By Laura Haight
Originally published as The Digital Maven in Upstate Business Journal

In the last month, two major cyber-security reports have been released — one from Verizon and one from Symantec — that are both scary and really scary.

It you have a large IT department, they may be reading and analyzing these reports. But if you are like the vast majority of small businesses, you have a small-to-non-existent IT department, a part-timer or outsourced service. Do they fill the role of strategic IT advisor? Most likely not.

So here are some takeaways you should be thinking — and talking — about.

Updates and virus protection are very important and they must be done. But they are not the guardian at the gate that we used to think they were. As hacking has become more profitable and more prolific, there are a lot more people figuring out how to get into our systems than there are experts stopping them. As Doug Hewes, chief information security officer for the state’s Health and Human Services department, noted at a GSATC Lunch in January, we are outgunned and outmanned.

The data bear that out. Symantec reported that in “2014, it took 204 days, 22 days, and 53 days, for vendors to provide a patch for the top three most exploited ... vulnerabilities. “ Once a patch is provided, it can still be years before company systems and websites are patched and updated. The Verizon report found that 99.9% of exploited vulnerabilities were compromised more than a year after they became known. Some hacks in 2014 exploited known vulnerabilities from as far back as 1999. (Are you still running Windows XP?)

The broadest software vulnerability of 2014 was Heartbleed — an exploitation of a software hole that hackers use to distribute malicious code. Zero Day attacks are a growing strategy by cyber criminals in part, it seems, because we are so slow to patch systems once vulnerabilities become known.

In fact, in early April — one year after Heartbleed — Bloomberg Business reported that 74 percent of the companies comprising the Forbes 2000 — that’s 1600+ major companies — had not thoroughly fixed the Open SSL hole on their servers and networks.

While we are talking about guardians at the gate, who are yours? It is your firewall, your intrusion detection system, spam filtering? Nope. All of those things are important, critical even. But the single biggest vulnerability for every business, nonprofit or governmental agency are authenticated users. Every major hack and breach has had one thing in common: they started with someone innocently or carelessly letting them in.

So there you are with your major IT investment in hardware and software, but your staff are still opening email they shouldn’t, following links they shouldn’t and downloading photos, videos and applications that they shouldn’t. Coming along happily on this ride: the malware that took down Sony, hacked Anthem, and exposed 56 million records at Home Depot.  

That’s especially disturbing since Verizon reports the percentage of recipients who open phising emails and click on attachments is actually going up — 23 percent in 2014 compared with 10-20 percent in recent years. A security test using 150,000 emails found it took less than an hour for 50 percent of users to open the emails and click on the links. The good news? Fewer people seem to be giving up passwords on faked websites.

These are just two of dozens of aspects you might need to know about. But in knowing these two, what can you do now?

First, be aware. Do the cloud services you use, other companies you do business with protect your data? There are many exploits, and it’s impossible to know them all. But you can check any site for the Heartbleed vulnerability at this site maintained by the security company LastPass.  When it comes to your own servers, systems and procedures, you may have exposures you don’t even know about. Get the advice and support you need to best protect yourself.

Second, work with your staff constantly so that they understand that they are the critical piece in protecting their clients and customers. They — and not some expensive piece of hardware —are the guardians at the gate.

FBI DIrector James Cormey has said there are two kinds of businesses — “those that have been hacked and those that don’t know they’ve been hacked.” You will be hacked, he has said, “get a plan”.

What’s your plan? Contact Portfolio and we'll help you build one you can live with.