By Megen McMichael, president, VECTEC Solutions
Have you ever found a bug in your kitchen and wondered, “How did that get in here?” Just like that bug found the smallest foundation crack to slip through; a hacker can find the smallest vulnerability in your business’s information systems. How do you stop these pests? Well for that bug you found, call an exterminator, but for those hackers – you are going to need to invest in cybersecurity.
If you plug the word cybersecurity into Google, it quickly returns over 19 million results which demonstrates the scope and complexity of this topic. Merriam-Webster succinctly defines cybersecurity as measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack. The Merriam-Webster definition is a good start, but it overlooks one key aspect – true cybersecurity is a perpetual function that is forever evolving and changing. Your systems and devices may be up-to-date and patched, but the pests are still out there looking for a new way to get in.
Vectec Solutions’ cybersecurity strategy has always been to try to stay one step ahead of the game. And yes, it is a game to some. These hackers get catchy little screen names and try to see who can out-do one another, never even considering the victim or the impact. The worst part is that this game will never end, and there is no winner.
When asked to write this article, a recent experience with one of our clients came to mind and I thought it might be fitting to share their experience in this context. We developed a basic, marketing oriented WordPress website for this small business, and once it was ready for the World Wide Web to see, we started discussing hosting plans and options. Our client selected a more cost effective hosting plan with a different solutions provider to cut costs. Long story short, the web host did not provide regular back-ups, software updates or any sort of added security features. Moreover, the site was hosted on a shared server with hundreds of other sites, each with their own vulnerabilities.
Needless to say, the website was eventually compromised and had to be taken off-line for several days. Our client was shocked that their small marketing-only website, which did not store any type of personal or sensitive data, was of any interest to hackers. In reality, hackers and their network of attack bots do not care if you are a Fortune 100 company, the U.S. government or a small business. If they can get in and do damage, they have met their goal of you now having to call an ‘exterminator’.
This particular client had to spend quite a bit of money to do forensics analysis to determine what all had been compromised. Had their hosting account’s username and password, which was the same username and password for access to other business systems, been obtained? (This is a very bad practice, but I will save this topic of discussion for another article.) Once they identified it was a WordPress username/password breach, along with SQL injections, they had to start the process of rebuilding a clean website. In the end, they ended up spending quite a bit of money, and their cost cutting measures were for naught. Sometimes that old adage is true – “you get what you pay for”.
Our client’s story underscores the importance of accepting that your information systems will always have vulnerabilities. As such, your security and technology strategies need to be aligned properly to find the best cybersecurity posture for your budget and risk profile. Here are some questions to ask:
- What is the backup plan?
- Are there regular updates in place? This would include things such as server operating systems, software updates to tools such as SSL, WordPress, security patches and the like.
- If using a tool such as WordPress, are there any extra security plug-ins in place (i.e. WordFence or IThemes Security)?
- What does the firewall set-up look like? Have ports been locked down/limited to what is absolutely necessary?
- Are there regular vulnerability scans in place for malware or spyware?
The above is certainly not a comprehensive list, but in my opinion, it’s a critical list for even the smallest small business. The answers to these questions will help shape a framework for your cybersecurity approach. To complete your approach, you will still need to choose your tools and establish the processes that you will execute day to day, week to week and month to month. And remember – this is an on-going, iterative process, so unless you like creepy crawlies in your kitchen and information systems, talk to your local ‘exterminator’ and get on a routine pest control plan.
Megen McMichael is President of Vectec Solutions, a technology services company in the Hampton Roads area. If you are looking for additional information on cybersecurity or need assistance with any technical needs, please feel free to contact her at megen.mcmichael@vectec.org. Vectec provides web hosting and support services as requested to COATS Staffing Software.