The Twitter Hack Proves that Nobody is Safe from a Breach Steps that Small and Midsize Enterprises Can Take to Improve Cybersecurity On July 15, 2020 attackers were able to enter Twitter’s system and take over a large number of verified accounts, including the likes of Barack Obama, Elon Musk, Kanye West, Bill Gates, Joe Biden, and many others. The attackers then were able to tweet out phishing/social engineering messaging from said accounts and walk away with over $121,000 worth of untraceable Bitcoin currency. It may be old news in the fast-paced cybersecurity community, but the breach of a company as large as Twitter should be an eye-opener for businesses of all shapes and sizes. This breach shows that no matter how advanced your processes are or how big your team is, you are still vulnerable to compromise. Even so, not every company has the resources to strengthen their cybersecurity controls and maximize their defense against attacks like the Twitter hack. While the juggernauts like Apple, Google, and even Twitter themselves will be able to learn and grow from the incident, many small and medium-sized businesses are left wondering what their takeaway should be—if anything. What can the average organization possibly do to prevent breaches when even Twitter could not? Do small and medium-sized businesses even need to worry when their data seems so much less enticing than say an account of a former president? The answers are that there is a lot every organization — especially the smaller ones — can do to improve their cybersecurity, and that, yes, all companies are likely to face an attack and need to be prepared. Although, the rewards gained infiltrating lower profile organizations may be smaller, so are the challenges nefarious attackers face in doing so. Everyone needs to take whatever steps they can to put their company, no matter the size, in the best position possible to prevent and recover from inevitable attacks. Security Starts with Humans The biggest vulnerability to any company’s cybersecurity are the humans they employ. In fact, at least 60% of personal data breaches (PDBs) are the result of human error. Recent advancements in phishing and social engineering have been detrimental to the security posture of most companies across the globe. This change is because most attack attempts sent to employee email addresses are now nearly indistinguishable from the messages they would regularly receive from the boss. However, despite the growing sophistication of these types of tactics, we are not all doomed to become helpless victims. Instead, small and midsize companies need to lean into one of the most important measures they can take to maximize their cybersecurity: training employees on cybersecurity best practices and company policies for reporting breach attempts. Clearly defining red flags for employees to notice and also establishing a detailed protocol for reporting to your cybersecurity team will ensure that attackers get no “easy wins” in breaking your defenses. Investing in the ongoing education of your employees will go a long way in protecting your company. Implementing these measures in your company will likely reap big savings when it comes to time, money, and data in the long run. You Can’t Fight What You Can’t See When it comes to security breaches, you can’t fight what you can’t see. Awareness is often regarded as one of the most important parts of cybersecurity. Cybersecurity awareness is defined as “the combination of both knowing and doing something to protect a business’s information asset.” This awareness is vital because the earlier an attempt or breach is discovered, the sooner it can be remedied and prevented in the future. Improving cybersecurity awareness company-wide is another investment to make to shore up cybersecurity overall in a small or medium-sized business. But how can a smaller company with limited resources achieve this goal? The answer is to clearly establish a comprehensive and real-time view of both the assets you have and the defenses that are in place within your company. Once these two existing resources are clearly defined, it’s vital for your security team to consistently assess and monitor assets and defenses. By making the consistent evaluation of your assets a priority, you’ve already improved your cyber defenses. There is a common belief that small businesses are not targets for attackers because there isn’t enough to gain from breaching their defenses. This thinking can lead small business owners to invest money in other areas of their company instead of cybersecurity, resulting in lax security posture. However, this belief couldn’t be further from the truth, as around 36% of small businesses have suffered from a data breach. Making the Right Friends While improving your employees’ education on preventing breach attempts and investing in increased cybersecurity awareness will help bolster your defenses, your in-house resources can only get you so far. The honest truth is that many small and medium-sized businesses are limited in their defensive ability against the majority of the dangerous cyber attacks present in the wild. Being honest about your limitations and then reaching out to “make new friends” will prove to be invaluable for your company’s long term healthy. These “friends,” in the form of both tools and partners, are a way to fast-track plugging major holes your security may have. Although purchasing software or platforms and enlisting contractors can require a larger investment than the other steps mentioned above, doing so can also take the biggest burden of menial tasks off the in-house team. But who are the right friends to make, and how do you make them? The resources you need most will vary company-to-company, which is why it’s important to conduct an internal audit on your security posture and identify tangible gaps in your defense quality. These gaps will point you in the direction of companies who can provide the services or platforms, like us at PlexTrac, to improve the efficiency of your existing security resources. Additionally, your audit can help determine other companies to befriend who may be able to bolster your human capital by providing actual defense services, as many small and medium-sized organizations simply do not have the cybersecurity personnel necessary to do all the work that needs to be done. Whether your company needs external help or can manage your security in-house, it’s vital to perform regular audits on your cybersecurity posture. These audits will either point your team in the right direction for improvement or show you that you can’t take on all of your existing threats yourself. Either way, you’ll learn something useful to strengthen your defenses. We may not all be Twitter but we can all learn something from their recent breach. No matter what you have to protect or how well you are defending your organization, hacks happen. For many small and medium-sized organizations taking some simple steps can dramatically improve security posture and better equip them to fight the modern inevitably of an attack attempt.
Vulnerability Assessment vs Penetration Testing: Understanding the Key Differences Vulnerability Assessment vs Penetration Testing READ ARTICLE
Unlocking Continuous Threat Exposure Management: New Features for Prioritizing Remediation Based on Business Impact The evolution of product security READ ARTICLE