Securing Your Business & Self from Hacks

If you received an email from a random or trusted contact this week that said "do not open a Google Doc from me," you're not alone. The Google Docs phishing scheme is one of many examples of the embarrassment that both brands and individuals can suffer when security lapses. 

Nearly every channel a business is on - whether it's their social media profiles or company website - has the potential to be compromised. No company is too small or too large, and no employee too involved or too removed, to escape the attention of those with malicious intent trying to gain access.

Website Magazine caught up with Auth0 Chief Technology Officer and Co-Founder Matias Woloski, whose company provides single sign-on and token-based authentication. Woloski shares the top questions and answers around Web security today for Internet professionals and the companies that employ them - a must read in today's vulnerable Web environment.


What are the top technology and security related measures that a non-software business should take while trying to establish an online presence?

Matias Woloski, Auth0: When starting out, keep your technology stack as simple as you can get away with. Complexity leads to security and availability issues, and higher costs. Rely on proven solutions built by experts if possible. For example, don't run your own email server when Google and Microsoft offer great products that do the job.


Should small businesses be as concerned about security as big companies?

Woloski: Yes, no business is too small to be a target. Cyber criminals often go after small- and medium-sized companies. They tend to have enough money in the bank to be worth stealing from, but they usually lack the mature security program you would find at a larger enterprise. Adopting a security-aware mindset early on will help ingrain it into the company's culture as it grows.


What are the most common flaws that lead to data breaches?

Woloski: One of the most common attack vectors is to go through a third-party vendor who has access to the victim's network or data. These connections or accounts are easy to overlook, and they often require special configurations that might make them less secure. Another common weakness is poor authentication practices. This can be in the form of password reuse across systems, or the lack of multi-factor authentication. It's worth investing in a password and account management solution for everyone in an organization.


How can businesses improve their security stance with a limited budget?

Woloski: To stretch your security budget, invest in solutions that address the most common attack vectors. Since phishing is still incredibly common and effective, user education and strong account management tools are worthwhile investments. It also pays to build solutions that solve more than one problem. For example, having a robust data backup and recovery process will help with IT failures as well as ransomware attacks.


Does the use of social networks within the company increase the risk of employees unintentionally leaking confidential data?

Woloski: Yes, but it's largely unavoidable. Attempting to block social media usage from the office is not effective, especially given the proliferation of smartphones. Having clear policies and user awareness training are better investments.


What measures should businesses take while allowing employees to use their own devices (mobiles, tablets etc.) within the corporate network?

Woloski: Bring your own device (BYOD) is very common in modern businesses, but it's important to keep these devices segregated from production systems. For example, keep them on a guest Wi-Fi network without any intranet access. There are cases of Android malware that specifically infects mobile devices to gain access to internal corporate networks. You should also ensure that a mobile device management system is in place. Configure it to require software patches, screen lock, and device encryption. Don't allow "rooted" devices into your workplace network; it's impossible to guarantee their security.


How can artificial intelligence (AI) and user data help improve the security posture of a business?

Woloski: Artificial intelligence and machine learning are becoming an important part of how businesses can improve things, in terms of growth as well as security. AI applied on top of user data helps understand users better. With AI, businesses get better insight into behavioral patterns and trends, allowing them to detect anomalies and take preventive action before it's too late.
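The answer above describes using user data to spot behavioral anomalies. The following is an added example, not code from Auth0 or from this interview, showing the rule-based baseline a team would typically build before reaching for a machine-learning model: it learns each user's usual countries and devices from their own login history and flags a first login from a new country, a new device, and two logins from different countries closer together than plausible travel time. The login events are constructed sample data, and the six-hour travel window is an assumed threshold.

```python
from datetime import datetime, timedelta

# Constructed sample login events: (user, ISO timestamp, country, device_id).
# Not real data; the fourth and fifth "alice" events are the ones worth catching.
EVENTS = [
    ("alice", "2017-05-01T08:02:00", "US", "laptop-1"),
    ("alice", "2017-05-02T08:10:00", "US", "laptop-1"),
    ("alice", "2017-05-03T07:55:00", "US", "laptop-1"),
    ("alice", "2017-05-04T03:20:00", "RO", "unknown-7"),
    ("alice", "2017-05-04T08:00:00", "US", "laptop-1"),
    ("bob", "2017-05-01T09:00:00", "DE", "phone-2"),
    ("bob", "2017-05-02T09:05:00", "DE", "phone-2"),
    ("bob", "2017-05-02T09:30:00", "DE", "phone-2"),
]


def detect_anomalies(events, travel_window=timedelta(hours=6)):
    """Replay login events in time order and return (user, timestamp, reasons)
    for every event that deviates from that user's own history.

    The per-user profile is built from the events themselves, so the first
    login of a user never fires (there is nothing to compare against yet).
    travel_window is an assumed threshold: two logins from different
    countries closer together than this are treated as impossible travel.
    """
    profiles = {}  # user -> {"countries": set, "devices": set}
    last_login = {}  # user -> (datetime, country)
    findings = []

    # ISO-8601 timestamps sort correctly as strings.
    for user, ts, country, device in sorted(events, key=lambda e: e[1]):
        now = datetime.fromisoformat(ts)
        profile = profiles.setdefault(user, {"countries": set(), "devices": set()})
        reasons = []

        if profile["countries"] and country not in profile["countries"]:
            reasons.append(f"first login from {country}")
        if profile["devices"] and device not in profile["devices"]:
            reasons.append(f"new device {device}")
        if user in last_login:
            prev_time, prev_country = last_login[user]
            if prev_country != country and now - prev_time < travel_window:
                reasons.append(f"{prev_country}->{country} within {now - prev_time}")

        if reasons:
            findings.append((user, ts, reasons))

        # Update the baseline after scoring, so an anomalous event is still
        # learned from (a real deployment might hold it back until reviewed).
        profile["countries"].add(country)
        profile["devices"].add(device)
        last_login[user] = (now, country)

    return findings


if __name__ == "__main__":
    for user, ts, reasons in detect_anomalies(EVENTS):
        print(f"{ts} {user}: {', '.join(reasons)}")
```

Run as a script it prints the two suspicious "alice" logins and nothing for "bob". The design point is that each user is compared against their own baseline rather than a global rule, which is what keeps the false-positive rate tolerable; a statistical or ML model replaces the hand-written rules, but still needs the same per-user feature history as input.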


What are the security implications for a business that doesn't enforce strong password requirements on users?

Woloski: Weak passwords are easy to guess, and many people will reuse them on multiple systems, potentially leading to an even worse compromise. You will also fail to meet various compliance requirements if you don't have a strong password policy. Multi-factor authentication is a critical part of managing credentials. It helps reduce the effectiveness of phishing and the value of stolen passwords. A solution that is based on a FIDO U2F hardware token is the most secure option, but a solution that uses push notifications to mobile devices is more convenient and the second best choice.
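The answer above covers the two credential problems that a policy has to catch: passwords that are easy to guess and passwords reused across systems. The following is an added example, not code from Auth0 or from this interview, of how an application can enforce such a policy at the point where a user sets a password: it rejects short, common, or username-derived passwords, stores accepted passwords as salted PBKDF2 hashes, and checks a new password against the user's previous hashes so a password already used elsewhere in the same system cannot come back. The common-password list, the 12-character minimum and the iteration count are assumed values, and the list is a constructed stand-in for a real breached-password feed.

```python
import hashlib
import secrets
import unicodedata

# Constructed stand-in for a breached/common-password list; a real deployment
# would check against a much larger feed.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 12      # assumed policy value
MAX_LENGTH = 128     # bound the cost of hashing attacker-supplied input
ITERATIONS = 600_000 # assumed PBKDF2 work factor


def check_password(password, username=""):
    """Return the list of policy violations; an empty list means acceptable."""
    normalized = unicodedata.normalize("NFKC", password)
    lowered = normalized.lower()
    problems = []
    if len(normalized) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(normalized) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if len(set(lowered)) <= 3:
        problems.append("too few distinct characters")
    return problems


def hash_password(password, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256; the parameters travel with the hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return secrets.compare_digest(digest.hex(), digest_hex)


def is_reused(password, previous_hashes):
    """True if the candidate matches any of the user's earlier password hashes."""
    return any(verify_password(password, h) for h in previous_hashes)


def set_password(password, username, previous_hashes):
    """Apply the policy and return (ok, new_hash_or_problems)."""
    problems = check_password(password, username)
    if is_reused(password, previous_hashes):
        problems.append("matches a previously used password")
    if problems:
        return False, problems
    return True, hash_password(password)


if __name__ == "__main__":
    ok, result = set_password("password", "alice", [])
    print(ok, result)  # rejected: too short and on the common list
    ok, first_hash = set_password("correct horse battery staple", "alice", [])
    print(ok)  # accepted
    ok, result = set_password("correct horse battery staple", "alice", [first_hash])
    print(ok, result)  # rejected: reuse of the previous password
```

The reuse check only works because the previous hashes are salted and verifiable, which is also why the hash format carries its own parameters: the work factor can be raised later without invalidating existing records. Note that this catches reuse within one system only; the cross-system reuse the answer warns about is exactly what a second factor and a password manager are there to absorb.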


What security measures/processes should companies follow on a regular basis to ensure they are protected?

Woloski: Conduct regular table-top exercises to test your incident response process, and to help train your responders. Each drill will probably uncover blind spots or gaps, and those findings should be tracked until improvements are made. It also pays to hire an external security assessment expert to review your systems and applications on a quarterly basis. Use a different vendor every year or two for a fresh perspective.


What are the immediate steps to be taken when a company realizes that it has been breached?

Woloski: First, go back in time and ensure that you have a cyber security policy as well as a contract with a professional incident response firm. In the case of a major breach, you will be glad to have experts on hand during the response and cleanup effort. The typical organization will want to first "stop the bleeding" during a breach, and then worry about next steps. But it's a common mistake to think you've removed an attacker from your network when they have actually just changed tactics. If your organization doesn't have internal experts, it is best to leave this sort of work to a vendor who does.