Is your current IT company doing enough? How will you know?
When it comes to computers, most businesses either have an internal IT person or someone they outsource the computer work to. This person is typically responsible for daily, weekly, and monthly tasks such as backups of the company data, setting up new computers, replacing printers, and fixing problems as they arise. This IT service is a critical part of your business, but is it enough? No.
Cybersecurity is its own discipline. While a cybersecurity person also deals with the computer systems, they are not focused on keeping things running. They are focused on whether systems are set up in a way that can be exploited.
Let us look at an example. Take the Adams & Baker law firm. They have 15 employees, 12 computers, 5 printers, a multi-purpose copier/scanner, and one server. Most of their files are stored on the server in the office. The office has Wi-Fi set up, and the username and password are available to all employees as well as to clients who come into the office. The IT specialist, a local IT company called “Compufix,” sets everything up and helps employees when they have problems. Since Adams & Baker pays Compufix hourly for time spent working on their systems, the most important things for Adams & Baker are that the computers work and that clients can access the Wi-Fi. Compufix does not specialize in cybersecurity, so they are happy to set up the computers in the way that is easiest to both operate and maintain. This might mean simple or easy passwords, unlocked PCs, unprotected backups, relying on antivirus software to keep the data safe, open permissions to all client documents, or even out-of-date software and operating systems.
This is a terrible scenario for Adams & Baker. They are getting what they pay for, but not everything they need. They need someone to come in and do a cybersecurity audit. Based on the findings, Adams & Baker may discover that not only are they likely to be attacked, they may have been attacked already.
At KidderSec, we work alongside your business to educate employees on risks like phishing and spam, we assess your systems to determine whether they are at risk, and we demonstrate how those vulnerabilities can be used by hackers to get the client data that you hold.
Back to our example: Adams & Baker decide not to pay Compufix to update their software on a monthly basis, and one of their administrative assistants opens an email allegedly from a known client. The email was a phishing attempt, and there is now malware on the computer. In minutes, the hackers have gained access to all of the computers and all of the data through vulnerabilities in the software that hasn’t been updated.
Adams comes in to work on Monday to find that his company data is being held for ransom by unknown attackers. They must either pay $350,000 to the hackers or lose the data that they have on all of their cases and their clients. Worse yet, they must now disclose this to all of their clients (who will lose faith in them to hold their data in the future), and they will likely lose any case they were working on. It could mean the end of the law firm financially.
Were they wrong for having Compufix? No. IT is a necessary service. But was IT alone, whether from a contractor or even a full-time employee of the company, enough? No.
Is your IT person or company doing enough? Contact KidderSec today to find out more about how we can protect you.