The 2018 Winter Olympics are underway in South Korea, and cybersecurity professionals in PyeongChang and elsewhere are working overtime to combat the elevated potential for cyberattacks. With thousands of tourists, athletes and celebrities in PyeongChang all using their smartphones and accessing Wi-Fi networks, hackers from Russia, North Korea, and other regions are certain to take notice.
Whether you've had an opportunity to visit PyeongChang or are simply watching the Winter Olympics from home, we hope that you're using the web carefully and monitoring your social media accounts closely.
With cybersecurity experts on high alert, watching the Winter Games has made us pause for reflection. During the Olympics, athletes from around the world compete for recognition as the best in their fields.
In the digital world, would your company be worthy of receiving a gold medal for cybersecurity? We believe that one of the best qualities of a security-minded company is a willingness to think unconventionally and realize that the commonly accepted "best practices" don't always apply in modern cybersecurity.
Let's examine a few examples of how unconventional thinking can make your company worthy of a cybersecurity gold medal.
Best Practice: Force Users to Choose Complex Passwords
Why it no longer works: Hackers don't need your passwords
A dictionary attack is only one of the many ways in which hackers may attempt to compromise your company's systems -- and dictionary attacks against business networks aren't actually that common because they're easy to detect and block. It's more likely that a hacker who wants to penetrate your network will exploit a zero-day vulnerability in your software or plant malware on one of your machines to harvest passwords.
Companies around the world have embraced software as a service and run their software in the cloud rather than on local machines. One of the reasons why software as a service has become so popular is because it removes much of the security burden from the user.
Cloud providers know about zero-day vulnerabilities -- it's their job. They also know how to detect and prevent all forms of unusual network activity. Forcing employees to choose complex passwords is a great first step in preventing unauthorized network access. When you run your applications from the cloud, the cloud provider handles everything else.
Best Practice: Use a RAID Array to Protect Corporate Data
Why it no longer works: RAID is obsolete and dangerous with large hard drives
If your company uses a network-attached storage device or RAID controller for data redundancy, it's likely that you're using either RAID 5 or RAID 6. A RAID 5 array can tolerate the loss of a single drive; RAID 6 tolerates the loss of two drives. RAID sounds like a good solution for data protection until you consider the fact that a single read error encountered while rebuilding a RAID 5 array will cause the entire rebuild operation to fail -- and the larger a hard drive is, the more likely a read error is to occur.
IBM estimates that rebuilding a 42 TB RAID 5 array with enterprise-class hard drives has a 3.66 percent chance of failure. With consumer-class hard drives, the chance of failure is about 96.5 percent. A large RAID 5 array with consumer-grade hard drives, in other words, offers almost no data protection. Using RAID 6 greatly increases data safety, but growing hard drive capacities will eventually render all forms of parity-based RAID obsolete.
Have you ever wondered how cloud technology companies can guarantee the safety of your data if parity-based RAID is so unreliable? Cloud networks don't use RAID. Instead, they use file systems that distribute redundant data across hard drives, servers and data centers.
If a hard drive in a cloud data center dies, there's no array to rebuild; the entire network just continues chugging along. If you've already realized that RAID is obsolete and migrated your company's data backups to the cloud, you've taken the best possible step to protect your organization from ransomware and other forms of malware. If you're still relying on RAID to protect your data, consider this your wake-up call.
Best Practice: Relying on Antivirus Software
Why it no longer works: Antivirus software is a poor defense for zero-day threats
Since a capable antivirus solution -- Windows Defender -- comes with every new Windows computer, it's likely that there are more computers with antivirus software today than ever before.
Cyberattacks haven't ended because of antivirus software; they've only become more insidious. For example, the U.S. government claims that the 2017 WannaCry attack -- a ransomware attack that struck computers around the world -- was a state-sponsored attempt to earn illicit funding for North Korea's nuclear program. It's likely that most of the infected computers had antivirus software. That didn't matter because antivirus software can only protect computers from known threats.
A threat can spread around the world before antivirus software makers discover it.
How can you defend your company from an attack that doesn't exist yet? One way is to implement an application whitelisting policy and manually approve the applications that your computers are allowed to run. If a virus can't run, it can't infect a computer.
Another way is to augment your in-house antivirus software with a cloud-based security solution that uses machine learning to detect likely threats.
Best Practice: Banning Mobile Devices in the Office
Why it no longer works: Mobile devices can increase employee productivity
Every new technology presents a potential security risk for businesses. During the personal computing age, offices have banned optical discs, USB drives, digital cameras and smartphones due to the inherent risks of those technologies. Every time your company bans a technology rather than developing a way to embrace it safely, you potentially harm your organization's productivity.
Technology for cloud-based administration of mobile devices makes it possible for your organization to create and manage separate work accounts on employees' devices.
With remote device administration, you can control the applications that team members can install and the websites they can visit. You can even delete work-related data remotely if an employee leaves the company.
Remote administration doesn't guarantee that a mobile device -- intentionally or inadvertently -- will never become a security risk, but it does minimize the chance of a breach occurring. Allowing employees to bring their own devices to work can greatly increase productivity because it creates opportunities for remote working.
Putting It All Together: Does Your Company Deserve a Cybersecurity Gold Medal?
We believe that one of the primary qualities of a company that deserves a cybersecurity gold medal is a willingness to discard or modify the "best practices" of past decades if those practices no longer apply.
In this article, we've cited four examples of outdated security practices that are no longer good enough to protect your business from cyberattacks. Can you think of any others?
If you can't, it might be a good idea to make an appointment to chat with the team here at Continuous Networks. Since 1997, we've been helping small and medium-sized businesses leverage their technology to maximize productivity. The truth is when things are working well, your employees are happier.
We'll provide a free audit of your existing infrastructure and help you plan a blueprint to help you win the goal medal in cybersecurity.