This article was originally published in the first quarter, 2008 edition of The Agent Newsline, a publication of Westfield Insurance.

Despite the Hollywood stereotypes, most hackers are not technical geniuses using complicated and personalized attacks on your systems. Hackers use openly-available toolkits to look for and exploit known holes in the most common computer systems. They look for unpatched operating systems and old versions of software that are vulnerable to specific viruses and other malicious code. They don’t really know how the virus works but they know enough to send it toward your computer.

Of course, some hackers don’t use software at all. They use well-known tactics to try to con your staff into revealing confidential information or into giving them access that they can later abuse.

If you have some fairly simple defenses in place, the vast majority of hackers will go looking for easier prey. The challenge is finding (and fixing) these common holes. Few of us can do our day jobs and also keep up with the constantly-changing list of vulnerabilities, rapidly changing software versions or evolving tactics of the hackers.

In addition, more and more regulators (and customers) are expecting us to have our security periodically tested by someone from outside our own organization. Luckily, there is an entire “vulnerability testing” industry with experts who do stay current on all these issues and who can provide an independent assessment of your systems’ strengths and weaknesses.

Every company should have an independent assessment of its systems conducted at least annually and preferably more often. It validates that your normal IT operations are running properly, finds and closes the door on the more obscure vulnerabilities that you didn’t know about and, perhaps most importantly, shows that you have been doing everything reasonable to protect the confidential information entrusted to you. If you have independent audits of your security and act on the findings, you will be in a far better position to defend your company if the unthinkable happens.

There are many vulnerability or “penetration” testers out there, offering a wide range of services. Pick a vendor that decides what to test based on your specific risks and circumstances. Ask for samples of their final reports and make sure that they can communicate their recommendations clearly. The most thorough test in the world is worthless if the findings are buried under incomprehensible jargon. The best test for you is the one that you will use to improve your company’s security.
