Pratum Blog

Validating Vendors' Cybersecurity Practices

How much is too much? The biggest mistake many organizations make when reviewing their cybersecurity is spending too much money on things they don’t need. While technology tools can be valuable, cybersecurity should be focused on the business.

In cybersecurity, there are a lot of security options available to help protect your business. Trying to keep up with all the latest and greatest trends can be expensive, and often unnecessary. Instead, try to focus on what makes your business secure!

A good first step is to assess the make-up of cybersecurity.

Three Pillars of Cybersecurity:

  • Confidentiality – Keeping things safe and secure. Determine what’s on a need-to-know basis.
  • Integrity – Is the data you saved the same data you come back to? Have unauthorized changes been made that aren’t known or detected?
  • Availability – Is data available to those who need it, when they need it?

The three pillars help you determine which cybersecurity controls to put in place. What happens to your business if the system is offline, data is corrupted, or secrets are exposed? How you answer these questions will determine the next steps in your cybersecurity plan, and whether you need to spend money on more security.

Find the biggest risk to your business.

First, look at your business and ask what would happen if each of the three pillars were impacted. Find the area where you have the greatest likelihood of being attacked, and where the impact would be biggest. That’s where you need to begin addressing what is necessary to keep your business secure.

Defense in depth is a cybersecurity best practice. You should create a plan to deter, prevent, detect and respond to security incidents. Think of it this way: “Can I deter an attack? If not, can I prevent it? If I stop the problem at one level, a threat might still get through. If that happens, how do I detect the attack and then recover? Where could it go next, and how do I address it from there?”

You should think of your cybersecurity in layers. Each layer has different controls in place to address the threat potential at that point in the process. That means your process should be adapting over time to match any changes to your company. When your business grows or evolves, so should your cybersecurity plan.

What’s worth the investment?

Investing in cybersecurity is all about prioritizing your risk versus the cost. When you analyze security expenses for technology or process or personnel, you need to be able to show a return on that investment. If something is reducing your risk of being hacked, or gives you an edge over the competition, it’s probably worth the investment. If it’s not helping you earn or keep money, don’t waste resources on it. It’s all about perspective.

While you want to be critical of where your money is spent, you should be investing in your cybersecurity. One efficient use of money is investing in the people who work for you.

Teaching your employees how to handle situations like a phishing email or a suspicious person in the building will protect your security interests. Once people learn how to respond to threats and why cybersecurity is important, proper security processes and awareness will continue to protect your business.

Focus less on technology and more on business.

The goal of most businesses is to generate profits. If a process or technology does not provide or protect profit, it should not drive your business decisions. What you should strive for is decision-making based on business objectives; the technology will follow.

As your business evolves, so should your cybersecurity. Constantly evaluate what is happening in your business to decide what investments should be made. Don’t just throw money at one thing, expecting it to fix all your problems. Understanding what the problem is, how it should be handled, and who should be involved will help you decide if technology investments are needed.

Physical Security

Would a criminal be able to walk into your building and steal private information? You hope the answer is “no”, but there are only a few ways to test whether your business is actually secure. Pratum has a solution for that: it’s called Social Engineering.

Essentially, a business hires Pratum to test its physical security. In some cases, that means going to the business location and trying to enter the building or attempting to find sensitive information around the facility.

For each assignment there are two Pratum employees directly involved in the process. One does the physical entry work, while the other sets up the parameters with the client to establish boundaries and expectations. In this blog we are interviewing one person who helps set up these tests, Tony Schwarz, Information Security Consultant. We’ll also hear from someone with a lot of experience testing physical security, Tanner Klinge, Information Security Analyst.

What are some methods of physical social engineering?

Tanner: I typically do dumpster diving and facility access. I use tailgating, where I follow someone without their knowledge into the building without a keycard or code to get in myself. Other times I will use piggybacking, which is where someone lets me into the building by holding the door open for me because my “hands are full” or they are being polite. Sometimes I imitate a vendor or friend of an employee to get into the building. I do media drops, like flash drives left around the office or outside the building. I also check exterior doors to see if they’re locked.

When would a company need to use these services?

Tony: It’s all about their risk. If they have assets they need to protect, which most businesses do, they need to have those services done. They may see indicators that tell them that people are dumpster diving or trying to get in after hours, or see unexpected people going through the office. Having a third party come in and test the controls can show you what needs improvement. If you protect the money or personal information of customers, or if you have access to another location with sensitive data, you may need this.

Sometimes it’s due diligence. Sometimes it’s regulatory or compliance. Some auditors will request a social engineering report.

What sort of things have been uncovered in these tests?

Tanner: During dumpster diving outside offices I have found a lot: driver’s license numbers, social security numbers, addresses, full names, birthdays, and personal banking information such as bank account numbers, PIN numbers, and account totals.

I have found confidential or sensitive information from a business standpoint, like proprietary designs from a company. I’ve seen sales and finance information and HR documents.

There’s also been more personal stuff like child support documentation. Really all kinds of things!

How do you avoid being detected?

Tanner: There are times I will wear small disguises such as safety glasses or a fake badge that is visible. It depends on what I know about the company that I can use to blend in with the other employees. I’ve noticed people have a hard time engaging with others. People still don’t “see something, say something”. As long as I’m walking in with confidence people don’t question it. Most people do not like confrontation.

Are there safeguards in case you do get caught, to prove you’re there with permission?

Tanner: We’ve started talking to local law enforcement in the jurisdiction of the clients we serve. Then we notify police when and where we’ll be working. We will also carry ID and a statement of work (or contract with the company). Plus, we have a point of contact with the client, in case we need to reach someone to prove we are who we say we are.

