How Technical Debt Opens the Door to Cyber Attacks—and Steps to Protect Your Small Business
The virus pandemic of 2020 is severely disrupting the economy and the large and small businesses that drive it. Poor practices such as ignoring safe distancing, insufficient sanitation, and not mandating mask-wearing open the door to infection of customers and staff and threaten the viability of a business.
Similarly, poor practices that allow a business to incur technical debt open the door to cybersecurity exploits that can bankrupt a business financially or through loss of trust and reputation in the eyes of its customers. Leaders of small and medium size businesses (SMBs) often think their size lets them operate under the radar, as less attractive targets to bad guys. But, actually, their lack of robust security strategy and resources make them easier to penetrate. And, sadly, the National Cyber Security Alliance (NCSA) reports that 60 percent of small companies are unable to sustain their business more than six months following a cyberattack.
Years of experience working and advising businesses domestically and internationally has shown that business leaders find it difficult to recognize tech debt and how it exposes cyber vulnerability. As technology has evolved over time from main frame to client server to the Internet and now the cloud, the impact of a new Tech Debt 2.0 has grown stealthier and more sinister. This is especially true for SMBs that lack the resources to apply to cybersecurity. CEOs and CFOs managing technology may not recognize tech debt building up in their SMBs—because it is not revealed in monthly variance reports or other accounting controls. Someone in their organization, without explicit or implicit authority or oversight, may be making decisions adding to the Tech Debt 2.0 load and increasing exposure to cyberattacks. Let’s look at how that might happen and how to prevent it.
Old and Obsolete Infrastructure:
Azeotrope, an aerospace firm in the Southeast, realized they were compromised when a number of clients complained of receiving invoices from Azeotrope that contained confidential information about their client’s orders and projects. Months of investigation by a cyber consulting firm finally determined the source of the vulnerability to Azotrope’s network: a combination printer/fax machine in their testing and QA area that engineers regularly used to fax lunch orders to a local Chinese restaurant. Because the device was connected to the company’s network for printing purposes, it provided network access using out-of-date insecure facsimile protocols. This gave the bad actors access to the company’s customer accounts and valuable data.
“Fax is an ancient technology; the protocols we use today haven’t been changed for the past 30 years,” notes Yaniv Balmas of Check Point Software, a leading provider of cyber threat intelligence. “Fax data is sent with no cryptographic protections; anyone who can tap a phone line can instantly intercept all data transmitted across it. Fax is always sent unauthenticated. There are absolutely no protections over fax.” Balmas advises: “If you can’t stop using fax, segregate the printers, put them on a separate network.”
The Tech-away: Identify and remove obsolete components from your network. Not just equipment with obvious vulnerabilities like fax, but all equipment no longer supported and updated by the manufacturer for cybersecurity risk.
A Stitch in Time . . .
Patches are often created after a software or hardware company has experienced a data breach or recognized a vulnerability that might allow one. The patch is issued to ensure other businesses’ data remains safe. Applying a patch as quickly as possible lessens the risk of your business becoming affected. But it is each business’s responsibility to know a patch has been issued and to apply it promptly. That is patch management—a relatively straightforward process, 10 or 20 years ago. Today, however, the vast proliferation of software and hardware components in our business environment have made patch management a complex, time- and resource- consuming necessity, critical to the cybersecurity of a business’s network. Failure to effectively manage patching is a main cause of accumulating excessive Tech Debt 2.0 and security penetration.
NETGEAR, a highly respected manufacturer of network equipment in data centers, offices, and the homes of hundreds of thousands of people working from home now, and, possibly, far into the future, recently sent an email alert to its customers. An excerpt is below. How would your CFO or CIO handle this?
We have become aware of vulnerabilities involving certain NETGEAR products and have issued a security advisory.
We have released hotfixes addressing some of the vulnerabilities for certain impacted models and continue to work on hotfixes for the remaining vulnerabilities and models, which we will release on a rolling basis as they become available. We strongly recommend that you download the latest firmware containing the hotfixes as instructed in the security advisory. We plan to release firmware updates that fix all vulnerabilities for all affected products that are within the security support period.
Until a hotfix or firmware fix is available for your product, we strongly recommend turning off Remote Management in your product. Please follow the steps below to turn off Remote Management immediately. . .
The Tech-away: Take steps to reduce the burden and complexity of patch management. Adopt software and hardware that automatically detect and apply patches. Look for opportunities to shed responsibility for patch management through outsourcing cybersecurity responsibility or utilizing cloud services that provide monitoring and patch management services. Tech Debt accrued through failure to manage patching effectively can fatally compromise your network and business.
People, Policies and Processes
Of greater consequence than obsolescence and patch management to Tech Debt 2.0 and cybersecurity are the people, policies, and processes that make up the culture and collective mindset of a business organization. Properly patched, up-to-date infrastructure is not going to stand in the way of the accounts payable clerk or chief marketing officer who clicks on the attachment to an email from some bad actor posing as a trusted vendor or prospective customer. Equally dangerous is the computer operator who props open the data center door to make it easier to allow the guy who says he’s the A/C maintenance engineer get in and out. Or the CEO who shares her password with her husband and children so they can access her mail and messaging accounts.
Establishing a data security mindset from the bottom to the very top of an organization is a basic essential to safeguarding a business from cyberattacks. Policies and processes must instill in all the company’s people an always-on awareness of their responsibility to protect the physical and digital assets of the enterprise. That mindset needs to be reinforced frequently and backed up by actions that demonstrate commitment and consequence behind company policies and processes.
The Tech-away: Formulate and clearly communicate policies and processes governing any actions that involve cybersecurity. Visibly demonstrate across the organization the commitment to security.
Make cybersecurity awareness a visible priority for every person in the organization.
About the Author
Michael C. Fillios is the founder and CEO of the IT Ally Institute, a nonprofit organization providing small and medium-sized businesses (SMBs) access to knowledge, research, and practical tools to improve their tech bottom line. A senior global business and technology executive with more than 25 years of experience in IT, finance, operations management, and change leadership, he lives in Mason, Ohio. His new book is Tech Debt 2.0™: How to Future Proof Your Small Business and Improve Your Tech Bottom Line. Learn more at www.itallyinstitute.org.