The Costs of Ignoring
February 13th, 2019
Odds are you’ve already seen it. And your users have. An innocuous-seeming email or link pops up, gets clicked, and before you know it strange things are happening with your machine, your network, and your sensitive client data. In the best cases this can be resolved by running anti-malware and anti-virus toolkits; at worst you can say hello to the headlines.
CIS Network Security experts work with clients to ensure that not only will they be kept out of the newspapers, but that malicious code will be kept out of their environment almost entirely.
In a recent case, an executive user at a major marketing and copywriting firm that had not previously worked with CIS was experiencing some strange symptoms on her PC. The “~” character began appearing thousands of times in documents and spreadsheets, and strange .exe files were being attached to her web-based emails. After determining that no keys on the keyboard were stuck, the executive considered her options…
Across 25 years of work in network security, CIS’ experts have learned that users in this situation essentially take one of three paths:
“Nothing to see here…” No action is taken.
“I can handle this.” / “This is IT’s problem.” Tech-savvy users or IT administrators may restore Windows from a backup, or deploy their own toolkit to purge malicious code from the individual machine and from the network.
“This needs some expertise.” Contact CIS’ experts for triage and then security testing, analysis, and training.
The first option is clearly unacceptable behavior from users but is quite common. Whether through fear of consequences, belief that everything will somehow be OK, or sheer ignorance, users are often slow to report potential security breaches resulting from their mistakes. This can leave entire organizations exposed to malicious actions ranging from data theft, to operational takeover of a network, to deployment of ransomware.
The second option provides a measure of security. IT administrators can run publicly available toolkits and deploy anti-virus software to keep malicious executables from launching in the environment. The approach is still limited: most major anti-virus and anti-malware utilities can only be updated to detect emerging code after it has been discovered “in the wild,” which leaves large gaps for so-called zero-day attacks to wreak havoc on organizational networks across the globe. The approach is also bounded by the network security knowledge of in-house IT resources. Through no fault of their own, this is typically an area in which many internal resources and “our computer guy”(s) come up lacking. Network security is an ever-changing landscape that requires dedicated attention; anyone splitting their time between password changes and replacing users’ monitors can’t hope to keep up.
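To make the gap concrete, here is a small illustration written for this page (example code, not a CIS tool or anything from the client environment described). A hash blocklist in the style of a signature feed only recognizes samples it has already seen, so a trivially rebuilt variant sails past it; a structural check on the attachment bytes themselves, which a mail gateway can apply regardless of file name, still catches it. The PE-shaped byte strings, the extension list, and the function names are all constructed for the example.

```python
import hashlib

# Constructed samples only: minimal byte strings shaped like a Windows PE file,
# not real malware. KNOWN_BAD stands for a sample an AV signature feed has seen.
def _fake_pe(payload: bytes) -> bytes:
    # DOS header: "MZ" magic, padding, then e_lfanew at offset 0x3C pointing to
    # offset 0x40, where the "PE\0\0" signature lives.
    return b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + payload

KNOWN_BAD = _fake_pe(b"dropper build 1")
VARIANT = _fake_pe(b"dropper build 2")      # rebuilt once: new hash, same behaviour
PDF_DOC = b"%PDF-1.4\n%benign constructed document\n"

# Hash blocklist standing in for signature-based AV: it only knows samples
# that were already reported "in the wild".
BLOCKLIST = {hashlib.sha256(KNOWN_BAD).hexdigest()}

# Extensions a mail gateway for a typical office should not pass at all (assumed policy).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".js", ".vbs", ".hta"}


def signature_match(data: bytes) -> bool:
    """Signature model: exact match against previously seen samples."""
    return hashlib.sha256(data).hexdigest() in BLOCKLIST


def is_pe_executable(data: bytes) -> bool:
    """Structural check independent of the file name: a DOS 'MZ' header plus a
    'PE\\0\\0' signature at the offset stored in e_lfanew (bytes 0x3C..0x3F)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def attachment_verdict(filename: str, data: bytes) -> str:
    """Gateway policy applied before the user ever sees the attachment.
    Returns 'block:<reason>' or 'allow'."""
    if signature_match(data):
        return "block:known-signature"
    name = filename.lower()
    if any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS):
        return "block:extension"
    if is_pe_executable(data):
        # Catches "invoice.pdf" that is really an executable, whatever it is named.
        return "block:executable-content"
    return "allow"


if __name__ == "__main__":
    for fname, blob in [("report.exe", KNOWN_BAD), ("report.exe", VARIANT),
                        ("report.pdf", VARIANT), ("report.pdf", PDF_DOC)]:
        print(fname, "signature hit:", signature_match(blob), "->", attachment_verdict(fname, blob))
```

The second and third rows are the point: the rebuilt variant no longer matches the signature, so only the extension policy and the content check stop it, and the content check still fires when the file arrives named as a PDF.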
Fortunately for our example executive, she chose option three. CIS was able to purge a particularly devastating piece of ransomware from the environment before it could encrypt anything. Following this scare, the client asked CIS to conduct a full Vulnerability Assessment and help educate her users. CIS found numerous vulnerabilities in the environment, from the lack of a uniform platform to combat malware, to the absence of basic network security devices, to unaware users; it was only through luck that a serious breach had not already occurred.
Engaging CIS’ team of network security experts gives small and medium-sized organizations by far the best opportunity to achieve true security on their network without breaking the budget. CIS experts run proprietary, industry-leading tools to purge a client’s environment of any existing malware or virus code and to carry out an in-depth Vulnerability Assessment that establishes the state of security on the network.
The CIS team then reviews findings with IT staff, executives, and other relevant personnel, to determine a course of action to secure the network. CIS’ experts make a range of recommendations based on findings. Tailored specifically to each client’s industry, profile, budget, and personnel, recommendations include not only what hardware and software to implement, but also ways to improve the security awareness of the end-user community.
CIS firmly believes that end-user awareness is the cornerstone of true network security. Alarmingly, testing of these end-users shows this is an area of glaring weakness. This is borne out year after year in industry study numbers that say end-users are the leading source of network security breaches.
As part of the user awareness campaign, CIS designs a customized training program that focuses on the specific weaknesses uncovered through end-user-focused attacks such as phishing, spear-phishing, shoulder-surfing, and other mechanisms. Training is typically conducted in several small user sessions, at times that will not impact productivity. Training follows a test-train-retest approach that confirms users are understanding and applying the concepts presented to them. CIS strives to reach even the least technically savvy users at every client during these sessions and can include customized training materials to shorten the learning curve.
While no network can ever be guaranteed 100% secure, regardless of budget or profile, dedicating a small portion of the IT budget to a program of network security testing and end-user awareness training will dramatically decrease the odds of a security breach. Our example executive was very lucky to avoid disaster in her unsecured environment. As many less fortunate organizations have discovered, ignoring network security today is invariably more costly tomorrow.