A few months ago, my phone rang unusually late. Somebody at a company where I had access to the intranet told me, with panic in his voice, there'd been a hacker attack. It was difficult to see how much damage had been done, he told me, and so IT had decided to take the entire internal network offline.
Attacks like this happen in large companies every day. Sometimes they're the work of "script kiddies," who use brute force to try out different permutations of login information until something gives way and they gain a foothold. Sometimes it's an organized group of hackers, patiently looking for weaknesses in the security system in order to secretly access confidential data. No matter the cause, the economic loss can be huge. In the case of my late-night caller, the ultimate cost amounted to several hundred thousand euros.
Most companies are well aware of the dangers, but even innovative midsized firms frequently spend too little on their IT security. Too few of these enterprises have implemented full-scale security systems that encompass all possible risks. These businesses back up their systems and data, but few actively address protecting themselves from future threats. It's the same problem with antivirus programs: They're fine when it comes to known attackers, but these solutions neglect unknown threats.
Whereas large enterprises can afford to hire white-hat hackers and send them to regular security conferences, midsized enterprises simply don't have the necessary resources to follow this path. And that's a problem, because these conferences are a great source of information about relevant patents, innovation, supply chains, and trends, especially since midsized businesses are increasingly attractive to cybercriminals. In the US, more than one-third of hacker attacks target companies with fewer than 250 employees, one study found.
But don't blame technology alone. Despite all the tools at companies' disposal, the biggest IT security challenge remains employees' lack of understanding. One large German automotive supplier has set its security settings to "paranoid." Employees are not allowed to connect laptops to each other, USB drives are only recognized with the correct signature, and sensitive data is solely stored on drives that are not hooked up to the network. That's all well and good, but as the data security officer noted, staff were so annoyed by the tedious way in which data had to be moved about that they started bringing their own devices to work. Employees also began creating rogue Dropbox folders -- stuffed with that important, proprietary data -- to circumvent the rigorous security rules. The entire security structure was undermined because staff found the IT department's data restrictions too tiresome and burdensome.
Companies embracing BYOD are exposed to particular risks. Although these devices aren't allowed to join the internal network, employees can use specially developed apps to access the in-house network through a gateway. After all, workers must access emails and documents if they are going to work efficiently. The snag? Many employees aren't particularly conscientious about updates -- and this can rip huge security holes in the structure. One forgotten iOS update may create dozens of holes that every single hacker knows. IT security really ought to check each private device to make sure all updates have been properly installed -- but IT departments simply don't have enough time or personnel.
Many smaller companies give themselves a false sense of security. The classic "Hackers won't be interested in us" is an argument I've heard repeatedly. But anyone who's witnessed an identity theft and seen how fast scammers use login information to order goods that are then shipped to Eastern Europe knows that's a poor argument. Fraud on this scale is an incident that's easy to get over. But not even the president or his wife, Michelle Obama, are safe from attack.
Companies should, therefore, ensure their security philosophy is alert to all conceivable threats and also be prepared for new, unknown attacks. If they don't, precious corporate data will quickly end up in the wrong hands. And that'll turn out to be far more expensive than paying a professional security expert.
— Charlotte Erdmann comments on a wide range of technologies from her base in Berlin. In addition to blogging, she is a media and communication consultant, organizing and managing large customer magazines and marketing activities within the IT industry.