The 20 | Security Archives | Page 2 of 4

Small business owners face an important question when it comes to IT support: should I hire an in-house IT employee or work with a vendor?

We recently looked at reasons why companies should outsource their IT. Check out this infographic to break it down further.

IT Support questions to ask when deciding between Full-Time Employee and Managed IT Department (MID)

• What is the cost for one full-time employee vs. going with a Managed IT Department?

• What do you get for what you’re paying? What is additional?

• What are the advantages and challenges of both sides?

• What’s the best choice for your business?

Want to learn more about the advantages of a Managed IT Department? Contact us today!

5 Reasons Why Your Company Should Outsource IT Support

Companies commonly outsource its accounting and bookkeeping duties, customer service, and HR management… so why should technical support be any different?

It shouldn’t.

Outsourcing provides a lot of benefits, especially to small businesses with limited resources. Plus, good IT support teams are especially hard for companies to build and maintain.

Here are 5 reasons as to why outsourcing is a good business move:

1. Reduces Costs

Reducing labor and equipment costs is one of the major reasons why companies outsource IT support. Employing a company to do the work for you is cheaper than hiring a whole IT staff. The employees’ initial training to get them onboarded, plus the regular training to ensure their knowledge is up-to-date, add to the cost as well.

Buying all the equipment you need for a functional IT department and maintaining the system also costs a lot of money. Removing these factors and paying a fixed cost contract will help you manage your annual operating costs more easily.

And If your operating cost is high, you will likely pass it on to customers by raising your product prices. This makes you lose your competitive edge.

2. Provides Support 24/7

If your business is one that needs to be open to customer calls 24 hours a day, that’s one of the reasons to outsource IT support. Instead of getting another IT staff, which will only cost you more, solely for answering calls outside of your normal working hours, outsourcing to a company will guarantee that someone is always available to help your customers.

A 24/7 team will also allow you to recognize flaws and bugs even before they affect your infrastructure and business.

3. Adjusts According to Demand

When the demand suddenly increases, and more calls start coming in, what do you do if you have a permanent staff?

Hiring temporary employees poses a lot of issues. You don’t know when the demand decreases, which will force you to terminate them immediately. You’re also not sure of the technical skills and personality if you’re in a rush to get someone onboarded.

Meanwhile, an IT company can easily scale up or down depending on your needs because of their access to vast resources.

4. Gives Access to Cutting-Edge Technologies and Industry Experts

Security of your data and your customers’ data is paramount. That’s why Facebook is in a lot of heat nowadays — its platform is vulnerable to third-party entities mishandling the users’ data. Even large companies are susceptible to attacks, with hackers successfully gaining access to JP Morgan’s 76 million households plus 7 million small businesses in 2014.

To keep your data safe and secure, however, you must have the newest technologies and the knowledge of industry experts. You and your staff must be up-to-date with the industry standards, which might be hard to do if you’re a small-time player.

Outsourcing solves this problem. It’s their job to get cutting-edge technologies and train their employees regularly so you don’t have to do it. Getting access to these will also ensure that your systems are working smoothly.

5. Allows You to Focus on Your Business

When you no longer have to worry about the security and integrity of your system, it allows you to focus on what you need to do in order to grow your business. Your employees, without network interruptions and possibly the added IT responsibilities, will also be able to perform with their best for the company.

You can focus on improving your products and services while the outsourced IT team deals with the technical issues so you and your staff can keep on working without worry.

Yep, sorry, everyone… this is a real problem. In fact, it’s a HUGE problem. Your company’s vulnerability, in large part, comes from your employees. And with a little know-how and finesse from the bad guy, here’s a few ways this happens AND a few ways your employees can be active participants in stopping them.

1. Carelessly opening email

Employees often spend the day checking their email — and hackers know it. This makes email a prime entry point for cyber criminals. Employees MUST approach their email with care so they can identify signs of an attack and mitigate the risk.

