Security Updates

As we all saw this weekend the cyber world is fragile, and vulnerable. As we have increased our reliance on technology we have also exponentially increased our risk and created an extremely vulnerable system. We have had multiple instances in the past 12 months alone where targeted attacks, or mistakes, have negatively impacted the ability for organizations to deliver their services for extended periods of time.

 

  • In October of 2016 the Dyn DNS service was hit by a targeted Distributed Denial of Service attack in which home devices (IoT) were compromised and used to launch a massive attack on the Dyn service. https://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/
  • In February Amazon Web Services, the largest web hosting provider in the world, had their entire east coast systems taken down by an employee's mistake: http://bgr.com/2017/02/28/internet-outage-amazon-web-services/
  • A series of security breaches is reported here, including companies such as Google, InterContinental Hotels Group, Dun and Bradstreet, Saks Fifth Avenue and many more. https://www.identityforce.com/blog/2017-data-breaches
  • The recent WannaCry ransomware attack from this past weekend, which focused on healthcare but quickly spread globally to all sorts of businesses and consumers. http://www.npr.org/sections/thetwo-way/2017/05/15/528451534/wannacry-ransomware-what-we-know-monday
  • The popular document signing technology DocuSign has been reporting a phishing scam that is pushing out malware to users who fall for it. https://blog.barkly.com/docusign-phishing-attack-emails-leaked-in-data-breach

 

The question consistently posed to our team is, "How can we be assured we are safe?"

The short answer is, "you just can't because nobody is safe."

You aren't guaranteed safety when driving, flying, walking down the street or doing virtually anything else, either. You can, however, take measures to reduce risk and create a higher degree of safety. Some of these include:

  1. Education, awareness, education, awareness. Educating yourself, your family and your business associates is the first and most crucial step. A large majority of security issues can be minimized by greater understanding and awareness on the part of us as individuals. That means not opening email messages that seem even slightly suspicious, and not clicking on links or opening files. If you didn't expect to get it, then be suspicious and double-check. Pay attention to well-known security outlets, such as our blog, Facebook and Twitter, as well as the one from the US-CERT, and sign up for their email alert system. We also suggest talking to us about some of the new educational and phishing email tools we are offering that will periodically test your employees and give them paths for education that you can track and monitor.
  2. Take Policy and Procedure work VERY seriously. In our experience most customers just want a fix, but they don't want to do the hard work required to develop their company's posture and policy regarding risk, security, business resumption and incident response, and all of the related policies that go along with this. It is, in fact, also more than just writing the policies - it is having buy-in at the shareholder and executive level, understanding their value to the organization and then embedding them in the culture in such a way that they pervade the organization. This has to be coordinated with IT as well, so that whoever it is (us, someone else or internal IT), the policies are integrated and both sides know the expectations. We do this work for a lot of clients, and we suggest everyone begin the process of redefining their IT policies and integrating them with their business practices.
  3. Take Security Defense Seriously. This is not something that can be overlooked, and it doesn't stop with a firewall and antivirus system. A multi-layered, defense-in-depth system has to be employed and continually evaluated, updated and layered upon to protect an organization. You are going to have to apply budget to these areas, or you will apply unexpected budget to dealing with the fallout when you are compromised. Security defense includes, but isn't limited to, the following:
    1. Intrusion Detection and Prevention Systems
    2. Ongoing Penetration and Vulnerability testing
    3. Corporate and Site Based Firewalls
    4. Cloud and host level anti-spam and anti-virus systems
    5. Cloud based internet filtering and device management
    6. Mobile Device Management solutions
    7. Backups and recovery solutions, options and plans, that are also tested (This is part of your security infrastructure)
    8. Security event logging and managed security services with a Security Operations Center
    9. File integrity monitoring systems
    10. Encryption and data loss prevention of email
    11. Encryption of devices including laptops, mobile phones, desktop computers and sensitive systems

We cannot put our heads in the sand as leaders and team members any longer. The stakes are too high and the "bad guys" are always working in the background to determine the next best way to exploit our systems. Be vigilant!
