Security rule No. 1: Assume you're hacked

Accept that your company's IT systems have been compromised -- then get to work defending them

A recent Forbes magazine article advised readers to assume that their companies have been hacked. Some readers have asked me to weigh in, and here's my assessment: The article is slightly hyperbolic, but all in all, it's a pretty accurate assessment. Most companies are actively hacked, and their sensitive data is being stolen and leaked to outsiders.

Many readers might find such statements inaccurate and unsupported, and they may wonder where the documented evidence is to back up these gross claims. True, there is no survey data to prove the conclusion. Surveys and interviews can only measure known hacking incidents; it's hard to measure the known unknowns. But in this case, there is strong anecdotal evidence.

I'm not certain precisely when it happened, but during the past two or three years, I found that all the companies I worked with were being hacked. It's more than my own personal experience. Ask any computer security consultant who works in the field across a large number of clients and they will tell you the same thing: "Yes, every company is hacked!"

Now, the level of hacking may differ among the different-size companies. Every company is hacked in the sense that they probably have one or more computers that have a remotely controllable Trojan/bot/zombie malware program installed. If the company is of sufficient size or in an industry with extremely valuable data (for example, one that competes against foreign companies, law firms, or the defense industry), it's likely a malicious hacker has installed various backdoor programs and has sent volumes of sensitive data to other locations. In the large companies I visit, the hackers set up programs that automatically look for new files and directories and send only the changed information to the remote site. Little do those companies know that they have a free offsite backup service.

Every company I've dealt with has had dozens of big security vulnerabilities. The IT employees that I interview admit that their company's defenses are unevenly applied and that they know of many more major security holes that I haven't found in my limited review. Rarely are these security issues new; most are several years old and well known by IT management.

There's a chance that your company is not hacked, but in today's uber-active crimeware environment, it's unlikely. If you aren't hacked, you're either extremely good (with full management support and resources) or lucky.

So how should that change your behavior and tactics? First, as strange as it sounds, it's probably not a bad thing to communicate to IT senior management, if you haven't already done so. If they react in a bad way, pull out this column (or the Forbes story), and list all the major security issues that have remained unfixed for years in the company.
