In mid-2014, a Pennsylvanian U.S. grand jury charged the People's Liberation Army (China) with 31 counts of cyber espionage. The charges were the end product of an investigation into security breaches at five U.S. companies and one U.S. labor union. The Chinese government denied responsibility, and after President Xi Jinping and President Barack Obama met later that year to discuss trade and world affairs, China pledged to do more to help curb cyber hacking attacks.
Then in December of 2014, a suspected North Korean attack on Sony resulted in substantial breaches of emails and employee information. Again, the government denied involvement, and more promises were made to work to decrease cyber-threats.
You are on your own
I could go on and recount the numerous other attacks originating either from other countries (Russia, Nigeria, Iran, Syria, etc.) or from groups within the US. But I think the message is clear: you are on your own. If you don’t take your own security seriously, you get what seems to be inevitably coming to you.
Common ways security is breached:
- Enterprise-wide or regional networks were accessed while a company was building power plants in a developing country.
- Phishing emails were sent to company employees directly while the company was participating in trade cases with foreign steel companies. This allowed malware to be installed on corporate computers, which thieves used to steal hostnames and descriptions of other corporate computers.
- Network access credentials were stolen during a public trade dispute with a foreign state-owned enterprise.
- Bulk quantities of emails were stolen while a company was involved in a public trade dispute with foreign state-owned corporations.
- Three weeks after a joint partnership with a foreign company, phishing e-mails were used to acquire thousands of e-mail messages, attachments and other documents from the company’s computer network.
- A contractor (3rd-party vendor) hired to do IT maintenance was infiltrated by cyber-thieves, who recorded thousands of credit card account numbers using modified devices that the contractor had been hired to maintain.
- A disgruntled employee of “x” number of years decides to sell secrets, or access to the network, of a US company.
- Interns, new college hires from foreign lands, or foreign students graduating from US top-tier colleges, work within a company, gain access, remove information and then travel back to their homeland.
Given all these access points, what can be done?
Create a Code of Conduct
Create a Code of Conduct document on what is expected of employees, and the consequences of misbehavior. Update it as necessary and make sure all employees, new and tenured, have the current copy.
Schedule Frequent and Regular “Shred Events”
Give employees the time and ability to remove old versions and destroy extra copies of sensitive documents.
Conduct Audits on Regular Basis
Have a designated team audit document storage and the electronic files of employees in a random order. Learn from each audit and make system-wide improvements. Don’t make the audit findings the fault of the employee; make them the fault of the system that fails to support the employee doing the right thing.
Upgrade all your software, and maintain its versions
This is not just for anti-virus software, but for all communication software (mobile apps, cloud-based storage apps, legacy operating systems, laptop-based software used in sales, etc.).
Create Usernames, Access Levels & Tough Passwords
These are very basic steps, yet many small to mid-sized companies that service the larger corporations fail to take them, allowing access to emails from the corporate customer. A tough password has at least 8 characters and a mix of numbers, symbols, and upper- and lower-case letters.
Change Passwords Every 30 to 45 days
Change passwords on a regular basis and “Lock-Out” workstations when not in use. 65% of computer users use the same password across multiple accounts and fail to change it unless directed to by the software program.
Have Emergency Plans and Response Order
Develop a plan for each possible threat your company faces, such as robbery, theft, fire, hurricane, and violence in the workplace. Designate a response team or person and give them the authority and knowledge to act on behalf of the company in the event of an emergency.
Disconnect from the Web
Consider having dedicated computers connected to the outside world, and all others only connected to each other. This is common practice in highly secure organizations such as nuclear power plants, weapons facilities, and utility grid control centers.