As business owners, with so much talk about cybersecurity and all of the threats that face us, we tend to put a lot of faith in the security investments we make. I say we, because an IT company has to be as protected as, if not more protected than, its most demanding client. I’m going to talk shop a little bit about security, and some major concerns that I have in regard to all of our businesses.
I want to start by saying that I think we (as in, all local business owners) need to never put complete blind faith in something that our business relies on.
Let’s start with an analogy. When you buy a car, you expect that the car will operate pretty well during its life expectancy. According to Consumer Reports, the average life expectancy of a modern vehicle is around 8 years or 150,000 miles. You expect that your new car, with proper maintenance, will last you at least that long, if not longer.
You might think, well, as long as I don’t have a collision or have a deer jump out in front of me, this car is going to get me everywhere I need to be for the next several years.
Let’s look at cybersecurity for your business. You invest in a backup, in a firewall, in a security suite, and you perform audits with your IT company to get everything locked down. You are patching all of your software, your end-users are using 2FA for everything, and you are spending a good amount of money on protecting your data.
You might think, well, as long as I have all this security infrastructure and keep it maintained, I’m good for a few years until this version of Windows Server hits end of life, or until it’s time to swap out old hardware and upgrade it with something new. Either way, you probably feel like you at least purchased some peace of mind.
I’m not trying to sound bleak. In fact, I have a lot of confidence in my techs, in the solutions we use (both for us and our clients), and in the security of my data. When we work with a client and set them up with all of our security solutions and our business continuity device, I have confidence that these tools will operate as expected, and when they don’t, my technicians will be made aware quickly and resolve the issue. We’ve done this time and time again.
Why am I worried that we are putting too much stock in trusting that, say, a firewall is infallible?
More and more often I’m seeing news about different software providers disclosing attacks and breaches that they experience. Most recently, the popular antivirus company Avast and the virtual private network service NordVPN were targets of data breaches. In both breaches, it sounds like no end users were harmed, but these attacks are complicated.
Another security firm, Comodo, was recently attacked by hackers who exploited a vulnerability on its user forums. The breach resulted in the theft of 245 thousand users’ personal data.
Back in August, Imperva, which provides high-end cybersecurity protection solutions, informed customers that it recently discovered a “security incident” that exposed the sensitive information of users utilizing one of its products over the past 11 months.
These cybersecurity businesses are doing the right things. They are disclosing the breaches and taking proper action to protect their customers and prevent further issues. The problem is that we are seeing more and more businesses like this getting targeted, and the threats then trickle down.
Sure, it’s scary that these cybersecurity giants are being targeted by cybercriminals, but it’s much more relatable (especially for me) that managed service providers are in the crosshairs.
Last October, the U.S. Department of Homeland Security’s Computer Emergency Readiness Team issued an alert regarding cybercriminals attacking MSPs directly, and over the last year we’ve been seeing more and more cases where an MSP was the target of a data breach.
I’m not saying that our clients are at risk simply because we are a managed IT provider. Again, I’m trying to avoid being bleak, but I do feel that a little paranoia is healthy when it comes to your data. We are extremely adamant about our own cybersecurity. We believe it is our responsibility to raise the bar when it comes to protecting data, especially the data of our clients.
The point is, it’s good to question your investments and not place total confidence in something.
No matter how comprehensive it is, you should always be auditing your cybersecurity. As a business owner, even though I want to fully entrust everything I’ve invested in to protect my network and my data, I know I NEED to run regular audits and penetration testing to make sure what I’ve bought and set up is actually doing its job.
If you aren’t having your network regularly tested and audited, it is time to start. If you are already working with an IT company and they are telling you with full confidence that your network is safe, get a second opinion.
We’re happy to be that second opinion, and we’re happy to be discreet. If you want to get started with a network audit, give us a call at (703) 821-8200.