The mad dash to work from home during COVID-19 has cast a spotlight on the security and privacy of the cloud. Organizations that were reluctant to jump into hosted applications to work from cloud solutions were dragged into the deep end of distributed computing. With the past twelve months featuring a who's who of top-tech vendors suffering security breaches, businesses have to be left wondering, "How secure is this?"
Recent data breaches at Twitter and Facebook have created much of the doubt about cloud security. Some ask, "If these big names are unable to protect client data, what chance do I stand?" There is some solace in the nature of the breaches that took a bite out of Facebook and Twitter. The nature of the threats against these web services differs from what an ordinary business must face on the web.
Facebook is an aggregate of user contact information. It is also a meeting place for scammers and bad actors looking for intel. With a big target on its back, Facebook lost user data through a vulnerability back in 2019 that allowed automated software to be used to collect over half a billion users' worth of information.
Twitter fell victim to social engineering where a few bad actors called into Twitter support and bamboozled Twitter reps into resetting passwords and giving out digital authentication codes. With account information in hand, the Twitter bandits executed a scheme to scam Bitcoin via prominent Twitter accounts.
Cybercriminals targeted two of the world's largest digital companies because of their huge repository of personal data and their direct connection to millions of users. And while it may be true that most organizations have a much smaller target on their back, it's also true that the old strategy of hiding by being small doesn't work anymore. The same types of automated attacks used to scrape Facebook data and the social engineering used against Twitter are employed at an industrial scale on every company connected to the Internet, but applying best practices helps to reduce the possibility of breaches.
Protecting from Remote Access Breaches
Most businesses don't know what they've exposed to the Internet. Over the years businesses just get in the habit of running firewalls and routers with undocumented changes and modifications which are then able to open up ports and allow access to internal devices. Often by not applying manufacturer-recommended firmware and security updates, businesses allow additional vulnerabilities creating unwanted remote access.
Protection from unwanted remote access connections comes down to:
- Documenting and reviewing open ports
- Changing from default ports when possible
- Requiring encryption for all Internet-facing connections
- Disabling or renaming default user accounts
- Subscribing to manufacturer firmware updates
Following these five guidelines will keep remote access vulnerability to a minimum and reduce the likelihood of unauthorized data access.
Stop Social Engineering Attacks
Social engineering attacks are often thought of as digital attacks in the form of phishing. Despite security experts publishing guides to stop phishing attacks, like this one from Sophos, 30% of phishing emails are still opened by employees. Since phishing threats change daily, protection from phishing is more about user training and administrators fostering a healthy and persistent skepticism among their teams.
But what happens when employee skepticism comes up against their desire to deliver a positive customer service outcome, as it did with Twitter breach? The pressure of a convincing "customer" or "vendor" combined with a well-meaning service representative who wishes to positively represent their brand can create an opportunity for a bad actor to gain access to passwords or systems, just like they do using a digital phishing attack.
Limit exposure to social engineering attacks by:
- Creating and strictly adhering to solid policies and procedures for password management and system access
- Requiring approval for deviations from solid policies and procedures
- Hosting regular in-services to strength-train customer service representatives against bad actors
- Alerting employees and users to the latest social engineering methods
Like phishing attempts, verbal and in-person social engineering can be just as damaging to organizations and require training and guidelines to mitigate risks.
Cybersecurity is a complex topic. Empowering employees with enough access to effectively do their jobs while also establishing sufficient protections for company data and personal user data represents a constant business challenge. While it can be discouraging to see big names with huge security budgets suffering breaches, these incidents allow smaller businesses to analyze, learn, and take the necessary steps to help avoid experiencing such misfortune themselves. Small businesses are a smaller target, but they must be proactive and wary to avoid a breach since one of any size might prove too big to overcome.