04 Aug The Penetration Test: Trust but verify
While you may have procedures for protecting your computers, actual practices may not be the same. You can trust people all you want but, when it involves critical data, you should verify with a penetration test that policies are being followed. Why all the fuss? Here’s an example.
Imagine that someone in your business or at home clicks a link in an email that installs malware which encrypts all your files and demands a ransom for the key. Think about losing access to your financial spreadsheets, human resources databases or customer contact information until you pay off some criminal. Once this sort of malware has encrypted your files with a properly implemented cipher, there is no practical way to recover them without the attacker's key, however skilled your security staff are; the realistic recovery path is an offline backup the malware could not reach.
Also known as "ransomware", these programs may include a timer that destroys the decryption key, rendering your files permanently unrecoverable, if the ransom is not paid by the stated deadline. If payment is not made, you can kiss that data goodbye. Extortion cases described on the internet suggest ransom demands often are in the range of $300, but even if you pay there is no guarantee the criminals will provide the decryption key to unlock your files.
Though such ransom demands may seem "affordable", the associated costs can be financially crippling, particularly if you do not have the proper insurance coverage. A cyber insurance policy can pay for investigation costs, public relations services, data restoration and the cost of legally required notifications.
A penetration or "pen" test is more than simply testing your company procedures. It is a methodical attempt to exploit vulnerabilities in operating systems, applications, security software and the other safeguards designed to thwart unauthorized access to company or personal files. It is carried out with your written authorization and under agreed rules of engagement, so that the weaknesses it finds can be fixed before a real attacker uses them.
Some pen test vendors, where the engagement allows it, will also attempt "unauthorized" physical entry to a client's place of business. One such team hid in a restroom, then emerged long enough to find PC passwords written down at employees' desks as well as sensitive files left unsecured in executive offices.
If your files are the key to your business, being tested is worth the expense. Being hijacked or compromised is disruptive, and particularly costly if you are not properly insured.
- Leadership of the organization will have to be involved, which distracts from managing your business.
- Service or production staff may be idled if their work relies on information that has been locked up.
- Internal IT staff and outside vendors will have to be brought in to assess the source and extent of the breach.
- If there is reasonable evidence that third-party information has been accessed, there may also be legal requirements to notify those potentially affected.
- Your reputation and customer loyalty can suffer if your information is exploited.
- You may face fines under any compliance laws that apply to you.
Another consideration is whether or not to inform the authorities. Certainly you will have to report the incident if required by law. However, you may also lose access to your computer hardware for a time if it is seized as evidence in an investigation. If you can, disconnect affected machines from the network rather than wiping them, so that the evidence survives for whoever investigates. The best first step if your system has been compromised is to contact your lawyer, so that you stay compliant while still able to conduct business.
A "pen" test will not prevent a breach by itself, but it shows you where one would succeed. Pair it with training: drill your co-workers to be suspicious of oddities in email and never to open a link if there is the slightest possibility it is questionable. Everyone also ought to be alert to programs that don't work as they should, files that can't be opened and unusual slowness on the network, and to report such anomalies immediately. Some malware can remain undiscovered for days or weeks, doing damage before it is identified.
Other points of entry are smartphones and tablets. Think about what these contain.
- Contact lists
- Shortcuts and apps that lead to business and personal information
- Social media sites
Owners of phones and tablets ought to do at least two basics.
- Set an access code that locks the device when it is not in use.
- Enable the remote lock and remote wipe feature, so that a lost or stolen device can be locked and its data erased from afar.
Check your owner’s manual or search online for “Find My Phone” directions, hints and tips about the specific device you wish to protect.
The more we rely on electronics, the more we have to take appropriate measures to protect our information. Start with the bromide "I wouldn't be paranoid if they weren't out to get me." Then take the steps necessary to verify that what you say is the same as what is done. Finally, call your insurance agent about cyber insurance coverage. Don't wait to be exploited.