Interview with Scott Youngs, CIO of Key Information Systems
Companies are turning to service providers with more frequency to improve the efficiency and reliability of their IT operations, but they don’t want to have to pay an enterprise-grade data center price. Enhanced security is also high on the list of reasons why organizations are turning to managed service providers (MSPs) for their IT needs. Many security problems are the result of internal human error. With an MSP, businesses can enjoy the peace of mind that comes with a dedicated outside team to provide extra levels of redundancy, improved oversight on sophisticated IT challenges, and effective backup during fire drills.
What are some of the main concerns that MSPs are hearing from their clients?
SY: Many companies just want to put a firewall in place and hope for the best. They have little to no understanding of how large the security issue is and the amount of work and dedication that goes behind securing their IT. In fact, planning all the levels of involvement – the firewall, antivirus, anti-malware, DDoS protection, data encryption, etc. – can all be overwhelming for IT teams. Security comes up in almost every data center conversation these days, especially given the amount of data breaches we see in the news every day. Hackers are getting sneakier and more advanced all the time.
What is social hacking and how can social hackers gain access to information?
SY: Social hacking, or social engineering, occurs when hackers gain permission for data without the proper authorization by manipulating human nature. In other words, this type of hacking often sidesteps the company’s IT department. These malicious actors can invade companies by using false credentials to mimic an individual of trust or importance, such as a CEO or a partner. For example, employees may receive requests from seemingly familiar vendors, but with slightly misspelled addresses, requesting confidential information. If stakeholders don’t realize that the credentials are a letter off or so, the hacker has achieved his goal once they share the information. Since it’s hard for people to say no to trusted figures like established vendor relationships or even members of the C-suite, hackers know that they are pretty likely to give out information.
Social hackers can even disguise themselves among social connections on networks like Twitter and Facebook, allowing them to research personal information from profiles or interests. This could be an aunt or a dog’s name – or even where the victim lives or goes to school. The hacker then uses this information to gain the individual’s trust, which ultimately enables them to gain access to a password or information they have no business knowing. Most people move so quickly, they may not even take the time to realize these queries are from strangers, and then it’s too late.
What industry suffers the most cyberattacks?
SY: Social hacking and ransomware are in all types of industries, but lately there’s been a lot of press on the medical industry being victim to these types of attacks. In 2015, data from more than 120 million health records had been compromised in more than 1,100 separate breaches since 2009, according to the U.S. Department of Health & Human Resources breach report. That is unacceptable, and scary. These types of breaches not only pose harm to sensitive information, they affect human lives. What if a doctor can’t view a CAT scan image because it is encrypted by ransomware? He can’t make a diagnosis if the image or his notes can’t be accessed.
How can companies educate employees on the dangers of social hacking and other cyberattacks?
SY: You cannot ignore the social side of security. It’s just as important as your IT and security vendors. Security should not fall solely on the shoulders of the IT department – it is the responsibility of the entire organization that business data is secure. Ask yourself these questions when it comes to evaluating the effectiveness of your cybersecurity:
- How often do you back up your data? Do you feel like it’s frequently enough? The more recent your backups, the less likely you are to have to pay ransoms for data to recover it at the point it was compromised. Make sure you test that these backups will work in an emergency, or you can even automate the process to cover you in case you miss a turn.
- Do your employees have a sense of what confidential information is? Teach them to question EVERYTHING – even if they are familiar with a source or process. It’s surprising how many cyberattacks occur because of this oversight. Consider giving a “pop quiz” of sorts by sending an email announcing an unexpected raise. A health organization actually tried this once, by sending an email to all of its employees, asking them to click a link and give their employee ID number and zip code to receive their check. An alarming two-thirds of the employees completed the request. Sure, they were probably angry once they found out it was only a test, but you can bet they probably will not give out information like that again.
- How does your company dispose of its data? Does the entire company follow the same protocol for clearing out all of its data? Not only is it best practice to make sure your team follows the same process for data destruction, but requiring employees to sign something stating that they understand the process and agree to follow it closely is also beneficial.
MSPs are also a great resource for educating non-IT employees within an organization on cybersecurity best practices. Nine in 10 companies are now requiring cybersecurity training to assess or improve security knowledge among their employees. Many professionals have no idea about the implications of a breach, and many believe that it’s not their responsibility to help watch for vulnerabilities since they are not a part of the IT department. Consider having an outside party who is skilled and well-informed help your company do this – an outsourced service provider with expertise in security safeguards.