What changes have employers made after our testing?

Tony: Some organizations will add or improve security controls related to the method Pratum used to get into the environment. After events like this, clients either upgrade controls or accept the risk. An example control could be another layer of security between a reception area and the main part of their business.

How often should this be done?

Tony: At least annually, or more frequently if you have lots of things that were discovered, and you want to validate that your new protocols are working. It comes back to the risk. If you have a big room of gold or nothing, where on that scale are you? The more you have to lose, the more you have to do to put controls in place.

What does the client receive after a test? What is on a social engineering report?

Tanner: The clients are given photos and a synopsis. The photos are taken when I’m at the facility. They are proof of how far I was able to get and what I had access to. The report, or synopsis, details where I went and who I talked to. I try to be very detailed and give a chronological report. I want the reader to feel like they were there with me, to fully understand the situation.

What is the best result from these tests?

Tanner: I would need to be stopped at the door and approached by an employee. Someone should stop me in the first few minutes. Validation is key.

For example, I was at a bank and claimed to be a maintenance worker doing some work for the facility manager. I told the clerk a different name than my own. I looked around and said I needed to get behind a counter. I had a fake work order in hand to look legitimate. They did ask for my ID, so I handed over my real driver’s license, with a different name than what I told them. They made a copy, gave it back to me, and I signed the sign-in sheet. No one checked to see that the driver’s license didn’t match what I told them. I was able to get behind the counter where the money safe was and had access to the network closet.

Tony: I would hope that management has more information on what choices they should make on how to run their business. At the end of the day it’s up to management to either accept the risk or spend money and time to make changes to reduce the risk. It really just depends on what they’re dealing with and the culture of that organization.

Final Notes from Tanner and Tony for Businesses:

1. Be familiar with your building.

2. Shred your trash.

3. If you see something, say something!

4. Respond quickly if you notice something unusual. Don’t wait for something to happen.

5. Test security controls on a regular schedule.

6. Make sure security measures, like cameras, are working.

7. Management should be training their employees on security protocol.

For more information on how you can test your organization’s physical security, reach out to a Pratum representative today to set up Social Engineering services.

Finding the best approach to security risks within your business.

Business is all about taking risk. Some risks will pay off, while others will come back to haunt you. Unfortunately, there’s no crystal ball to know which risks will be worth the potential danger.

The same can be said about cybersecurity.

Protecting your business from cyber-threats can be costly and time-consuming. There comes a point when a business goes too far to protect itself. Not every organization needs every security measure known to man. You have to determine what level of risk makes sense for your situation.

We’ve come up with some questions every business leader should ask themselves when determining what cybersecurity protection you need.

1. How Do I Determine Risk?

Every business has a certain level of risk they can tolerate before it threatens the future of the company. Determining risk is all about finding your unique tolerance level.

Look at the information your company is storing. Do you have client or employee personal information? Do you have intellectual property such as R&D, patents, etc.? Do you have access to your vendors’ critical information? Then, determine how that information is being protected.

Security professionals should be able to identify, document and explain the various security risks related to the use or storage of this information for you. However, you as the business leader should make the decisions about how much risk to take. Savvy leaders must consider all the risks, then sort through the noise to determine what really impacts business operations.

2. How Much Protection Is Appropriate?

Some risk is good! Risking investments to make money can earn you even more money. Taking on a new product no one else is trying could pay off with a new opportunity in an untapped market.

Knowing what level of protection your business needs is all about knowing your business well. If you pay for a lot of cutting-edge security technology your company does not need, you might be losing money your business could use to grow. Over-protection might be the downfall of your company.

Consider this: If you live in a brick home in a wet climate, you are far less likely to face the risk of fire damage than a wooden home in a dry climate. Buying a robust fire insurance policy for the home in the wet climate would be a waste of money. Not having enough coverage for the wooden home would be too risky. Each home should have a plan designed for its needs.

Cybersecurity should be approached in the same way. The level of risk you can handle is always going to be dependent on the situation your business is currently in.

3. Am I Following the Crowd?

Getting advice and guidance from colleagues is a great way to stay up to date with the latest technology trends and threats. Those resources can be invaluable. However, following the crowd too much is dangerous. “Best practices” are not always universal truths when it comes to cybersecurity.

Having the same cybersecurity protection as everyone else may sound safe, but it’s not going to be the perfect fit for your company. Keeping up with the specific needs of your organization is your responsibility. There should be constant communication and analysis of your cybersecurity operations.

At the end of the day, it’s up to each business leader to decide what makes sense for their own company's interests. Consultants and colleagues can give great advice and valuable wisdom, but the final say needs to come from company leadership.

4. Do I Need Any Cybersecurity Protection?

Yes, but it varies. While you may not need as much protection as your neighbor next door, you always need to have some safeguards in place to protect your business. The three pillars of information security are confidentiality, integrity and availability. While each of these is important to every business, the blend that works for you will be unique.

Cyberattacks happen every day, and they target all levels of organizations. No matter how big or small your operation is, there are hackers looking to gain access to the valuable information you possess.

Risk What You Can, Protect What You Must

You will never be able to eliminate all risk. It would be too costly, and you would never accomplish anything! People take risks every day. Driving to work or eating food could be potentially dangerous, but some risks are more necessary than others. Some need to be documented and calculated more carefully than others.

We all have a risk tolerance level, and so does your company. Tolerance levels will fluctuate with changes in the industry, new cyber threats, and evolving leadership. Recognize and understand these dynamics so you can stay ahead of the risks your business will face.
