If you’ve been anywhere near the internet or a newspaper in the past few days, you’ve no doubt already heard about the Twitter hack. Essentially, someone took control of the accounts of high-profile Twitter users and used them to push a thinly disguised Bitcoin scam.
Most of the discourse I’ve seen around this concerns the harm that could have resulted if the hackers had decided to try something that wasn’t a two-bit cash grab, and I won’t deny that there are some scary hypotheticals there, but I’d like to focus on one major point that should matter to business owners.
Here’s the thing: we know that the Twitter hack wasn’t pulled off by some shady group using brute force and other high-drama tactics. The Twitter hack only happened because the attackers got their hands on Twitter’s internal admin tools, the ones with “god-view” privileges, by going through employees who had access to them, and then used those tools to change the email addresses on high-profile accounts and take them over. No exotic exploit was needed; the privileged access already existed, and it was the weak point.
If you’re a business owner, this should scare you, or at least give you some food for thought. I’m not a fan of using scare tactics to convince people to care about their network and cybersecurity, but in this case, I won’t hold back.
Ask yourself: who has access to everything in my organization? Who can view or edit customer information, employee information, and all of my company’s files? Who has admin rights? Who could, in theory, take my entire company down with them if their position were terminated or they were offered the right sum of money?
The all too common answer is, essentially, everyone in the company. Maybe even people who no longer work at your organization.
We often talk about “hackers” and “cybercriminals” and imagine shadowy hoodie-clad figures typing away on a keyboard in an unlit room, but roughly a third of breaches (34% in recent industry breach reports) involve internal actors, and that’s not counting the poor souls who clicked on a ransomware email link.
Would you give every employee a key to a safe holding all of your assets? We don’t think of network access this way often, but the parallel is real. It’s time to take a look at who has the digital “keys to the kingdom” of your organization and lock down the unnecessary files, folders, and other areas that aren’t useful for day-to-day work, but pose a security risk.
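The questions above can be turned into a repeatable check rather than a gut feeling. The script below is an added example (it is not part of the original post and is not Facet’s audit tooling): it assumes you can export a list of who holds what rights on which resource as CSV with `principal,resource,rights` columns, which most file servers, directories and SaaS admin consoles can produce in some form. The export, the employee roster and the list of sensitive resources are constructed sample data. It flags three things: rights still held by people who no longer work for you, sensitive resources exposed to broad groups such as Everyone, and individuals holding elevated rights across several sensitive resources (the “keys to the kingdom”).

```python
"""Access review over an exported permissions list (added example, constructed data)."""
import csv
import io
from collections import defaultdict

# Constructed sample export. Real exports will be larger and messier, but the
# three columns are all the review needs.
SAMPLE_EXPORT = """principal,resource,rights
alice,share:Finance,FullControl
alice,share:HR,FullControl
alice,db:Customers,Admin
bob,share:Finance,Read
carol,share:HR,Modify
dave,share:Finance,FullControl
Everyone,share:Customers,Read
Domain Users,share:Public,Read
erin,app:Payroll,Admin
erin,share:Finance,Read
"""

# Constructed HR roster: dave left the company but still appears in the export.
ACTIVE_USERS = {"alice", "bob", "carol", "erin"}

# Constructed list of resources that hold customer, employee or financial data.
SENSITIVE = {"share:Finance", "share:HR", "db:Customers", "app:Payroll", "share:Customers"}

# Group principals that mean "more or less everybody"; names are assumptions.
BROAD_GROUPS = {"everyone", "domain users", "authenticated users"}

# Rights levels that amount to full control of a resource; names are assumptions.
ELEVATED = {"fullcontrol", "admin", "owner"}


def parse_export(text):
    """Parse the CSV export into a list of (principal, resource, rights) tuples."""
    reader = csv.DictReader(io.StringIO(text))
    return [(row["principal"].strip(), row["resource"].strip(), row["rights"].strip())
            for row in reader]


def review_access(grants, active_users, sensitive, broad_groups=BROAD_GROUPS,
                  elevated=ELEVATED, kingdom_threshold=2):
    """Return the findings a least-privilege review should surface.

    former_employee: grants held by a person who is not on the active roster.
    broad_exposure:  sensitive resources granted to a broad group.
    keys_to_kingdom: people with elevated rights on >= kingdom_threshold
                     sensitive resources, mapped to those resources.
    """
    active = {u.lower() for u in active_users}
    elevated_on = defaultdict(set)
    findings = {"former_employee": [], "broad_exposure": [], "keys_to_kingdom": {}}

    for principal, resource, rights in grants:
        who = principal.lower()
        is_group = who in broad_groups
        if is_group and resource in sensitive:
            findings["broad_exposure"].append((principal, resource, rights))
        if not is_group and who not in active:
            findings["former_employee"].append((principal, resource, rights))
        if not is_group and rights.lower() in elevated and resource in sensitive:
            elevated_on[principal].add(resource)

    for principal, resources in elevated_on.items():
        if len(resources) >= kingdom_threshold:
            findings["keys_to_kingdom"][principal] = sorted(resources)
    return findings


if __name__ == "__main__":
    report = review_access(parse_export(SAMPLE_EXPORT), ACTIVE_USERS, SENSITIVE)
    for category, items in report.items():
        print(f"== {category} ==")
        for item in (items.items() if isinstance(items, dict) else items):
            print("  ", item)
```

Run it on an export from your own environment and the three lists are the starting point for the cleanup: disable the former employees’ accounts first, then pull the broad-group grants off anything sensitive, then split or reduce the god-view accounts so that no single person has full control of everything.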
Our customers are nowhere near the size of Twitter, but their data is just as important. Twitter holds users’ names, email addresses, demographic information, and a general idea of users’ interests, but for the typical user it doesn’t hold the kind of information most businesses do: credit card numbers, bank routing information, and tax information. Would your customers want that left in an open file cabinet that any of your employees can access?
Regardless of what your organization does, it’s worth a look to see who can view sensitive information and data. You can’t leave this stuff up to your IT folks alone. If you’re a CEO or owner, you need to know where your vulnerabilities are and how to fix them.
We recently started offering a service called the Facet Security Plus Audit, a comprehensive deep-dive into your company’s cybersecurity position. Facet’s Senior Network Engineer, Matt Ghiglieri, developed it along with other team members to specifically address our clients’ needs and give them the information they need to make solid security decisions, including prioritizing areas of most concern. It’s a brand-new way of looking at cybersecurity and we’ve received great responses to it so far. This service is available to both current and new Facet clients.
If you have any questions, or would like more resources and information on the Security Plus Audit, fill out our contact form or give us a call at (309) 353-4727.