A healthy dose of skepticism never hurt a security professional

"Don't click without validation" is one lesson that will do a security team a world of good.

In a 2014 article "How to Transition From Information Technology to Cyber Security", written by Sarah White at Monster, she said, "There aren’t any entry-level cyber security jobs, so you will have to work your way up by starting in IT and keeping a close eye on your career."

Two years later, there are 660 entry-level positions for which you can apply on LinkedIn. Proof positive that the industry is always changing, and it changes at a rapid pace. That's why it is so important to take the time to reflect not only on lessons you can learn within your own company but also the lessons you can learn from those who have been victims of attacks.

Ransomware has become so common that it is no longer something only those in IT or security know about; even lay folks in non-tech positions have heard of it. Why? Because of the victims of the many recent attacks. Criminals are going after hospitals and health care providers. They are hitting close to home.

Everyone, from the janitors to the board members, needs to be aware of the realistic threats that lurk behind the screen of any device. Security teams need to understand what happened to those who have been attacked in order to figure out how they can avoid being the next organization whose name hits the headlines.

Security expert Chris Doggett of Carbonite has provided some “lessons learned” for other hospitals and organizations in light of the recent attacks, and he shared a step-by-step guide for others who may be impacted by this type of attack. 

Criminals have been more successful with ransomware attacks, which means they can demand higher payouts to decrypt the files they have encrypted. Everyone needs to first recognize that they are a target.

Hollywood Presbyterian is an example of how the dollar amounts will go up. There is, however, a natural ceiling to those amounts. "The more expensive the payment, the more an organization is going to try to pursue other means to recover their data, but the middle ground is attractive for criminals. The fee is expensive for those they hit but not so expensive that organizations won't pay because the cost of downtime is too high, and it's cheaper to pay the ransom," Doggett said.

Organizations need to plan for alternative ways to deal with ransomware beyond paying the ransom. Most companies already have good security awareness programs, but everyone from the entry-level security professional all the way up the chain of command to the CISO must be actively engaged with the entire workforce, continuously providing the education that end users need.

A recent Carbonite survey revealed what keeps security professionals up at night:

  • Data loss is a business's greatest fear. 47% of respondents said a fear of losing data is one thing that keeps them awake at night. In the past year, nearly one quarter (22%) had suffered data loss, and nearly 50% of those recovered less than half of it.
  • There's a data recovery dichotomy. 88% of small businesses equate a disaster recovery plan to a data insurance policy, yet only 36% have a detailed disaster recovery plan in place and only 45% have a framework.
  • Their biggest security threats come from inside. 55% worry more about threats to data from employees than from outside forces such as hackers. Thirty-two percent have grappled with an internal IT security incident in the past year.
  • They care about compliance and privacy, but demands are complex. 63% have to meet some regulation, driven by HIPAA (38%), ISO (32%) and PCI (22%). 58% say that privacy concerns for people in IT are worse in the medical profession.
  • The cost of downtime is severe. The time between when data is lost and when it is recovered (downtime) can cost companies upwards of $250,000.

Doggett said that everyone, regardless of rank or status, needs to understand what the organization's security policies are. "If your organization says do not open attachments from unknown sources, you should know that," he said, whether you are an entry-level security engineer or a customer service technician.

You may receive a call or an email from someone claiming to be the IT help desk. Don't take it at face value. Doggett said, "Ask for proof. If somebody shows up at your facility and says they need to get into the data center, don't let them."

You have to be a little bit paranoid. "There is a healthy degree of skepticism in this industry," Doggett said, and that is one of the most important lessons that those new to security need to keep at the forefront of their daily focus. 

Copyright © 2016 IDG Communications, Inc.
