5 Things to Remember About Network Security
Last October, what was likely the largest distributed denial of service (DDoS) attack of all time took down much of the internet in America and Europe, including sites like Twitter, Netflix, and CNN.
The main target in that attack, Dyn, handles the vital domain name system structure of the internet. But DDoS attacks can hit anyone at any time. All businesses should be taking measures to protect themselves against this and other threats.
To get an expert’s take, we talked to Chris McDonald of Sprint’s Security Services team about the most important things businesses need to remember to keep their networks safe.
1. A $5/hour DDoS attack could cost your business millions.
A single distributed denial of service attack can be commissioned for just $5/hr. and cost a business as much as $2.5 million in losses.
In a DDoS attack, perpetrators flood a target with huge amounts of fake traffic, effectively making it unusable. The target could be an app, website, or even an exposed company intranet.
DDoS attacks have been levied against everyone from sites like Github.com to Olympic swimmer Michael Phelps to public school systems—they’re so inexpensive to initiate that there doesn’t need to be a great reason for one to happen to you.
Fortunately, protecting yourself against a DDoS isn’t expensive either. Every organization that’s connected to or relies on the internet simply needs some level of protection at the ready—such as Sprint’s IP Defender.
2. The biggest vulnerability is your people.
Today, much of network security revolves around educating people to the real threats that they face -- many of which involve social, rather than technical engineering.
The now-prevalent Business E-Mail Compromise (BEC) or “CEO” scam is a good example. Imagine you manage the accounts of various high-level executives at your company. One day, you get this email “from” one of them that says something about him or her needing you to “process a wire transfer” for them.
You wire the funds just as requested, but find out after it’s too late that the recipient never actually worked at your company—they simply hacked into the email account of someone who did.
A whopping $1.05 billion was lost to scams like this between 2013 and 2016, according to the FBI.
To keep incidents like this from happening, companies should institute safeguards around large financial transactions and provide better education about the types of risks they face, McDonald says. There is no way to fully insulate your business from danger, but you can train your staff to be vigilant and keep it from affecting your operations.
3. Multi-factor authentication is key.
In 2017, some form of multi-factor authentication is no longer optional or a nice-to-have. It’s mission-critical.
The most common form of MFA is probably phone-based verification. You enter a request, fill out your username and password, and then as a last step, you enter a PIN code that’s been sent to your phone.
Employees aren’t always thrilled about having to constantly use their phone to access their various user accounts. There’s a solution to that, too: you probably don’t always have to have MFA enabled. If you’re not a bank or hospital or other holder of sensitive information, you can be flexible with where you enable MFA.
For example, you could only enable it for logins from unfamiliar locations, a great method for preventing the CEO scam shown above, or for other unusual patterns of behavior.
All real security is about compromise—finding a happy medium between safety and mobility, McDonald says.
4. No, you’re not safe because you use Apple products.
“But Apples don’t get hacked!” This is a common, but very flawed line of thinking, McDonald advises. Apple just doesn’t own that much of the tech market. If you’re a hacker, and you’re going to risk writing malware, you’re going to target the platforms that have wider reach.
But just last month, McAfee Labs reported that the number of Mac computers infected during the first quarter of this year was the highest it had ever been—by a significant margin.
You should not assume that just because you’re an Apple shop, you’re safe. That doesn’t mean you need to expect disaster. It just means you should plan for it.
5. You shouldn’t go it alone.
The biggest problem with trying to understand network security is that it’s always changing. The cat and mouse game between security professionals and hackers has been going on for decades, and it will continue as long as there’s profit to be made in stealing information and compromising security.
That’s why the best solution is to offload the work of thinking it through to someone else. “You can waste a huge volume of resources chasing the impossible dream of 100 percent cybersecurity protection,” as general manager of Sprint's IoT Business Unit Mohamad Nasser wrote.
Instead, focus your attention on getting the basics right, McDonald says. Make sure your team knows about the kinds of threats you face. Make sure they know how to set good passwords. Make sure they know why multi-factor authentication is important. Then get yourself a security-as-a-service platform to take care of the rest and get back to focusing on running your business.