Common signs of an attack include fake/forged email addresses ([email protected]), unprofessional subject lines, bad grammar/typos, and creating a sense of urgency to respond with personal information.

Employees should be able to identify a potential threat, and report to IT. They shouldn’t click on links (including unsubscribe), submit information, open attachments, or respond to such an email.

2. Giving password over the phone/leaking passwords

How would your employees respond to this call? “Hi, this is Sam, from IT. We noticed your certificate is about to expire, so I need your password to reset.”

Well, hopefully they’d know that IT would never ask you for a password, or other sensitive information like a social security number, address, or common password reset questions/answers.

Another big one is writing passwords on a notepad, or taping it to the computer. I wrote about this a couple of weeks ago. Not a good idea.

3. Losing mobile phone

It’s easy to lose a device with sensitive information. it’s actually not a matter of if, it’s a matter of when.

So, the question then is, how do we mitigate the loss of information? The 2 most important steps for you to take are 1) requiring that phones automatically lock and require a password to access and 2) making sure you have the ability to remotely wipe a device.

The employee plays an important role here, too. Should this happen, they need to be aware of the risks involved, and report immediately, even late on a Friday night. This allows your IT team to quickly wipe the device and prevent information loss.

Pro tip: Make sure employees know who to contact (direct manager, IT, etc) and let them know they will never be punished for losing a device and reporting it immediately. They could, however, be at risk if they try to hide it.

4. Weak passwords

Employees (and well, everyone) typically use the same password for their social sites, bank login, and work password.

Is that bad? Yes!

If one is compromised, then the list of password possibilities for everything in your life significantly dwindles.

You should have a company policy that requires employees to use an unrelated password for all company logins and enforce that these passwords are updated regularly.

5. Improper disposal

Proper disposal of information is often overlooked.

Let’s say an employee is cleaning their desk, and the primary culprit appears to be the large stack of papers, mail, envelopes, sticky notes, and other junk that’s piled up since the last time they cleaned. Well, they haven’t needed anything in the stack for 6 months, so it’s safe to say they won’t need it in the next 6, right? Everything is pushed in the trash.

But wait — what all was in that stack? Maybe a flash drive? Maybe a flash drive with sensitive customer data, confidential company information, passwords…?

Work with your IT team to develop an information disposal policy. This should include wiping all read/writable media like hard drives and flash drives. CDs and DVDs should be shredded. Paper should be shredded or placed in a special bin in which your IT team can properly dispose of them.

So, who should be held responsible when a company’s data system gets breached? Historically, the CIO, the CISO, or both have shouldered the lion’s share of data breach responsibility; well over half of security decision-makers expect to lose their jobs if a hack happens at their organizations. However, breaches don’t happen in vacuums, and CIOs and CISOs don’t operate in them, either. Many CIOs report directly to the CEO, and some security experts feel that CISOs should be elevated to the same reporting level.

Whatever an organization’s reporting structure, the bottom line is the same: the responsibility for everything that happens within the organization, positive or negative, ultimately falls on the CEO and the board of directors. This includes data breach responsibility. This has been reflected in the numerous CEO firings (or resignations) that have followed bad breaches over the past few years, including those at Target, Sony Pictures, and the Democratic National Committee.

Apparently, Yahoo didn’t get the memo about this a couple of years ago. After years of poor cybersecurity practices caught up with them, resulting in multiple breaches affecting over a billion user accounts, putting its acquisition by Verizon into question, and making the Yahoo brand name synonymous with the phrase “data breach,” the company decided to fire its General Counsel, Ron Bell. Shockingly, CEO Marissa Mayer remained in place, albeit with a pay cut (she then went on to leave Yahoo after the Verizon acquisition, however, but it was of her own choosing).

In Yahoo’s case, the CISO and the rest of the security staff couldn’t be fired. Fearing that a major security incident would eventually happen, they’d already run for the hills. The New York Times reported that former CISO Alex Stamos and his team had spent years warning Mayer of potential security issues, but Mayer insisted on putting “the user experience” ahead of cybersecurity and even cut the team’s budget.

