As we move towards the information society, it becomes more and more important how we treat information and what we do in order to secure it.
From the 90s and early 2000s a lot of people are accustomed to getting pirated versions of software and then not updating it. Also in many small businesses it is considered normal to invite the system administrator only when something goes wrong. As a result, it can be difficult to find a company that has never suffered from malware activity.
What is “security negligence”?
For an ordinary user, it is just a set of minor oversights, for instance, the use of the same passwords for different resources, non-compliance with corporate rules, excessive trust in the aggressive external environment.
For an IT specialist, it is a deliberate or non-deliberate refusal to follow the best practices that are present for nearly every IT service. Compliance with them often requires a little more careful thought, time for set-up and closer attention to detail.
For the CEO and CIO, security negligence means insufficient attention and neglect to the process of information security. It is the management of the organization who must set the tone for careful handling of information resources for everyone – from users to system administrators.
Consequences of security negligence. Several examples from life.
Imagine getting a job in a company that doesn’t consider it important to use encrypted messaging. In work correspondence, you share personal data and secrets of clients who have no idea that they may become someone else’s property. You connect to a public Wi-Fi network in a hotel – and the hacker gets all this data in clear text. Imagine what happens next if he knows what to do with it.
Obviously, security negligence goes beyond digital hygiene and safety fundamentals. The more complex systems require more special measures to reduce various risks. And here cyber protection services come to the rescue, from hacking and intrusions (WAF, IDS / IPS), from data leaks (DLP) and other classes of solutions. Cutting costs on these tools, of course, is dangerous. However, no amount of tools will protect a system that is initially poorly thought out in terms of information security.
Example #1. Last year’s Twitter hack, which resulted in fundraising posts on the accounts of about 50 celebrities, including Bill Gates, Barack Obama and Elon Musk. You can install dozens of security systems, intrusion detection, but this will not save you from the fact that an ordinary employee has access to user accounts.
This hack is one of typical cases of security negligence, where the management did not think over and implement a system for protecting internal data from the employees. After this case became known to the public, the following question arises – what if Twitter employees have access to the personal correspondence of their users?
However, security negligence can backfire on a company even if there is nothing wrong with the security process and the users themselves are guilty.
Example #2. Several years ago, dozens of celebrity iCloud accounts were hacked and thousands of private photos were stolen. Despite the fact that the hacking was carried out from the side of the users, and not the service itself (that is, the accounts of specific people were hacked), Apple’s reputation was significantly affected.
In this case, there is security negligence on the part of the users themselves, who did not take care of protecting their data and, most likely, used simple passwords, did not use two-factor authentication, and stored personal pictures in the cloud.
Example #3. In June, an even more frightening story of an unprecedented scale took place – all services, call center and production of Garmin, who makes smart watches and navigators, completely stopped due to a cyber attack – the WastedLocker virus encrypted the entire corporate network. To eliminate the consequences of the attack, the company had to work for days. It even had to send a part of its employees to a production site in Asia.
Why did it happen? Most likely, the company had poorly built security processes – the software was not updated, different segments of the infrastructure were not isolated, the protection against threats (such as hacking and viruses) was poorly built, there was no reliable backup system, etc.
The story is not unique – several companies fell victim to WastedLocker and similar malware, and each of them was demanded by cybercriminals to pay from $500,000 to $15,000,000 for decryption. Among these was a large ISP, Telecom Argentina, where hackers encrypted data on 18 thousand computers on the internal network.
The frequency of such incidents is growing; at the end of July, another one occurred, in my opinion, quite instructive.
Example #4. Meow attack. It’s no secret to anyone in IT that server software is actually updated much later than the security updates become available. Now hackers have many tools to automatically search for vulnerable software with the aim of further destructive actions. During the late incident, more than 4,000 databases based on ElasticSearch and MongoDB were automatically scanned and deleted – regardless of which companies they belong to, and without any commercial interest (the attacker did not ask for a ransom for data recovery).
In this case, security negligence was in the fact that the victims of the attack did not update the software and did not close the databases from external use using firewall.
Based on all the above examples, it becomes evident that the damage from cybercriminals can even be a result of someone else’s negligence. Moreover, it sometimes happens completely out of the blue.
How to avoid security negligence
One must conclude that in modern society, the utilitarian approach to information security, when funds are invested in security only to compensate for possible material and reputational losses, becomes insufficient.
Moreover, the fight against security negligence must take place at all levels – from the elimination of the illiteracy of ordinary people and separately – developers and suppliers of information systems, to government regulation of the issue and instilling in the population the values associated with the administrator of handling information.
In fact, there are millions of ways to fight negligence. I would highlight the following:
- Think about security from the very beginning of the IT infrastructure design – from the moment of its implementation to operation and decommissioning
- Update software in a timely manner
- Set up reliable backups
- Train people inside the company on information security. This applies not only to technical specialists, but also to ordinary employees. The entire workforce must be aware of digital hygiene.
Of course, for any owner or business leader, security is becoming a top priority. And this is good, because if today you can pay for informational negligence with money and reputation (your own or someone else’s), then tomorrow it will be the health and lives of people – think of smart cities, unmanned vehicles and smart implants.
Ramil Khantimirov is the CEO & co-founder of StormWall, an international cybersecurity company. He has a PhD in Computer Science.
Before co-founding StormWall in 2013, Ramil had vast experience in both IT architecture and management. In his previous role as Senior Systems Engineer, Ramil created IT infrastructures for Russian industrial enterprises. Before that, he was within IT leadership of one of the largest Russian universities pioneering E-learning.
Ramil is a recognized expert in the field of cybersecurity. He is the author of many articles on protection from DDoS attacks and the speaker on many professional conferences, where he was the first to research the topic of protectability from DDoS attacks and the ways to improve it.
He aims to use the maximum of his knowledge and skills to improve safety and security of the Information society by creating the technology to protect against hackers and malefactors.
Pingback: Security Awareness: walking the line between technology and teaching in part time - Cyber Protection Magazine
Pingback: Who ya gonna call? The true problem of cybercrime - Cyber Protection Magazine