21 August, 2019

The Importance of Addressing Security

The Importance of Addressing Security
Kevin Johnson
Author: Kevin Johnson

Why do we need to worry about security when we’re not a target?

This is a common question, especially from smaller companies. Often it comes from organizations that have been told they have some vulnerability or that they need to pay for a particular security service. Usually, it’s followed by other statements such as “I’m too small,” “I don’t have anything of value,” or “We’ve never been hacked before.” While these statements may be true, they’re generally misleading because they’re founded on a misunderstanding on the motivation of attackers. Let’s break down each one of these flawed ideas:

I’m too small / No one knows about me.

I grew up in small-town Kansas, so I get the idea of security by obscurity. There is some security in being relatively unknown to the majority of the world. That doesn’t make you more difficult to attack, just less likely to be attacked. The entire insurance industry is built on the idea of actuarial tables that demonstrate likelihood. And if you’re a small organization, it’s easy to assume that no one knows about you.

But in reality, with the Internet, you’re not as obscure as you think you are. As soon as your systems are connected to the Internet, they become accessible, to some degree, to the entire world. And though an attacker may not directly target you intentionally, they will use automated tools to attack millions of people at once. You don’t have to be known personally to represent a valuable target, which leads us to the next point.

I don’t have anything of value.

This belief may even be more prevalent than the last. Many folks only consider certain types of data, like payment card data or health records, as worthy of protection. If that data doesn’t exist on the network or is sufficiently protected, then additional controls seem unnecessary. But the truth is that criminals can find a number of reasons to attack you that you may not have considered. Here are a few examples:

  • Other types of data - Most organizations have a wide range of data from intellectual property, to customer records, to proprietary internal processes. All of these can have value to the right person, even data that you may not consider particularly valuable.
  • Access to your clients - Attacking 3rd parties has become a very popular attack vector in the last several years. Target is a great example after they were breached because of their 3rd party HVAC vendor that surely thought they had nothing to worry about.
  • Ransomware - How will your business operate if all of your data is suddenly unavailable? Ransomware attacks cost unprepared businesses billions of dollars per year.
  • Botnet members - Managing large botnets gives bad actors the ability to perform a number of attacks with impunity. This includes sending spam, DDOS attacks, and stealing users’ credentials while browsing the web. If your systems are compromised, they could be used by these attackers without your knowledge.
  • Competitors - In 2015 an executive with the St. Louis Cardinals baseball team hacked into the email and databases of executives at the Houston Astros in order to steal scouting information and details on upcoming trades.
  • Pure maliciousness - Some hackers still have no goal other than to create a scene and cause destruction. These attacks can cause significant impacts on your ability to operate your business.

Regardless of the potential, sometimes people still struggle to accept the likelihood. Another comment that often comes up in those conversations is that…

We’ve never been hacked before.

This thought is insidious because the logic is clearly fallacious. We all recognize that the lack of something happening in the past doesn’t prevent it in the future. And yet human psychology classifies risk based on experience, so until we see first-hand the impact of an attack, it’s very hard to accept the potential risk. Fortunately, or unfortunately, the news is full of examples of breaches and compromises. It doesn’t take much reading to realize that without a plan, you could be next.

Other Considerations

While we’re on the topic, there are a few other points to consider.

  • Scanning - The internet seems like a really big place; there are nearly 4 billion public IPv4 addresses. But it’s also very easy to scan that entire space. A number of scanners constantly scan the entire internet and catalog every host and service. If you happen to be running a service that is found to be vulnerable, you become a target almost instantly.

  • Compliance - Legal and contractual regulations have become a significant driver of security. This includes government requirements such as HIPAA, contractual relationships such as PCI, and often legal arrangements with clients. In order to continue operating, many organizations must comply with some set of standards or face crippling penalties.

Hopefully, this article has helped clarify why it’s important to consider the security of your organization. If you have questions or would like to discuss the particulars of your situation, we would love to talk further.

Join the professionally evil newsletter