As we sit at home and practice social distancing, I can only look forward to a time when our everyday lives and businesses get back to normal. While this seems a long way off today, I’m confident that the industriousness, inventiveness and ingenuity of our private sector will lead us to overcome the challenges we are facing and set a tone for how such challenges can be tackled in the future.
Situations like these give you time to pause and think, a luxury that is in short supply in our normal fast-paced lives. Observing what is happening to our society and businesses in general, it’s clear that even those with the most detailed continuity and disaster plans may need to rethink their approach in light of the current pandemic. Three to four weeks into the current crisis and we find many businesses teetering on the brink of failure, in many instances being forced to take drastic action for their very survival.
While business continuity planning generally takes into account things like natural disasters, system availability, supply chains and security, it’s hard to plan for everything, and a pandemic has not likely been on the list of major concerns. That is likely to change, and pandemics will soon become a standard part of business continuity planning. As this happens, the economic impact of events like this should be minimized in the future.
The caveat to this, though, is that you are only as secure as the weakest link in your security chain. I would agree with this sentiment; however, in my experience, this hasn’t been a strong enough motivator for businesses to take serious action. Take security in the office equipment industry, for example. For years, industry veterans like myself marketed and touted the security capabilities both inherent in and available for office equipment technology. We spent a considerable amount of time, money and effort in this area. As MFP technology, in particular, became more integrated into critical business workflows and more sensitive information was processed and stored by such devices it was only a matter of time before such information was compromised. Did our efforts cause businesses to take action? Unfortunately not. Even for those businesses in regulated industries, where the penalties associated with breaches were significant, little action was taken. Why is that? Why is it that we seemingly need to get burned before taking the simple actions that can lessen our risk?
Maybe one positive to come from our current crisis will be a focus on prevention —although (and please don’t speak ill of me for being skeptical) I’ll believe it when I see it.
When I look at the landscape of business continuity planning today, and at security in particular, one thing still stands out: Our most widely used application in business is still our most vulnerable. As a result, the majority of businesses remain exposed to significant risk. What is this application you ask? It’s email, of course.
Electronic mail gained its foothold, like many technologies, in academia, as a means for communication between professors at different institutions. It wasn’t all that long before it was realized that electronic mail was a convenient and simple means of communication and with the widespread proliferation of networks, both WAN and LAN, email quickly became the “killer app.” Like most software, email capabilities were gradually expanded as users desired more advanced capabilities and it has reached a point today where it has expanded well beyond its intended function of basic communication. With the ability to attach content, email has ultimately become the tool most used by individuals for not only basic communication but for collaboration as well. Herein lies a major problem and email’s inherent security risk.
While email itself is generally a secure application, the introduction of attachments opened a huge security hole that has ultimately made email the most at-risk application in any organization. As such, viruses, malware, ransomware and other maladies are typically cloaked in email attachments awaiting an innocent user to double-click. How many of you have clicked that attachment claiming to be a past-due invoice? Guilty as charged. This hoax is a favorite of those with malicious intent. And while businesses get wise to these schemes and take action to thwart them, degenerates are becoming increasingly smarter in disguising their attacks — and are currently preying on a scared and vulnerable population looking for information on economic relief, health warnings and more.
As the largest threat vector for network, system and data security, businesses are certainly taking action to lessen the threat of email attacks. However, most of the software and tactics being used today still permit attachments to flow through email, leaving businesses highly vulnerable.
Are there solutions?
Like a virus, there is no foolproof cure; however, technology does exist that will, for example, automatically strip both inbound and outbound attachments and placing them in cloud content management systems, which makes it possible to prevent email attachments from infecting a user’s system. For companies relying on anti-virus software and whitelisting as a means of email protection, it is worth looking into more advanced technologies — after all, an ounce of prevention is worth a pound of cure, and creating stronger, more effective business continuity plans based on lessons learned will be key to surviving future disasters.