’s lots of ways to monetize sensitive data and very difficult to apprehend skilled intrusion events. Furthermore, with the advent of Script Kiddies, even novice hackers can download sophisticated, pre-made tools to do the job. It’s important to get creative and think out of the box. Ask yourself, “How could this data be used to harm us?” Here’s another example:
True Story: A reputable construction company I know had recently started to notice that they were losing bids on projects. It’s common to not win every project in a closed bidding system, but they were losing by less than $100 each time! As it turns out, someone hacked their billing system and had access to all of their project quotes. The other construction company simply underbid them and won the projects, costing the victim hundreds of thousands in sales revenue until they figured it out.
It’s not just exposure of company data that could be crippling for businesses. Organizations have a responsibility to provide adequate protection of employee and client data as well. They may be held liable for failing to do so!
Flashback: Remember the 2013 Target data breach? According to SecurityWeek.com, Target has spent over $162 Million in cleaning up the mess that would have never occurred had there been simple network segmentation between the HVAC system and the LAN. “The $162 million spent so far by Target is just a drop in the bucket given the class action lawsuits by consumers as well as the recent court ruling that banks can go after Target to recoup their losses.”
“We cannot solve our problems with the same thinking we used when we created them.” – Albert Einstein
Don’t think this will ever happen to your business? Think again! Intrusion events for large organizations make headlines, but it’s far more common for small businesses to be “targeted” – pardon the pun. Many simply don’t implement basic security standards for their network because they don’t think they can afford it or overestimate their own obscurity.
As a Public Service Announcement, we urge small-to-medium sized business to implement (at minimum) basic security measures. Look for a product that provides a firewall, network segmentation options, gateway Anti Virus, SPAM & Web filtering and even Intrusion Prevention. All of that (and much more) can be achieved with even Endian’s entry-level appliances!