CEO and co-founder of Altair Data Resources, providing data and analytics marketing solutions with credit data and marketing technology.
Ransomware is the fastest-growing threat to businesses around the world, and the cost of hacking and phishing campaigns to companies of every size is becoming increasingly clear. It is estimated that ransomware victims are paying an average of $713,000 per incident. Ask yourself: What would the impact of that be to your agency or company?
As a data and analytics agency, we work with over 100 companies in the financial and healthcare sectors. In order to work with a client’s most valuable resource — their customer list — we must take great care to protect their data. We pass over 30 client and vendor security and compliance audits every year as well as facilitate our own independent audits.
There are some fundamental decisions agencies and marketers should consider that can greatly reduce their vulnerabilities, including:
1. Where are your customers located?
If you are not working outside of the United States, then consider blocking all international traffic. At the very least, block all traffic from high-risk areas including Ukraine, Russia, India and China. If you review your firewall traffic, you would be surprised at how many attacks and bots hit your site every day. Simply check with your IT professional and make sure your firewall and security package includes Geo IP blocking (most of them do these days). Then instruct them to block either all international traffic or just the highest-risk regions.
2. Implement two-factor authentication.
The rumor is that Colonial Pipeline had a security alert in 2017 and was advised to implement two-factor but determined it was too expensive. Instead, they ended up paying a $5 million ransom.
First, there are some very affordable options to implement two-factor authentication via email or mobile phones. Second, two-factor greatly decreases your exposure to hacking attacks. Areas to focus on are email, machine login, password managers, hosted websites and any cloud-based software. These are the areas where you are most vulnerable. Any login to these systems should require two-factor authentication to make sure your data is protected.
3. Categorize your servers and data.
Determine what data and servers are external (for customers and vendors) and internal (operations, billing, internal processes). Keep your operational and internal servers away from the external through your firewall setup. If you are using AWS (Amazon Web Services) or a similar cloud provider, it is easy to secure your internal versus external servers by using separate VPNs and firewall rules.
4. Perform annual external penetration testing.
Hire a company to do external penetration testing of your company environment. A good penetration test will include a phishing campaign, firewall testing, vulnerability scanning and ethical hacking. For $30,000 or so, you will have a hacker who will explore all of your IT systems and provide a thorough report of all of your potential weak areas. Most pen test companies (short for penetration testing) run similar software through automated tools to check for open ports and vulnerabilities.
It’s a good idea to alternate from year to year between testers, or at least request a different tester from your vendor, to give you multiple perspectives and potentially uncover new vulnerabilities. For external pen testing, you are actually hiring an ethical hacker to come into your network and do a thorough analysis of your entire system. This typically involves phishing attacks, password remediation and a very detailed report of all of your systems, including security grades for each of them.
5. Update your software.
Make sure your IT team is keeping all patches for operational software up to date. Some of the biggest issues are in large software providers (e.g., Microsoft, SolarWinds), and patches and updates are sent out when vulnerabilities are discovered. Also, make sure to read all notices from security providers such as McAfee and from your software providers to know when new discoveries are made.
6. Have a backup plan.
Have a rigorous backup strategy where your servers and data are backed up to a true disaster recovery cloud solution on a regular basis. The easiest solution for backups (not necessarily the most affordable) is to use your colocation provider or AWS to help you manage your backups and provide data security.
The U.S. government fell victim to hackers through their SolarWinds software. Colonial Pipeline is a large company with 2020 revenue of $1.32 billion, according to Dun & Bradstreet, that fell victim to hackers. There are hundreds of state and county governments that have been hacked as well. This is a real problem that we face.
According to research, nearly 75% of companies infected with ransomware are without access to their files for two or more days. And that’s only if they pay the ransom!
Imagine a worst-case scenario. What if you came into the office tomorrow and your servers were locked and you could not access any of your client data? What would you pay to get it back and unlock it? Or, would you rather implement the suggestions above and sleep well at night?
Forbes Agency Council is an invitation-only community for executives in successful public relations, media strategy, creative and advertising agencies.
Author: David Hadaway, Forbes Councils Member