Preventing Breaches Is Everyone’s Responsibility

Cybersecurity isn’t just an IT issue. It impacts every individual and department in an organization — from the board of directors all the way down to minimum-wage clerical and retail employees. The overwhelming majority of data breaches originate inside an organization, either because a negligent or untrained employee makes a mistake or a malicious insider decides to strike back against the company. No cybersecurity policy is complete unless it addresses the human factor behind data breaches by promoting a culture of cybersecurity awareness. This culture must start at the top of the organization; if the board, the CEO, and the rest of the C-suite do not take security seriously, front-line employees certainly won’t.

Yahoo’s firing of Ron Bell certainly shook up the legal community and caused much debate over where data breach responsibility ultimately lies. While this may have served to light a fire under organizations with questionable cybersecurity practices, the focus should not have been on whose heads would roll if a breach happened; it should have been on implementing proactive cybersecurity and compliance measures to prevent hacks from happening in the first place.

As for Yahoo, they settled in September a worldwide class-action lawsuit that alleged security issues dating back as far as 2003. Yahoo’s attorney and lead plaintiffs’ counsel told the U.S. District Judge in federal court that both sides had reached an “agreement in principle” — $47 million to be exact.

Is Your Computer Secretly Mining Cryptocurrency?

Mining cryptocurrency used to require thousands of dollars worth of equipment to see any kind of meaningful return, but not anymore. Newer digital currencies like Monero, ByteCoin, and AEON have given would-be miners the ability to mine tokens right from their laptops. This might benefit small-time miners that want to get involved in the sector, but for every good thing online there are always people that figure out a way to use it for bad.

Hackers have begun using these tools to infect computers and websites to secretly mine cryptocurrencies. This emerging type of malware attack has been dubbed as “cryptojacking,” and it could cause your computer to overheat and crash. Luckily, spotting these hidden miners isn’t all that difficult.

Cryptojacking essentially hijacks your computer’s CPU power to mine. This means when you’re browsing the web, the malware is running in the background completely unbeknownst to you. There are a few types of this malware, and some run only when you visit a certain website and others can be maliciously installed on your computer. The best way to prevent this is by using antivirus software and adblockers.

If you’ve already been hit with this kind of malware, you’ll notice either your computer acting sluggish, getting warmer than usual, or its fan constantly spinning. If you aren’t running any kind of demanding software, like video games or video editing programs, this should be the first hint that your computer is working overtime.

If you’ve noticed your laptop acting up, it’s time to go check on what’s going on under the hood. Mac users can view a detailed breakdown of everything their computer is running by searching “Activity Monitor” and using the magnifying glass icon at the top-right of the screen. Windows users can simply hold down the Ctrl-Alt-Del keys to bring up “Task Manager.”

Both of these menus will display a graph of how much of your computer’s processing power is being used. Any massive spikes should be red flags. You’ll also see an ordered list of the programs using the most processing power at the moment. Before ending any of these programs be sure to research what they are, as you could be ending a crucial part of your operating system.

Both Tesla and the Los Angeles Times have had their sites infected by cryptojacking software. Companies with popular websites are the most at risk, as hackers can embed code onto their servers and use the CPU power of everyone who visits the site. But making it a habit to check on how your computer is running will ensure your device isn’t getting used to make someone else a crypto fortune.

If you’re concerned this is happening to you or your company, please contact us today.

We’ve all heard that in order to protect our information and online accounts we need to create complex passwords with uppercase and lowercase letters, numbers, and special characters, right? Following such advice, does, in theory, produce passwords that are difficult to be hacked. Reality, however, tells us that while complex passwords provide better security, they also create new kinds of risks.

First, due to the limitations of human memory, complex passwords are more likely to be written down than familiar, easily-remembered passwords. This means that utilizing complex passwords increases the risk of passwords being exposed through insecure storage. People who don’t write down their passwords risk forgetting a complex password and having to go through a frustrating process of resetting it.

