By now you’ve heard much about the WannaCry ransomware attack that affected over 200,000 systems across the globe. In short, it exploited a vulnerability in the Windows operating system and rendered systems useless until a ransom was paid. Microsoft had recently released a patch that protected some systems, but unpatched systems and outdated systems like Windows XP — which is no longer supported by Microsoft — were wide open to the vulnerability. WannaCry 2.0 is coming soon and is expected to be much worse than the first wave.
In general, hackers cast a wide net and aren’t necessarily expecting to succeed against well-maintained and supported systems. They are targeting individuals and organizations who have Blind Spots. Blind Spots are the “I don’t know what I don’t knows” with regard to IT. “Are all of our systems patched and up to date?” – “Maybe? I don’t know.” “Does our firewall have the latest firmware and security settings?” – “I don’t know, don’t they all?” “Are we sure there are no users or ex-employees still in our systems with potential access?” – “Someone must be checking, right?”
Blind Spots are the result of a lack of process in managing and maintaining IT systems. Most people think their IT manager or outsourced IT people have a process for ensuring IT systems are up to date and secure, but over 200,000 WannaCry breaches tell us otherwise. In fact, most of the IT industry is so focused on putting out IT “fires” that time and resources generally aren’t available for the important processes around system checks, Standards and Best Practices – which are what eliminate Blind Spots. There needs to be a process for constant review of IT systems, with reporting to management on what has been checked and whether there are any areas of risk or concern.
Here are a few examples of telltale signs of having Blind Spots:
- You do not receive a Best Practices/Standards/Risk report (in IT, if it isn’t reported, it generally isn’t being done). This report should identify all the best practices/standards checks that have been done, where any areas are out of compliance, the risk level of being non-compliant, and what is required to remedy the situation. This goes beyond the simple industry report that tells you how many tickets were reported to the help desk and how much downtime you had. Without a report like this, no one is checking for vulnerabilities, and you will most likely have some.
- You are paying hourly for your IT service. Hourly IT service providers or consultants generally do not get paid for proactive service, nor do they spend the time to develop the processes and procedures necessary to deliver a proactive service, which leaves you exposed.
- You don’t have a process for testing backups or don’t know your process for recovery in the event of a disaster. Most businesses have backups in place, but without a process in place for testing regularly, you won’t know for sure if the backups are complete and trustworthy. Furthermore, in the event of a disaster, how much downtime can your business afford?
- You average one or more IT issues per supported system user per month (e.g. if you have 50 system users and 50 or more IT issues per month). This level of IT issues points to a weakness in following Standards and Best Practices, which would cut this number down drastically. Issue levels like this also indicate that most of your labour is being dedicated to putting out IT “fires”, leaving you exposed.
Some false assumptions around IT and security:
- I have antivirus and a firewall, so I’m protected, right? A firewall and antivirus are great security tools, but they are now only a small part of what’s required to protect against today’s advanced threats. Without the process and dedicated resources for proactive system checks, you will have vulnerabilities.
- We have monitoring, so my provider will be able to see and stop issues before they happen. Many people misunderstand standard IT monitoring tools, mainly because they are sold and marketed as a magic “proactive” weapon. However, monitors are not proactive at all: they only report incidents after they occur. The oil light in your car is a similar monitor. When it comes on it’s too late – you’re out of oil! I’m sure monitors around the world went off letting businesses know their systems had stopped working – when it was too late to do anything about it.
- We’re a small business, they’re not targeting us. Hacking is a multi-billion-dollar industry – organizations overseas are set up as businesses that look just like yours and mine, with salaried employees, vacation, sick days, office parties, health care etc., except that these are criminal organizations. They are growing in sophistication and are increasingly targeting smaller businesses, which do not invest as much in their IT and security as bigger businesses and are therefore easier targets.
How do you make sure that you don’t have Blind Spots or security risks?
- Ensure there is a regimented process around proactive system checks (there should be 75-100+ check items for an average IT network)
- Ensure you are receiving regular reports on what has been checked, if there are any areas of risk or concern and options for remediation
- Ensure you have a process for testing backups regularly and that you are part of the testing process – this should include complete disaster testing
- Ensure your IT provider is security-focused and process-driven and has an ISO or similar process-focused accreditation
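To make the backup-testing point above concrete, here is an added Python example (not from the original post, and not PACE Technical Services' own tooling) that does the two checks a restore test must answer: is the backup complete, and is it trustworthy? It builds a SHA-256 manifest of the source tree, then compares a restored copy against it and reports files that are missing, altered or unexpected. The directory layout and file contents are constructed inline for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large backups do not load into memory


def sha256_file(path):
    """Hex SHA-256 of one file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative POSIX path -> sha256 for every regular file under root.

    Run this against the live source when the backup is taken and store the
    result with the backup; it is the reference the restore test is judged by.
    """
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the source manifest.

    Returns lists of files that are missing (backup incomplete), corrupted
    (present but content differs) and extra (not in the manifest), plus an
    overall ok flag. Extras are reported but do not fail the test.
    """
    restored = build_manifest(restored_root)
    missing = sorted(k for k in manifest if k not in restored)
    corrupted = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    extra = sorted(k for k in restored if k not in manifest)
    return {
        "missing": missing,
        "corrupted": corrupted,
        "extra": extra,
        "ok": not (missing or corrupted),
    }


def demo():
    """Constructed scenario: a source tree, then a 'restore' that silently lost
    one file and has a damaged copy of another. Returns the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        dst = Path(tmp) / "restored"

        # Source as it looked when the backup was taken (constructed sample data)
        (src / "db").mkdir(parents=True)
        (src / "db" / "ledger.db").write_bytes(b"ledger-rows-" * 100)
        (src / "config.ini").write_text("[app]\nmode=prod\n")
        (src / "notes.txt").write_text("quarterly notes\n")
        manifest = build_manifest(src)

        # The restored copy: same size for ledger.db but different bytes,
        # config.ini intact, notes.txt never came back.
        (dst / "db").mkdir(parents=True)
        (dst / "db" / "ledger.db").write_bytes(b"ledger-rows-" * 99 + b"ledger-rowX-")
        (dst / "config.ini").write_text("[app]\nmode=prod\n")

        return verify_restore(manifest, dst)


if __name__ == "__main__":
    report = demo()
    status = "PASS" if report["ok"] else "FAIL"
    print(f"restore test: {status}")
    for kind in ("missing", "corrupted", "extra"):
        for name in report[kind]:
            print(f"  {kind}: {name}")
```

The size check that many backup tools rely on would have passed the damaged `ledger.db` here; only comparing content hashes catches it. Keeping the manifest alongside the backup, and having someone outside IT sign off on the resulting report, is what turns "we have backups" into a tested recovery process.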
Do you have Blind Spots? What are your “I don’t know what I don’t knows” about your IT? If you’re unsure, I can almost guarantee you have blind spots and unknown vulnerabilities. Reach out to us at PACE Technical Services today at 905.763.7896 Ext. 214 or firstname.lastname@example.org for an evaluation to know for sure.