Let’s talk about threats.
The weakest points in any security system are the people who use it. That’s why cybercriminals are starting to go low-tech. It’s much easier to trick a human than create a virus. Hackers don’t have to break through your firewall, because employees are letting them in the front door.
There are plenty of proven tools to keep bad guys from breaking into a network. But attacks from the inside pose an entirely different kind of danger. And most businesses are completely unprepared.
How it Works
Hackers have a host of methods for conning their way into a network. Email is still a very effective method for delivering malware. (You’d be surprised at how many distracted executives will open a file called “Q1 Past Due Accounts.”) Messages may use techniques like baiting or phishing (pronounced “fishing”) to trick people into handing over passwords and account numbers.
Some hackers target employees’ personal computers, which tend to have weaker security. Then they sneak into the company network when the employee logs in remotely or brings a corrupted USB drive into the office. Mobile devices can contract malware through apps and unsecured networks (such as the free WiFi at airports). All of these methods give cybercriminals a way to slip past the company firewall without raising an alarm.
Worse Than You Think
Here’s the real problem: Most business networks have weak or nonexistent internal defenses. The emphasis has always been on external measures like firewalls. Good anti-virus software is expensive, and executives didn’t see it as a huge priority (“because we have such a good firewall”). Essentially, people put giant locks on their front doors and called it good. Which means if a hacker can sneak past the firewall, there’s likely very little to stop him from stealing your data, crashing your system, and bringing your business to a screeching halt.
This is why the discussion about cyber security needs to change. Businesses have to look beyond keeping the bad guys out and consider what happens once they get in.
Don’t assume your current IT staff can take on this threat. Searching for and responding to internal breaches is more labor-intensive than maintaining a firewall. System administrators don’t have time to run counter-hack operations and support the company’s IT needs.
If a fulltime cyber-security specialist isn’t in your budget, then you need to consider other methods for improving data security. Good strategies include using the best anti-virus software that management will buy, putting more user restrictions in place, prohibiting USB drives, and teaching employees good cyber ”hygiene”. Perhaps the most effective strategy for protecting your data is to move it from your private server to the cloud.
The Cloud Bank
The building materials industry has been very slow to adopt cloud-based solutions, in part because many executives don’t trust them. Letting a third party manage their data at a separate location feels risky. Keeping everything in-house, on their own servers, in an environment they control feels safer. But unless your company has a fulltime cyber-security specialist, using a private server is significantly riskier than using the cloud.
A good way to think about it is to compare your data to money. Keeping your data on a private server is like keeping your money in a shoebox. You have direct access, but so does anybody who breaks into the building. It’s easy for them to grab that shoebox and walk out the door. When hackers get past your firewall, they can potentially trash or steal anything on your network. Accounting records, operations data, and customer information are up for grabs.
Using the cloud, on the other hand, is like keeping your money at a bank. The funds are still available, but if a thief breaks into your office, there’s nothing for him to steal. He can’t get to your money because it’s at the bank. And breaking into a bank is an entirely different matter.
Still Not Convinced?
Some people are skeptical that the cloud is safer. After all, if a corrupted laptop can infect your entire network, what’s to stop that virus from spreading to your hosted data.
This is a fair question. The simple answer is the cloud is different from traditional networks. It offers multiple layers of security, far beyond what most businesses can afford on their own.
The first line of defense has to do with access. A local network typically has many points of entry, because it’s used by many different software applications. When employees check email, create sales orders, track inventory, or enter payments, they are storing all of those records in the same place. Applications on a local server are sort of like offices on the same hallway. Applications in the cloud are more like guarded buildings on separate roads.
Let’s say a hacker gets past your firewall. If you store all of your data locally, he can walk up and down the “hallway”, from your email to your accounting records to your customer files, because everything is connected. If you store your accounting data in the cloud, however, he can’t crawl from your email to your billing records because they are in separate locations. In order to get to your accounting data, he has to leave the hallway, exit your building, find the right “road”, and then get past all of the guards. This brings us to the next line of defense.
If data is stored in the cloud, it’s on a server (or multiple servers) at a data center. Data centers make sure your information is accessible to you and only you. These facilities invest heavily in sophisticated security tools and anti-virus software. They also provide 24-7 monitoring by cyber-security experts who constantly walk the (virtual) perimeter, checking for weaknesses and scanning for suspicious activity. (All the things system administrators don’t have time to do.) Let’s go back to the shoebox vs. bank analogy. Your only way of protecting that shoebox is to lock your front door. The bank, on the other hand, has locks on the door, cameras in the ceiling, and German Shepherds patrolling the lobby.
Unfortunately, there aren’t any security patches for human behavior. No matter how many rules a company puts in place, somebody will inevitably slip up.
If you want a sobering conversation, ask your IT manager what defenses your network has against an internal attack. Find out which parts of your operation would be affected, and how long your business would be down. Take a hard look at the worst-case scenario, and start planning the best possible response.
This article originally appeared in Building Products Digest.