Storing complex passwords in a smartphone app is not an ironclad solution either. Password storage apps place numerous pieces of sensitive information in one place, and as a result, must be properly secured. Properly protecting the app and the data that it stores can make looking up a password an infuriating process involving entering long, complex passwords and waiting for various decryption functions to run. Of course, if such an app — or the phone itself — were ever infected with malware, the impact could be devastating.

In addition to the risks created by memory limitations, there is a major concern about how strong the complex passwords truly are, and how well they stand up to hacking tools. Research shows that the actual security provided by complex passwords is often far less than one would expect based on the password’s theoretical strengths. One major issue with complex passwords was published last year by a research team from Carnegie Mellon University, which explained that predictable human tendencies often dramatically undermine the strength of complex passwords.

For example, on systems that require passwords to include both upper and lowercase characters as well as a number, a widely disproportionate number of passwords created will follow such pattern: an uppercase character followed by lowercase characters, and then ended with a single digit. Similarly, the researchers found that when people are required to create long passwords, they often repeat a short password twice. As a result of these human tendencies, password cracking is easier than ever.

So how should you best address these issues?

I wrote a blog on passwords a couple of months ago discussing this very topic after The National Institute of Standards and Technology (NIST) had issued new guidelines regarding secure passwords. The 3 guidelines were (and please refer to the previous password blog for more detail):

1. Remove periodic password change requirements.

2. Drop the algorithmic complexity song and dance.

3. Require screening of new passwords against lists of commonly used or compromised passwords.

Hopefully this helps! I know at the very least it should get you thinking about doing more to protect yourself in the password arena. I know it helped me and got me thinking smarter.

Please contact us for any questions you may have on password screening! We’re happy to help and point you toward software that can make this process simpler.

One of Asia’s top airlines, Cathay Pacific Airways, said a hacker accessed personal information of 9.4 million customers, becoming the target of the world’s biggest airline data breach.

Oh boy.

The airline’s shares sank dramatically, shaving $201 million off its market value, after the Hong Kong-based carrier disclosed the unauthorized access late Wednesday, 7 months after discovering the violation. While passports, addresses and emails were exposed, flight safety wasn’t compromised and there was no evidence any information has been misused, it said, without revealing details of the origin of the attack.

“This is quite shocking,” said Shukor Yusof, founder of aviation consulting firm Endau Analytics in Malaysia. “It’s probably the biggest breach of information in the aviation sector.”

“We are very sorry for any concern this data security event may cause our passengers,” CEO Rupert Hogg said in a statement. The airline is in the process of contacting affected people, he added.

It’s the latest embarrassing data breach to hit a major international airline. British Airways said the hack on its system lasted for more than 2 weeks during the months of August and September, compromising credit-card data of some 380,000 customers. Delta said in April that a cyberattack on a contractor last year exposed the payment information of “several hundred thousand customers.”

The hackers who hit Cathay gained access to 27 credit card numbers but without the cards’ security codes, and another 403 expired credit card numbers. They also accessed names, nationalities, dates of birth, telephone numbers, emails, physical addresses, numbers for passports (roughly 860,000), identity cards and frequent-flier programs, and historical travel information according to the airline.

“Upon discovery, we acted immediately to contain the event and to thoroughly investigate,” Hogg said. “We engaged one of the world’s leading cybersecurity firms to assist us, and we further strengthened our IT security systems, too.”

Hong Kong’s privacy commissioner expressed serious concern over the leak and said the office will initiate a compliance check with the airline. A dedicated website provides information about the event and what affected passengers should do next.

Some local lawmakers criticized Cathay for taking so long to reveal the breach. Lam Cheuk-ting, a member of the Legislative Council’s security committee, told reporters that many people in Hong Kong are angry and the airline should’ve taken the initiative the very first day it found out. Cathay’s Chief Customer and Commercial Officer, Paul Loo, said the airline wanted to have accurate grasp on the situation and didn’t wish to “create unnecessary panic.”

