Network giant Cisco Systems released its 2014 Annual Security Report last week, which should make sobering reading for every business manager and owner. If you’re looking at a career change, the survey even suggests a possible new job.
Over two million of Cisco’s customers were examined in the survey and every single company had evidence of their systems being compromised in some way, from staff visiting suspicious websites to full-scale hacker break-ins.
Keeping up with change
The survey points out that IT security risks are evolving quickly as business technology becomes more complex and it’s hard for even industry professionals to keep up with the pace of change.
“Even the most sophisticated and well-funded security teams are struggling to keep on top of what’s happening,” the chief security officer of Cisco, John Stewart, told a media briefing yesterday.
That concern was reinforced by Stewart’s colleague Levi Gundert, technical lead at Cisco’s Threat Research Analysis and Communications (TRAC) group.
“It’s not about are you going to be compromised,” said Gundert. “The question is how long is it going to take for you to detect and shorten the remediation window?”
If even the world’s biggest corporations are struggling, what can smaller organisations do to control the risk?
The biggest computer security risk is Java software. Cisco found a shocking 91% of software exploits were related to the application, “2013 was the year of the Java exploit. It was a bad year for Java.” says Gundert.
It should also be noted that the first successful malware targeting Apple Macs, the Flashback Trojan, was a Java exploit.
The best way to deal with this risk is keep Java off your systems, the problem with that advice is many business applications – and games if you have a home office or kids use your computer – need the software to run.
If you have to use Java packages, make sure you have the latest version running on your systems.
Keep your systems up to date
It’s not just Java that is a risk; Cisco identified Adobe PDFs and Microsoft Office vulnerabilities as being other threats. It’s important that all systems – Mac, Windows or any other operating systems – are kept up to date with the latest patches.
Lock down office systems
Except when your computers are being updated, there’s no reason for office computers to be running in Administrator mode. Day to day use should be done in restricted user profiles.
On a Windows machine, workers should be logged on as standard users, while on Macs they should be managed users, the only time an Administrator needs to be logged on is when maintenance is being done.
Watch those mobiles
The IT security industry has been watching smartphones for a while and 2013 started seeing large-scale malware appearing on mobile devices, although it’s still small scale compared to PCs.
Cisco’s survey found only 1.2% of web-based malware coming from mobile devices with almost all the infections being on Android systems.
Most of these Android infections were game add-ons downloaded from unofficial Android app stores, so the message is to stick to the official, trusted services.
Another risky area for businesses identified by Cisco are websites being compromised and hijacked. The software on these needs to be updated to the latest versions just as office computers should be.
Often, disused websites and blogs aren’t updated, the ABC discovered last year that abandoned, neglected websites are a great way for hackers and malware distributors to launch attacks or spread problems.
So if you have older websites or blogs shut them down and redirect the domains to operating addresses.
For those operational websites, password security needs to be beefed up as Cisco found ‘brute force’ attacks – where automated systems try every conceivable password combinations – were up threefold in 2013.
Professional skills shortage
A big problem facing the IT industry is a worldwide skills shortage: “There are essentially a million jobs across the globe that can be filled but we don’t have trained people to fill them,” says Cisco’s Stewart. “We’ve got a dearth of talent and skills.”
For smaller businesses, that means it’s harder to find someone to fix problems when they happen, for both business managers and owners it’s smarter to reduce the likelihood of having a problem rather than scrambling to find an IT professional to help after the event.
The good news from Cisco’s survey is if you’re thinking of a career change, or you have a teenager moping around looking for a job, then IT security could be the answer.
For everyone else, as business and the world in general becomes more connected we have to start taking security more seriously.