It can help to have trained eyes to spot the risks you might not have considered
Know thyself?
In my last report I focused on a 4-question tool to help you self-assess your organization’s vulnerabilities – because many vulnerabilities become evident if you look.
At the same time, Bryley has seen commonly overlooked areas with vulnerabilities that should be remedied. Three follow, drawn from Bryley’s experience, with details altered so that no real business can be identified.
And while enterprise-level breaches make the headlines, smaller organizations are also targets (received any phishing emails lately?): their resources are limited, and criminals expect to find weaker defenses. These cybersecurity threats can halt operations and wreck a reputation overnight.
Vulnerabilities like the following are gateways for criminals to steal important information, disrupt operations or hold your business hostage, so familiarizing yourself with them can help you avoid the common pitfalls that affect many businesses.
A hidden and close call
A construction-industry general contractor was working with a payroll company to handle the paperwork associated with its subcontractors. To file the forms the payroll company needs to have the subcontractors’ names, addresses, contact information, social security numbers and payment information.
During the end-of-year filing crunch, the payroll company hired a small bookkeeping company to lend a hand. This bookkeeping company was a one-person sole proprietorship. The general contractor’s records ended up on the bookkeeper’s computer. The bookkeeper clicked a phishing link but, realizing the mistake, immediately unplugged his computer. He called the payroll company, who then alerted the general contractor.
All the records turned out to be safe, but things could have gone much worse.
What could the contractor have done?
- Consider setting minimum security requirements for vendors that can be enforced through written agreements.
- Insist that vendors carry cyber liability insurance, and collect their current insurance certificates. Not only may this help directly in the event of a catastrophe, but awareness of and compliance with the insurer’s coverage requirements will press vendors to behave more responsibly.
- Perhaps all of the subcontractor data above was required, but keep restricting shared data to what is absolutely necessary. Similarly, have a plan for that shared data to be completely removed from every vendor and supply-chain device (including backups and data archives) once the project is completed.
Shooting paper
Changing passwords on a schedule is still generally considered an IT best practice.
Password rotation makes logical sense: if a password is compromised, there is a built-in time limit on how long the leak remains a problem. It stops making sense when people are allowed to change a single digit or otherwise make their passwords easy to guess.
If minor changes and easily guessed passwords are prohibited, people still write down the trickier-to-remember passwords (41% did so in 2023, per Statista). That can work fine if the written passwords are locked away. But sometimes people leave them on their desks, and a sticky note can be photographed by anyone with access to the physical space: disgruntled (perhaps laid-off or fired) employees, cleaning crews, painting or repair people, and so on. Once photographed, digital copies spread effortlessly. So:
- Put passwords away in a locked drawer
- Keep passwords in your wallet (like Bruce Schneier)
- Don’t write down hard-to-remember passwords; use a password manager
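The "change a single digit" problem above can be caught at change time. The following is an added example (not code from the original post or from Bryley): a similarity check a change-password handler could run, assuming it receives the current password alongside the new one, as change-password forms normally do. The substitution table and the `min_distance` threshold are assumptions, not a standard.

```python
import re
import unicodedata

# Substitutions people use to "change" a password without really changing it.
# This table is an assumption for the example, not an exhaustive list.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def _normalize(pw: str) -> str:
    """Reduce a password to its core: lower-case, drop digits/symbols tacked on the
    ends, undo leet-style substitutions. 'Summer2023!' and 'summ3r-2024' -> 'summer'."""
    core = unicodedata.normalize("NFKC", pw).lower()
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", core)
    return core.translate(LEET)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_change(old: str, new: str, min_distance: int = 4) -> bool:
    """True when `new` is only a minor rework of `old`, which defeats rotation."""
    if new == old:
        return True
    # Too few raw edits (Summer2023! -> Summer2024!): the single-digit case from the post.
    if _edit_distance(old, new) < min_distance:
        return True
    old_core, new_core = _normalize(old), _normalize(new)
    # Same core under a different coat of paint (Summer2023! -> summ3r-2024).
    if old_core and new_core and _edit_distance(old_core, new_core) < min_distance:
        return True
    # Old password wrapped in new padding (Winter22 -> MyWinter22now); ignore tiny cores.
    return len(old_core) >= 4 and (old_core in new_core or new_core in old_core)


def check_rotation(old: str, new: str) -> tuple[bool, str]:
    """Decision a change-password handler can act on: (accepted, reason)."""
    if is_trivial_change(old, new):
        return False, "new password is too similar to the current one"
    return True, "ok"
```

Pair a check like this with a password manager so that the rejected "minor change" is replaced by a generated password rather than by a sticky note.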
Thorough data governance
A manufacturer’s intern was given a data entry task. Without much thought, the intern was handed a laptop that had, for another project, been set up with admin access to the company’s financial management system. While trying to update a vendor payment, the intern accidentally clicked “delete all records” instead of “delete current record” and wiped out the accounts payable database. The data was recoverable, but correcting the mistake was time-consuming and expensive, and it caused delays.
Instead:
- Onboard the intern properly, so that everyone in the affected departments understands the intern’s responsibilities
- Provision company devices correctly, providing what the role needs in order to be performed
- Use the Principle of Least Privilege
Time is on my side
A common thread in these situations is urgency pushing better judgment aside. It makes sense to assess vulnerabilities before anything bad happens.
A partner like Bryley can help you think clearly about which vulnerabilities pose the greatest risk, and then help you address them so they don’t bite when things are especially stressful. This is how Bryley (a regional top-10 IT provider) has advised hundreds of New England clients since 1987 – call 978•562•6077 or email Bryley’s Roy Pacitto to discuss.