Cathay is in the midst of a 3-year transformation program, as part of which Hogg has reduced jobs starting with the carrier’s head office in Hong Kong to cut costs and introduced better business-class services on long-haul flights to help lure premium passengers.

Cathay was ranked as the 6th best airline in the world this year by Skytrax, a London-based firm that provides advisory services for carriers and airports.

As I wrote earlier this month, IT problems in the airline industry seem to be growing. And while the causes are complex, when an airline cancels your flight and blames technology, you can’t accept it with a shrug. It sounds like they need to be introduced to an unbeatable IT service with decades of experience and demonstrated expertise to solve their problems…

The Internet of Things (IoT) is an idea that could radically alter our relationship with technology. The promise of a world in which all of the electronic devices around us are part of a single, interconnected network was once a thing of science fiction. But IoT has not only entered the world of nonfiction — it’s actually taking the world by storm.

While the possibilities of these new technologies are mind-boggling, they also reveal severe IoT cybersecurity challenges. During the last few years, we’ve seen a dramatic increase in the number and the sophistication of attacks targeting IoT devices.

A Growing Network

IoT devices are no longer a niche market. They have started to move from our workspaces into our (smart) homes, where IoT devices are expected to have the most significant impact on our daily lives. Most smart home devices will be benign, everyday appliances like kettles and toasters. Even if these devices are hacked and compromised, short of ruining your breakfast, there’s not a lot a hacker can do to cause you grief. However, IoT will encompass a significant portion of the electronics around us in a variety of settings. This includes situations involving intruders and could have lethal consequences.

IoT Cybersecurity Challenges

Numerous cybersecurity experts have exposed severe security flaws in IoT architectures. Some have demonstrated how cars can be hijacked and controlled remotely. Perhaps more alarmingly, they’ve shown how medical devices, such as pacemakers, can be switched on and off at will. While this is undoubtedly alarming, what makes it even more shocking is just how little attention people pay to cybersecurity. IoT cybersecurity challenges are plentiful—and those are just the ones we know of.

Researchers who were able to access a multitude of IoT medical devices found that they weren’t password protected. And when they were password protected, many were using default passwords that an experienced attacker with information from the device manufacturer could crack in a few seconds. We can’t afford to have such basic cybersecurity blunders jeopardize the promise of IoT.

Regulate and Standardize Cybersecurity

Consider the difference in the number of security threats that exist for iPhones versus Android phones. Because all iPhone generations run on the same hardware—representing standardization across devices—it’s much easier to secure them from attacks, implementing comprehensive security measures.

If the IoT revolution is going to succeed, we need to have a robust regulatory framework in place to ensure that device manufacturers adhere to minimum, mutually intelligible IoT cybersecurity standards. We should also standardize device-level security protocols to ensure that each network element is part of a general strategy for combatting common threats. We can’t afford to leave any weak, low-level links unguarded.

With new types of cyber-attacks emerging constantly, it’s essential to get ahead of the curve as soon as possible. Every IoT device has a corresponding IP address. Therefore, each small device can have serious implications for global network privacy. An attacker could potentially infiltrate the network and follow a trail of data from any given device to an end-user.

The next few years will be critical for IoT. The entire concept may well rise or fall on the basis of how well we collectively address cybersecurity risks. Connectivity is always a double-edged sword, and most IoT cybersecurity challenges have yet to be overcome. Fortunately, it seems that device manufacturers are being spurred into action.

Imagine you’re a top executive at a company hit by a major crisis within the last 72 hours. First, and most importantly, there may have been serious damage to the community in which you operate. Your customers may have suffered, people’s livelihoods destroyed. The environment may be irretrievably damaged.

What do you do?

The threat is growing

Many incidents inside companies never hit the headlines, but recent evidence suggests that more are turning into full-blown corporate crises.

