Businesses often mistakenly believe they will not be targeted or that they will know when they are attacked immediately. These are deadly myths that will leave organizations unprepared for the threats out there. This week we discuss the fallacies of these beliefs and how businesses can transcend these old thoughts and prepare an adequate defense against attackers.
The common belief that attacks can't happen to you could not be further from the truth. More than half of all small businesses are hit each year. Think about it. One in two. If those were Vegas odds you probably wouldn't hesitate to take the bet, so why would you ignore the virtual threat?
If you are a skeptic like me, you are probably questioning this statistic. But believe me, those are real numbers. A couple of publicly available search resources let attackers query the entire internet for systems with particular settings or installed software. The results are essentially a shopping list for attackers to start targeting unsuspecting computers. To make things easier, custom tooling lets them hit massive numbers of targets in a short period of time. This is why you see news reports of malware spreading quickly around the world: the attack is automated with software.
A second assumption that most businesses make is that they will know as soon as an attacker is in the system. This is so far from the truth you wouldn't believe. Industry-leading statistics put the time between an attacker getting into a business network and being detected at anywhere from 6 months to 1.5 years, depending on the maturity of the organization's information security program.
Attacks are much more sophisticated than people think and often are not detected by anti-virus solutions. Most anti-virus products only detect known threats, while attackers are continuously inventing new ones. Check out [this] attack against computer processors that has been in the news.
A good security program does not rely on anti-virus alone; it uses various methods to stop, slow, and detect malicious activity on a network. Smaller businesses without an in-house specialist should rely on a third-party consultant to grade their security and help them plan for improvement. Many smaller organizations rely on their IT management company for security knowledge; however, we always recommend using an independent third party. Because your IT company is so involved day-to-day in your computer systems, they may overlook a problem that is readily apparent to an outside party. An IT company with less integrity may even be hiding flaws from you. Independent parties are there to provide honest feedback.
Hopefully you found this information useful. If you have any questions about the information in this blog or would like to use Tandem as a third-party consultant, we would love to hear from you. Check out all of our other blogs [here].
Co-founder + Ethical Hacker
Micheal has over 13 years of combined experience in Information Security, Information Technology, and Physical Security. He has tackled some of the most daunting certifications in the industry, and his passion for the cyber world is unparalleled, with exposure to virtually every industry. He continues to hone his skills in Incident Response, Penetration Testing, and Consulting. Recognizing the need for change in cyber security, he volunteers to help entrepreneurs, veterans, and recent graduates.