What Are Your Blind Spots?
By now you’ve heard much about the Wanna Cry ransomware attack that affected over 200,000 systems across the globe. Basically, it attacked a vulnerability in the Windows operating system and rendered systems useless until a ransom was paid. Microsoft had released a patch recently that protected some systems, but unpatched systems and outdated systems like Windows XP -- which is no longer supported by Microsoft -- were wide open to the vulnerability. Wanna Cry 2.0 is coming soon and is expected to be much worse than the first wave.
In general, hackers spread a wide net and aren't necessarily expecting to be successful with well-maintained and supported systems. They are targeting individuals and organizations who have Blind Spots. Blind Spots are the "I don't know what I don't knows" with regards to IT. "Are all of our systems patched and up to date? – Maybe? I don't know". "Does our Firewall have the latest firmware and security settings? – I don't know, don't they all?". "Are we sure there are no users or ex-employees still in our system with potential access? – someone must be checking, right?".
Blind Spots are the result of a lack of process in managing and maintaining IT systems. Most people think their IT manager or outsourced IT people have a process for ensuring IT systems are up to date and secure, but over 200,000 breaches of Wanna Cry tell us differently. In fact, most of the IT industry is so focused on putting out IT “fires” that time and resources aren’t generally available to take care of the important process around system checks, Standards and Best Practices – which eliminate Blind Spots. There needs to be a process for constant review of IT systems and reporting to management of what has been checked and if there are any areas of risk or concern.
Here are a few examples of telltale signs of having Blind Spots:
- You do not receive a Best Practices/Standards/Risk report (in IT, if it isn't reported, it generally isn't being done). This report should identify all the best practices/standards checks that have been done, where any areas are out of compliance, the risk level of being uncompliant and what is required to remedy the situation. This goes beyond the simple industry report that tells how many tickets were reported to the help desk and how much down time you had. Without a report similar to this, no one is checking for vulnerabilities and you will most likely have some.
- You are paying hourly for your IT service. Hourly IT service providers or consultants generally do not get paid for proactive service nor do they spend the time to develop the processes and procedures necessary to execute a proactive service, which leaves you exposed.
- You don’t have a process for testing backups or don’t know your process for recovery in the event of a disaster. Most businesses have backups in place, but without a process in place for testing regularly, you won't know for sure if the backups are complete and trustworthy. Furthermore, in the event of a disaster, how much downtime can your business afford?
- You have on average approximately one or more IT issues per supported system user (e.g. if you have 50 system users and have 50 or more IT issues per month). This level of IT issues points to a weakness in following Standards and Best Practices which would cut this number down drastically. Higher levels of issues like this are also indicative that most of your labour is being dedicated to putting out IT “fires” and leaving you exposed.
- I have antivirus and a firewall, so I’m protected, right? A firewall and antivirus are great tools for security, but they are now only a small part of what's required to protect against today's advanced threats. Without the process and dedicated resources for proactive system checks, you will have vulnerabilities
- We have monitoring so my provider will be able to see and stop issues before they happen. Many people misunderstand standard IT monitoring tools mainly because they are sold and marketed as a magic “proactive” weapon. However, monitors are not proactive at all as they only report incidents after they occur. A similar monitor is the oil light in your car. When it goes off it’s too late – you’re out of oil! I’m sure monitors around the world went off letting businesses know their systems stopped working – when it was too late to do anything about it.
- We’re a small business, they’re not targeting us. Hacking is a multi-billion-dollar industry - organizations overseas are set up with businesses that look just like yours and mine with salaried employees, vacation, sick days, office parties, health care etc., except that these are criminal organizations. They are growing in sophistication and are even moreso targeting smaller businesses that do not invest as much in their IT and security as bigger businesses and thus are easier targets.
- Ensure there is a regimented process around proactive system checks (there should be 75-100+ check items for an average IT network)
- Ensure you are receiving regular reports on what has been checked, if there are any areas of risk or concern and options for remediation
- Ensure you have a process for testing backups regularly and that you are part of the testing process – this should include complete disaster testing
- Ensure your IT provider is security-focused and process-driven and has an ISO or similar process-focused accreditation
Related Blogs.
-
Read more
IT Resolutions: Improve Security, Backups and Employee Productivity
Get Better IT Results. Your Business or Firm Should Consider These New Year IT Resolutions.Happy New Year! During this time of year, we meet with companies that either want to find improvements or fla... -
Read more
Common mistakes businesses make when it comes to their cybersecurity culture
We all desperately want to believe it won’t happen to us. However, cyber threats are everywhere and on the rise. Cybersecurity training empowers your employees to be a front-line of defense against cy... -
Read more
PACE Technical is a 2023 Best Workplaces™ in Technology!
PACE Technical is proud to announce that our organization has been named again on the 2023 Best Workplaces™ in Technology list. PACE has received this honour after a thorough and independent analysis ... -
Read more
Looking for Love? Definitely Don't Look Here...
Just like most millennials, I was catching up on an episode of "90 Day Fiancé: Before The 90 Days", when I came across the "unique" love story of Maria and Caesar. During the first few minutes of the ... -
Read more
Our April Feature In ChannelPro Magazine!
About ChannelPro Magazine The ChannelPro Network is a media company providing targeted business and technology information for IT decision makers and channel partners. Via its websites, live events an... -
Read more
Improve Workplace Efficiency & Productivity with Ongoing Employee Training Courses
The Top 5 Reasons Why Your Business Needs To Implement Employee Training Courses If you are looking to improve your employees’ productivity and keep your business operating at peak efficiency, then he...