Why is this a bigger problem now than it has been in the past? First is the growing complexity of products and organizations. A new pickup truck today includes computer controls programmed with more than 150 million lines of computer code, while the average deepwater well is the height of seven Eiffel Towers. Goods travel thousands of miles and move through supply chains that comprise multiple intermediaries and multiple jurisdictions. A second reason for the significance of the problem is a higher level of stakeholder expectations. Customers, often in response to messages on social media, are more willing to sue or shun a company they believe is unethical. Governments are more willing to seek redress from companies they believe are breaking the law, and shareholder activism is on the rise. Third, the changing social contract is driving anxieties and mistrust in institutions, making irreversible knee-jerk reactions more likely. Finally, the raw speed of business operations—from rapid communications to shorter product-development timelines—makes crises more likely.

Understandably, companies spend more time trying to prevent crises than preparing for them. However, crisis readiness has become at least as important as risk management, takeover readiness, and vigilance over safety.

Five parallel paths to resolution

It helps to think of a crisis in terms of “primary threats” (the interrelated legal, technical, operational, and financial challenges that form the core of the crisis) and “secondary threats” (reactions by key stakeholders to primary threats). Ultimately, the organization will not begin its recovery until the primary threats are addressed, but addressing the secondary threats early on will help the organization buy time.

When a crisis hits (or is about to hit), one of the first actions should be to create a cross-functional team to construct a detailed scenario of the main primary and secondary threats, allowing the company to form early judgments about which path the crisis may travel. This helps the organization set out major decisions it needs to make quickly and is the first step toward wresting back control—improving the headlines of tomorrow, rather than merely reacting to the headlines of today.

1) Control the organization

An effective crisis team is central to mounting a satisfactory response. The best crisis organizations are relatively small, with light approval processes, a full-time senior leader, and very high levels of funding and decision-making authority. The team should be able to make and implement decisions within hours rather than days, draw a wall of confidentiality around the people who are responding, and protect those not involved from distraction in their day-to-day activities.

A common error is to choose an external expert as leader of the company’s crisis response. External hires typically struggle to motivate and organize the company in a crisis situation. The right leader usually will be internal, well known, and well regarded by the C-suite; will have served in an operational capacity within the industry; and will enjoy strong informal networks at multiple levels in the company. He or she should possess a strong set of values, have a resilient temperament, and demonstrate independence of thought to gain credibility and trust both internally and externally.

2) Stabilize stakeholders

In the first phase of a crisis, it’s rare for technical, legal, or operational issues to be resolved. At this stage, the most pressing concern will likely be to reduce the anger and extreme reactions of some stakeholders while buying time for the legal and technical resolution teams to complete their work.

For instance, an emergency financial package may be necessary to ease pressure from suppliers, business partners, or customers. Goodwill payments to consumers may be the only way to stop them from defecting to other brands. Business partners might require a financial injection or operational support to remain motivated or even viable. It may be necessary to respond urgently to the concerns of regulators.

3) Resolve the central technical and operational challenges

Many crises have a technical or operational challenge at their core. But the magnitude, scope, and facts behind these issues are rarely clear when a crisis erupts. At a time of intense pressure, therefore, the organization will enter a period of discovery that urgently needs to be completed. Frequently, however, companies underestimate how long the discovery process and its resolution will take.

It’s best, if possible, to avoid overpromising on timelines and instead to allow the technical or operational team to “slow down in order to speed up.” This means giving the team enough time and space to assess the magnitude of the problem, define potential solutions, and test them systematically.

4) Repair the root causes

The root causes of major corporate crises are seldom technical; more often, they involve people issues (culture, decision rights, and capabilities, for example), processes (risk governance, performance management, and standards setting), and systems and tools (maintenance procedures). They may span the organization, affecting hundreds or even thousands of frontline leaders, workers, and decision makers. Tackling these is not made any easier by the likely circumstances at the time: retrenchment, cost cutting, attrition of top talent, and strategy reformulation.

For all these reasons and more, repairing the root cause of any crisis is usually a multiyear exercise, sometimes requiring large changes to the fabric of an organization. It’s important to signal seriousness of intent early on, while setting up the large-scale transformation program that may be necessary to restore the company to full health.

