Anyone working within or for the legal sector knows that legal professionals today are under a lot of pressure to be more responsive, more efficient and more cost-effective. This is all set against a backdrop of rising security threats and more technology options than ever before.
It’s no secret that contracting with an outside party to take care of certain tasks instead of hiring new employees is becoming more widespread in the modern business paradigm. Today we’re talking about outsourcing. The reason more and more businesses are getting on this bandwagon is that it can help your business grow and save money when it's done right. This blog is the first in a series of articles to highlight the many advantages of building outsourced resources into your business model.
Wake up call
It may surprise you that up to 80% of IT security breaches may originate in the supply chain. Some of the most high-profile hacks were at Target, Home Depot, Sony, Sears and JP Morgan Chase. The scale of the hacks is staggering. The Home Depot hack involved the compromise of 65 million customer accounts, and the JP Morgan Chase hack had an impact on 7 million businesses. Perhaps the most interesting was Target: not only did the hackers gain access to the personal information of some 70 million customers, but the manner in which they did so is illuminating. They breached security by stealing network credentials from Fazio Mechanical Services, a provider of heating, ventilation and air conditioning (HVAC). How did they steal them? By stealing credentials from a supplier to Fazio. So at two removes, Target was compromised through its supply chain. The other noteworthy point is that this was an HVAC supplier. What could have been stolen if it had been a firm of external auditors doing work in Target, or a management consultancy? A corporation the size of Target surely had a few management consultants working on something at any one time. Or, even more lethal, the law firm(s) used by Target.
Many SMEs don’t realise it, but the path to some grand cybercrime score of a lifetime may go right through their backdoor. SMEs are commonly vendors, suppliers, or service providers who work with much larger enterprises.
Unfortunately, they may be unaware that this makes them a prime target for hackers. Worse yet, this may be costing them new business. Larger companies likely have their security game in check, making it difficult for hackers to crack their data. They have both the financial resources and staffing power to stay on top of security practices. But smaller firms continue to lag when it comes to security. In many cases, the gateway to accessing a large company’s info and data is through the smaller company working with them.
Exposed vulnerabilities in security can lead cybercriminals right to the larger corporation they’ve been after.
Cybercriminals Target Companies with 250 or Fewer Employees
In 2012, Symantec research confirmed that cybercriminals are increasingly targeting smaller businesses with 250 or fewer employees. Attacks aimed at this demographic practically doubled from the previous year. This news has made larger enterprises particularly careful about whom they do business with. This means that any SME targeting high-end B2B clients, or those seeking partnerships with large public or government entities, must be prepared to accurately answer questions pertaining to security. This requires an honest assessment of the processes taken to limit security risks.
View Security Measures as Investments
CIOs must start viewing any extra investment to enhance security as a competitive differentiator in attracting new business. Adopting the kind of security measures that large enterprises seek from third-party partners they agree to work with will inevitably pay off. The payoff will come by way of new revenue-generating business contracts that will likely surpass whatever was spent to improve security.
Would-be business partners have likely already asked for specifics about protecting the integrity of their data. Some larger entities require that SMEs complete a questionnaire addressing their security concerns. This kind of documentation can be legally binding so it’s important that answers aren’t fudged just to land new business. If you can’t answer “yes” to any question about security, find out what it takes to address that particular security concern.
Where a Managed Service Provider Comes In
Anyone who isn’t yet working with a Managed Service Provider (MSP) should consider it. First, a manual network and security assessment offers a third-party perspective that will uncover any potential business-killing security risks. A good MSP will produce a branded risk report to help you gain the confidence of prospects to win new business. An MSP can properly manage key elements of a small company’s security plan. This includes administrative controls like documentation, security awareness training, and audits as well as technical controls like antivirus software, firewalls, patches, and intrusion prevention. Good management alone can eliminate most security vulnerabilities and improve security.
Not too long ago, the New York Times’ website experienced a well-publicised attack, which raises the question – how can this happen to such a world-renowned organisation? If this can happen to the New York Times, what does this bode for the security of a small company’s website? What’s to stop someone from sending visitors of your site to an adult site or something equally offensive?
The short answer to that question is nothing. In the New York Times’ attack, the attackers changed the newspaper’s Domain Name System (DNS) records to send visitors to a Syrian website. The same type of thing can very well happen to your business website. For a clearer perspective, let’s get into the specifics of the attack and explain what DNS is.
The perpetrators of the New York Times’ attack targeted the site’s Internet DNS records. To better understand this, know that computers communicate in numbers, whereas we speak in letters. In order for us to have an easy-to-remember destination like nytimes.com, DNS must map that name to the site’s numeric IP address.
Therefore, no matter how big or small a company’s online presence is, every website is vulnerable to the same DNS hacking as the New York Times’ site. The good news is that the websites of smaller companies or organizations fly under the radar and are rarely targeted. Larger targets like the New York Times, or LinkedIn, which was recently redirected to a domain sales page, are more likely targets.
There is no reason to panic and prioritize securing DNS over other things right now. But there is a belief that DNS vulnerability will be something cybercriminals pick on more often down the road.
Here are a few ways to stay safe
Select a Registrar with a Solid Reputation for Security
Chances are, you purchased your domain name through a reputable registrar like GoDaddy, Bluehost, 1&1, or Dreamhost. Obviously, you need to create a strong password for when you log into the registrar to manage your site’s files.
Nonetheless, recent DNS attacks are concerning because they’re far more than the average password hack. It was actually the security of the registrars themselves that was compromised in recent attacks. The attackers were basically able to change any DNS record in that registrar’s directory. What’s particularly frightening is the registrars attacked had solid reputations. The New York Times, along with sites like Twitter and the Huffington Post, is registered with Melbourne IT. LinkedIn, Craigslist and US Airways are registered with Network Solutions. Both had been believed to be secure.
So what else can be done?
Set Up a Registry Lock & Inquire About Other Optional Security
A registry lock makes it difficult for anyone to make even the most mundane changes to your registrar account without manual intervention by a staff registrar. This likely comes at an additional cost and not every domain registrar has it available.
Ask your registrar about registry locking and other additional security measures like two-factor authentication, which requires another verifying factor in addition to your login and password, or IP address dependent logins, which limit access to your account from anywhere outside of one particular IP address.
While adding any of these extra safeguards will limit your ability to make easy account changes or access your files from remote locations, it may be a worthwhile price to pay.
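To confirm that a registry lock is actually in place and that nobody has changed where your domain points, you can audit the domain's public RDAP record against a known-good baseline. The script below is an added example, not part of the original article: the domain, nameservers and RDAP record are constructed samples, and it assumes the registry exposes its lock as the three server-side RDAP statuses (the RFC 8056 equivalents of the EPP `server*Prohibited` codes).

```python
"""Audit a domain's registry-lock status and nameserver delegation offline."""
import json

# RDAP (RFC 8056) spellings of the EPP server* statuses a registry lock sets.
REGISTRY_LOCK = {
    "server transfer prohibited",
    "server update prohibited",
    "server delete prohibited",
}

# Constructed RDAP domain record (not real data): only a registrar-level
# client lock is present and one nameserver differs from the baseline.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "example.com",
  "status": ["client transfer prohibited"],
  "nameservers": [
    {"objectClassName": "nameserver", "ldhName": "NS1.DNS-HOST.EXAMPLE"},
    {"objectClassName": "nameserver", "ldhName": "ns9.unknown-host.example"}
  ]
}
""")

# Constructed baseline: the delegation the domain owner expects to see.
BASELINE_NS = {"ns1.dns-host.example", "ns2.dns-host.example"}

def missing_lock_statuses(rdap):
    """Return the registry-lock statuses absent from the RDAP record."""
    present = {s.strip().lower() for s in rdap.get("status", [])}
    return sorted(REGISTRY_LOCK - present)

def nameserver_drift(rdap, baseline):
    """Return (added, removed) nameservers relative to the baseline."""
    seen = {ns["ldhName"].rstrip(".").lower() for ns in rdap.get("nameservers", [])}
    want = {b.rstrip(".").lower() for b in baseline}
    return sorted(seen - want), sorted(want - seen)

def audit(rdap, baseline):
    """Collect human-readable findings; an empty list means no alert."""
    findings = [f"registry lock status missing: {s}" for s in missing_lock_statuses(rdap)]
    added, removed = nameserver_drift(rdap, baseline)
    findings += [f"unexpected nameserver: {ns}" for ns in added]
    findings += [f"expected nameserver gone: {ns}" for ns in removed]
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_RDAP, BASELINE_NS):
        print(line)
```

Run on a schedule against a freshly fetched RDAP record, any non-empty result is worth an alert, since a delegation change on a domain you believed was locked should never happen silently.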