Right now, the people in charge of very important pieces of our national infrastructure are bearing an uncomfortable resemblance to a room full of preschoolers wandering around with sharp, pointy scissors.
The SolarWinds breach, disclosed at the end of 2020 and widely considered the largest software supply-chain compromise to date, is often blamed in part on an intern's incredibly simple and easily guessable password: "solarwinds123". Whether or not that password was the actual way in (SolarWinds has disputed that it was), the larger point stands: the attackers did not need to break down any doors. They sat inside the company's build environment, and then inside its customers' networks, for more than a year without anybody knowing they were there.
Meanwhile, the Colonial Pipeline ransomware incident, which abruptly stopped the flow of fuel through one of the country's most important arteries, didn't happen because the hackers got into the systems that actually control the pipeline. The attackers went after the company's business systems (the initial access was reportedly a leaked VPN password on an account with no multi-factor authentication), and because the company could not be confident the intrusion would stay on the business side of the house, it shut the pipeline down itself.
This raises the question: why on earth are traditional business technologies like email or sales tools reachable from the same network as operational technologies like valve controls, temperature sensors, and mixers? As someone who works in cybersecurity, I see no reason for those two worlds to co-mingle, particularly when business systems like email are just one wrong click away from being compromised.
These two companies, while particularly notable for their blunders, are hardly alone in their cavalier approach to security. A hack of a Florida water treatment facility earlier this year has been traced to achingly bad practices such as sharing a single remote-access password across all of the plant's computers.
In fact, walk into almost any municipal power, water, or sewage authority, and the observation that a 10-year-old using very unsophisticated, untrained techniques could likely paralyze half of the country's systems will probably be greeted with a shrug.
If you’ve detected a pattern here, it’s that, due to poor security practices, many of these companies are their own worst enemies.
Companies need to address their own failures to better protect themselves against attacks.
The weakest link in any network is its users. It doesn't matter how smart they are, how cybersecurity-aware they are, or how well-trained they are. People are still the weakest link and represent the biggest threat to the organization.
Imagine a busy manager rushing from meeting to meeting who gets an email saying “voicemail received” and quickly decides to click on it, unaware that it is a phishing attack trying to steal their login credentials. Work is often hectic and chaotic; these things can happen all too easily.
The only way to fully prevent “the weak link” from causing serious self-harm is to turn off the internet entirely and not allow people to use tools like email — but that’s not exactly a practical approach for the 21st century.
Instead, companies should focus on a few key areas to reduce their attack surface and limit the damage a single mistake can do.
For starters, operational technologies, such as the software that controls a fuel pipeline, and business systems, such as email or marketing software, should be segregated or "siloed." Any cross communication between the two should be limited to a short list of explicitly approved flows, and every one of those flows should be logged and monitored.
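What "siloed with a short list of approved flows" looks like on a boundary firewall, as an added example that is not from the article or from any of the companies it names: an nftables ruleset for a Linux host sitting between the business network, an industrial DMZ, and the control network. Interface names, addresses, the historian hosts and the database port are all assumptions chosen for illustration. The design point is that the control network only ever pushes data outward to a replica in the DMZ, the business side only ever reads from that replica, and any direct business-to-control traffic is logged and dropped rather than silently discarded.

```nftables
#!/usr/sbin/nft -f
# Illustrative IT/OT boundary policy (added example; interface names,
# addresses and ports are assumptions, not taken from the article).
#   it0  = business network   10.10.0.0/16  (reporting subnet 10.10.5.0/24)
#   dmz0 = industrial DMZ     10.20.0.0/24  (replica historian 10.20.0.10)
#   ot0  = control network    10.30.0.0/16  (site historian    10.30.1.10)
flush ruleset

table inet it_ot_boundary {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to already-approved flows; drop anything malformed.
        ct state established,related accept
        ct state invalid drop

        # OT pushes process data outward to the DMZ replica only.
        # The session is initiated from the control side, so nothing in the
        # DMZ or on the business side ever opens a connection into OT.
        iifname "ot0" oifname "dmz0" ip saddr 10.30.1.10 ip daddr 10.20.0.10 tcp dport 5432 ct state new log prefix "OT->DMZ allow " accept

        # The business reporting subnet reads the DMZ replica, never the OT historian.
        iifname "it0" oifname "dmz0" ip saddr 10.10.5.0/24 ip daddr 10.20.0.10 tcp dport 5432 ct state new log prefix "IT->DMZ allow " accept

        # Direct business<->control traffic is never legitimate: log it and
        # drop it, so the attempt shows up in the SIEM instead of vanishing.
        iifname "it0" oifname "ot0" log prefix "IT->OT DENIED " drop
        iifname "ot0" oifname "it0" log prefix "OT->IT DENIED " drop

        # Everything else falls to the chain policy (drop); log it as well.
        log prefix "boundary default-drop " drop
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`. The two `log ... accept` rules are deliberate: the approved flows are the ones an attacker would try to ride, so they deserve the same visibility as the denials. The replica database account used by the business side should be read-only, so that even a compromised reporting host cannot write anything that the control network will later pull back in.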
Virtual desktops, which let users work in several systems or desktops at once without commingling data, help build these silos and ensure that no traffic reaches the local network unless it has been explicitly authorized.
A single sign-on process backed by multi-factor authentication, which lets a person sign in once and reach several independent software systems such as Teams, Zoom, and Outlook, can dramatically reduce the chance of a successful breach: a phished password on its own is no longer enough to get in. The multi-factor part is what matters; single sign-on without it merely concentrates the risk in one password.
Also, in a world of "bring your own device," proper mobile device management can lessen the risk from smartphones and tablets, for instance by turning on controls that stop corporate documents from being printed or copied onto an employee's personal computer. Device-management best practice also means that only enrolled, allow-listed devices can reach the corporate infrastructure at all.
No more delaying
These are practical, straightforward recommendations. So, why aren’t more organizations following them?
Frankly, because it’s harder than it looks. If you’re starting from scratch, it’s easier to put these measures in place than if you have a lot of legacy IT investments to navigate. But even if you’re starting with a blank slate, you still need to make sure that everything is properly integrated, configured, and maintained.
There is no easy button here. Many companies will look at what’s required to beef up their security and file it under “we’ll tackle this another day.” Additionally, Americans tend to have a very short memory, which means that events like SolarWinds and Colonial Pipeline will soon be out of sight and out of mind.
But that would be exactly the wrong lesson to take from these events.
The companies in charge of our nation’s infrastructure have tripped and stumbled and gotten a few serious scares. Now is the time to take the most aggressive measures to protect their systems before there is a real catastrophe.
Michael Abboud is Founder and CEO of TetherView, a leading Private Cloud provider.