5) Restore the organization

Some companies spend years of top-management time on a crisis, only to discover that when they emerge, they have lost their competitiveness. A large part of why this happens is that they wait until the dust has settled before turning their attention to the next strategic foothold and refreshing their value proposition. By this stage, it is usually too late. The seeds for a full recovery need to be sown as early as possible, even immediately after initial stabilization. This allows the organization to consider and evaluate possible big moves that will enable future recovery, and to ensure it has the resources and talent to capitalize on them.

In conclusion

Risk prevention remains a critical part of a company’s defense against corporate disaster, but it is no longer enough. The realities of doing business today have become more complex, and the odds of having to confront a crisis are greater than ever. Armed with the lessons of the past, companies can prepare in advance and stand ready to mount a robust response if the worst happens.

US Weapons Systems Vulnerable to Cyber Attacks

Authorized hackers were quickly able to seize control of weapons systems being acquired by the American military in a test of the Pentagon’s digital vulnerabilities, according to a new and eye-opening government review.

The report by the Government Accountability Office concluded that many of the weapons, or the systems that control them, could be neutralized within hours. In many cases, the military teams developing or testing the systems were oblivious to the hacking.

A public version of the study, published last week, deleted all names and descriptions of which systems were attacked so the report could be published without tipping off American adversaries about the vulnerabilities. Congress is receiving the classified version of the report, which specifies which among the $1.6 trillion in weapons systems that the Pentagon is acquiring from defense contractors were affected.

But even the declassified review painted a terrifying picture of weaknesses in a range of emerging weapons, from new generations of missiles and aircraft to prototypes of new delivery systems for nuclear weapons.

“In one case, the test team took control of the operators’ terminals,” the report said. “They could see, in real time, what the operators were seeing on their screens and could manipulate the system” — a technique reminiscent of what Russian hackers did to a Ukrainian power grid two years ago.

The Government Accountability Office, the investigative arm of Congress, described “red team” hackers who were pitted against cyberdefenders at the Pentagon. The tested weapons were among a total of 86 weapons systems under development; many were penetrated either through easy-to-crack passwords, or because they had few protections against “insiders” working on elements of the programs.

Sometimes the testing teams toyed with their Pentagon targets. One team “reported that they caused a pop-up message to appear on users’ terminals instructing them to insert two quarters to continue operating.”

The searing assessment comes after years of warnings about the vulnerabilities of the military systems — some of which the Government Accountability Office said were ignored — and just as President Trump gives American commanders more flexibility to deploy cyberweapons without obtaining presidential approval.

It also suggests that the United States is vulnerable to cyberattacks when it seeks to disable enemy systems.

Nuclear weapons themselves were not included in the report; they are mostly controlled by the Energy Department, which oversees their design and testing. But nuclear weapons have become a focus of increasing scrutiny, both inside and outside the defense establishment.

Last month, the Nuclear Threat Initiative, a group that studies nuclear threats, published a detailed report about the risks that nuclear weapons systems could be subject to cyberattacks. It warned that such attacks “could have catastrophic consequences,” including the risk that weapons could be used in response to “false warnings or miscalculation.”

“The world’s most lethal weapons are vulnerable to stealthy attacks from stealthy enemies — attacks that could have catastrophic consequences,” former Energy Secretary Ernest J. Moniz, former Senator Sam Nunn and former Defense Minister Des Browne of Britain wrote in that report.

“Today, that fact remains the chilling reality,” wrote the three Cold War veterans. “Cyberthreats are expanding and evolving at a breathtaking rate, and governments are not keeping pace. It is essential that the U.S. government and all nuclear-armed states catch up with — indeed, get ahead of and stay ahead of — this threat.”

It can be a scary business that we’re in sometimes, huh?

I think all people can ask for is that we have our very best men and women on the case protecting us at all times. And if your business is looking for that kind of protection, look no further than The 20. Contact us today.