When Sites Like Twitter Are Vulnerable to Cyber Attacks, Should We Just Give Up?
Last Friday huge sites like Twitter, Netflix and Spotify were unreachable for a while thanks to a massive cyber attack on Dyn, a DNS provider. (DNS is the service that turns a site’s name into the address your browser actually connects to, so when it is flooded with traffic the sites behind it look like they are down even though they are running.) According to an article in Fast Company, attackers were easily able to take over tens of thousands of home-based or small office devices that had poor security, such as factory-default passwords, and use those devices to mount the attack.
We all know cyber attacks are a risk, and that we should be doing more to protect the security of our own information and that of our customers. And yet…
Few Companies Are Protecting Their Data Well
In today’s episode of the Frank Reactions Podcast on Customer Experience I interview cyber security expert Saar Cohn. He’s worked for huge international organizations like L’Oréal and Israel’s Defense Department, but says his real love is startups and small companies that are struggling to figure out how to avoid cyber attacks. (In fact, he’s offered to answer questions, free of charge, for any small businesses that have a concern about how to handle cyber security. Just send him an e-mail.)
This interview is a bit of a roller coaster, filled with both scary moments and great advice about how businesses of any size should prepare for and handle cyber security breaches.
Here’s the first bit of bad news from Cohn:
“You need to acknowledge that you are going to be breached or that you’ve already been breached and don’t know about it.”
Yes, folks, a cyber attack is only a matter of time.
To cheer you up even more, he comments that
“It’s proven that passwords are useless.”
So, as tempting as it is to go bury our heads in the sand now, we don’t dare do that. Because if a breach is only a matter of time, what can we do to minimize the damage?
Tips for Preventing a Cyber Attack
Decide what is most critical to your operation.
What would kill your business if it went down? What would be almost impossible to recover from?
You can’t effectively protect everything, so focus on the mission-critical parts of what you do.
Don’t be overly pressured by the cyber security vendors.
They make their living by scaring the living daylights out of all of us. In fact, if you buy too much security software and hardware, you can end up lowering your security!
If every tool is screening everything and alerting on everything, there’s so much “noise” in the data that you either get paralyzed or you start turning the warning systems off to shut them up. Result? There’s no “noise” and you think everything’s OK, when it isn’t. An alert that fires a thousand times a day for nothing is an alert nobody reads the one time it matters.
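To make the noise problem concrete, here is an added example, written for this post and not code from Cohn or from any vendor, that runs two alert configurations over a constructed day of log lines. The log lines, rule names and severities are all assumptions made for the illustration: 998 routine blocked connections from internet scanners, one failed login, and one admin login from a location never seen before. The first configuration turns every blocked packet into an alert, so the one alert that matters is 1 in 1,000; the second keeps the blocked traffic as a single daily summary and leaves a queue a person can actually read.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one detection rule: a name, a severity, and a matcher.
type Rule struct {
	Name     string
	Severity string
	Match    func(line string) bool
}

// Alert records one rule firing on one log line.
type Alert struct {
	Rule, Severity, Line string
}

// sampleLogs is a constructed day of logs (not real data): 998 firewall
// denies of internet background scanning, one failed login, and one event
// that genuinely matters, an admin login from a never-seen location.
var sampleLogs = buildSampleLogs()

func buildSampleLogs() []string {
	var lines []string
	for i := 0; i < 998; i++ {
		lines = append(lines, fmt.Sprintf("fw: DENY tcp 203.0.113.%d:4444 -> 198.51.100.10:23", i%250))
	}
	lines = append(lines, "auth: LOGIN FAIL user=bob src=192.0.2.77")
	lines = append(lines, "auth: LOGIN OK user=admin src=198.51.100.250 geo=XX first_seen=true")
	return lines
}

// noisyRules is the "alert on everything" configuration that a pile of
// over-bought tooling tends to produce: every blocked packet becomes an alert.
var noisyRules = []Rule{
	{"firewall-deny", "low", func(l string) bool { return strings.Contains(l, "fw: DENY") }},
	{"login-failure", "medium", func(l string) bool { return strings.Contains(l, "LOGIN FAIL") }},
	{"admin-login-new-location", "high", func(l string) bool {
		return strings.Contains(l, "user=admin") && strings.Contains(l, "first_seen=true")
	}},
}

// tunedRules drops the per-packet firewall rule. Blocked traffic is still
// recorded (see summarizeDenies); it just is not something a human must read.
var tunedRules = noisyRules[1:]

// runRules applies every rule to every line and returns the alerts produced.
func runRules(rules []Rule, lines []string) []Alert {
	var alerts []Alert
	for _, l := range lines {
		for _, r := range rules {
			if r.Match(l) {
				alerts = append(alerts, Alert{r.Name, r.Severity, l})
			}
		}
	}
	return alerts
}

// highSeverityShare is the fraction of the queue that is actually worth acting on.
func highSeverityShare(alerts []Alert) float64 {
	if len(alerts) == 0 {
		return 0
	}
	high := 0
	for _, a := range alerts {
		if a.Severity == "high" {
			high++
		}
	}
	return float64(high) / float64(len(alerts))
}

// summarizeDenies rolls the blocked-connection lines into one daily figure
// (count and distinct source addresses) instead of one alert per line.
func summarizeDenies(lines []string) (count, sources int) {
	seen := map[string]bool{}
	for _, l := range lines {
		if !strings.HasPrefix(l, "fw: DENY") {
			continue
		}
		count++
		src := strings.Fields(l)[3] // e.g. "203.0.113.5:4444"
		seen[strings.Split(src, ":")[0]] = true
	}
	return count, len(seen)
}

func main() {
	for _, cfg := range []struct {
		name  string
		rules []Rule
	}{{"noisy", noisyRules}, {"tuned", tunedRules}} {
		alerts := runRules(cfg.rules, sampleLogs)
		fmt.Printf("%-5s config: %4d alerts, %.1f%% high severity\n",
			cfg.name, len(alerts), 100*highSeverityShare(alerts))
	}
	n, s := summarizeDenies(sampleLogs)
	fmt.Printf("firewall summary: %d blocked connections from %d sources (one line, not %d alerts)\n", n, s, n)
}
```

The tuned configuration does not throw information away; the blocked connections are still counted and the summary can be reviewed when someone has time. What changes is that the one high-severity alert is now half the queue instead of a thousandth of it.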
Train your staff on cyber safety.
It’s a lot easier to fool humans than machines. Most cyber attacks succeed because of human weaknesses: wanting to help a stranger on the phone who seems to know what they are talking about, being tempted to click on a link in an email when you really shouldn’t, or leaving a device on its default password, like “admin”.
Keep your software up-to-date.
As annoying as it is to keep updating, it is necessary. Once a software maker publishes a fix, criminals study it to work out which hole it closes and go after everyone who hasn’t installed it yet, so you must not fall behind. Of course, you also have to teach yourself and your staff how to tell a legitimate software update from one that’s just pretending to be. Real updates arrive through the software’s own update mechanism or the vendor’s own site, not through a pop-up on a random web page or an attachment in an e-mail, and vendors sign their updates so that the software you already have can check them before they are applied.
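The technical answer to “is this update real?” is that the vendor signs its updates and the software you already have checks the signature before installing. Here is an added example of that check, written for this post and not code from Cohn or from any real vendor, using Go’s standard Ed25519 library. The vendor, the attacker, the file contents and the key pairs are all constructed for the illustration. It shows the three outcomes that matter: a genuine update is accepted, the same file with one byte changed is rejected, and a file signed with a key the attacker generated for themselves is rejected because it is not the vendor’s key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Signer stands in for a software vendor's release process (constructed for
// this example): it holds a private key and publishes only the public half.
type Signer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newSigner() *Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Signer{Pub: pub, priv: priv}
}

// Sign produces the detached signature that is published next to the update.
func (s *Signer) Sign(update []byte) []byte {
	return ed25519.Sign(s.priv, update)
}

// verifyUpdate is the check that runs before an update is applied. The trusted
// public key must come from the software already installed (or from the vendor
// through a channel you checked earlier), never from the same download as the
// update; otherwise an attacker simply ships their own key with their own file.
func verifyUpdate(trustedPub ed25519.PublicKey, update, sig []byte) error {
	if len(trustedPub) != ed25519.PublicKeySize {
		return errors.New("malformed trusted key: refuse to verify")
	}
	if len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature: reject update")
	}
	if !ed25519.Verify(trustedPub, update, sig) {
		return errors.New("signature does not verify: reject update")
	}
	return nil
}

// demoResults exercises the three cases that matter and returns the verifier's
// verdict on each: a genuine update, the same update with one byte changed,
// and an update signed with a key the attacker generated themselves.
func demoResults() (genuine, tampered, impostor error) {
	vendor := newSigner()
	attacker := newSigner()

	// Constructed stand-in for an installer file, not a real package.
	update := []byte("acme-app-2.3.1-installer: constructed sample bytes")
	sig := vendor.Sign(update)

	genuine = verifyUpdate(vendor.Pub, update, sig)

	modified := append([]byte(nil), update...)
	modified[0] ^= 0x01 // any change to the file, however small, breaks the signature
	tampered = verifyUpdate(vendor.Pub, modified, sig)

	// The attacker can sign anything they like, just not with the vendor's key.
	impostor = verifyUpdate(vendor.Pub, update, attacker.Sign(update))
	return genuine, tampered, impostor
}

func verdict(err error) string {
	if err == nil {
		return "accepted"
	}
	return "rejected (" + err.Error() + ")"
}

func main() {
	genuine, tampered, impostor := demoResults()
	fmt.Println("genuine update:  ", verdict(genuine))
	fmt.Println("tampered update: ", verdict(tampered))
	fmt.Println("attacker-signed: ", verdict(impostor))
}
```

The last case is the one people get wrong: the check is only as good as where the trusted key came from. If the “update” also tells you which key to trust, the attacker controls both halves and the signature proves nothing.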
Use strong passwords.
Yes, I know Cohn said they are useless. But only in the sense that a determined criminal can get past them. Just as locking the door of your house makes you a less likely victim of a break-in, a strong password, meaning a long one that you don’t reuse anywhere else, will deter attackers looking for an easy hit. Reuse matters because a password stolen from one site gets tried on every other site the attacker can think of.
Be careful about what you put online, in email or in other electronic files.
As Cohn puts it,
What To Do If You Do Suffer a Cyber Attack
Have a plan in advance for how you’ll deal with it.
The same sort of crisis management we’ve discussed in other episodes applies here too. Key to a good response is being able to move quickly, and that’s hard to do if you haven’t planned.
It’s going to feel awful to have to tell your customers that their privacy has been breached. But stalling or trying to hide it will only make things worse. Far better to admit it quickly, apologize, and tell them how you plan to fix the problem.
Don’t punish your staff.
This may be the hardest one of all. But if people are afraid they’ll be punished, or even fired, they’ll do everything they can to hide their mistake. That means:
a) it will take you longer to discover, so more damage will have been done in the meantime,
b) they may do further damage while trying to cover their tracks, and
c) if they do manage to hide, the organization won’t learn from the mistakes that were made.
In the aviation industry they decided decades ago that they had to stop punishing staff for mistakes. In fact they even set up a system to encourage reporting of near-misses, so the whole industry could learn from them. As a result, accident rates went way down. The same effect has been shown in health care when it’s been tried.
So, cyber attacks are now a part of life. You’ve got to accept that reality, prepare for it, and know how to both minimize the risk and act swiftly if and when it does happen to your organization.
I mentioned in the podcast that I’m giving a talk on Wednesday, October 26, on
How to Beat The Competition Without Resorting To Rock Bottom Prices
The registration link is at: https://www.eventbrite.ca/e/speakeasy-gangster-networking-tickets-28233203271?aff=es2
I’d love to see you there!