There is a difference between what people perceive as enough cyber security and what the industry recommends as best practices. The problem, especially in small to mid-sized businesses, is the notion that good security is impossibly expensive and/or complex.
So ask yourself: How much security do you really need? The answer will help drive the right focus and the right solution for your business. Because let’s face it: security can be complex. Just look at a sampling of security frameworks and regulations in existence (cue the “Star Wars” opening crawl music):
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability & Accountability Act (HIPAA)
HITECH/HITRUST Common Security Framework (CSF)
International Basel III
ISA/IEC 62443 (formerly ISA 99)
ISO/IEC 27002: 2013
Internet Engineering Task Force RFC 2196
Information Security Forum (ISF) Standard of Good Practice
Information Technology Infrastructure Library (ITIL)
NERC CIP (CIP-002-3 through CIP-009-3)
NIST 800-53 v4
Payment Card Industry (PCI) Data Security Standard (DSS) v3.0
Safe Harbor Int'l Info Privacy Protection
Sarbanes-Oxley Act of 2002 (SOX)
That’s a daunting list and each category represents its own focus and purpose. But there are common denominators and in an effort to simplify, we’ve narrowed it down to the top five security areas. These are the areas that should be addressed and applied in all businesses, whether you are NASA or a donut shop.
I Need A Security Assessment
1. Data Security
What year is it? Do we really need to talk about backing up data? Believe it or not, we still find businesses with no backups, or tape backups stored in the trunk of someone’s car and labeled as their “off-site” solution. Whether they’ll work when needed is anyone’s guess. Some businesses still have backups connected to the network that can be encrypted, deleted or exfiltrated during a data breach.
We recommend a cloud-based system that keeps your data backed up and safe from any attacks on your local drives. And make sure your employees are using it! We’ve seen instances of vast amounts of critical data stored on employees’ local drives — sometimes years’ worth of lost data in the aftermath of a Ransomware attack.
2. Physical and Logical Access Controls
Sometimes physical security gets ignored in all the excitement and drama of cyber security. Yes, locking the doors still deters criminals. One of my roles at ProTech involves leading security assessments for customers – and physical security is high on the list. I am still amazed when I walk through a facility and find the server room doors propped open or unlocked. Some even with no lock or doors that won’t shut.
Here’s some irony: I attended two cyber security conferences recently and in both cases, the facility’s server room and electrical room doors were propped open during the security conference. And, no, it wasn’t for a tour.
But, locks alone won’t keep you safe — you also need access controls to limit who can enter and when. You also need a policy that prohibits tailgating — we’ve all seen employees letting others slide in behind them when entering secured areas.
3. Secure Endpoints and Network Devices
Unattended but still-connected endpoints (end-user devices), such as desktops, laptops, smart phones, tablets and wireless APs, are a security nightmare waiting to happen. Even a five-minute delay before time-out can be risky. Five minutes leaves plenty of time for someone to walk over and take control of a device. Our best practice is to lock screens anytime they are unattended – even for a few minutes.
In our security assessments, we often find that network devices such as switches and routers have easy-to-guess default passwords such as admin, user, or even password. It’s bad enough to leave these default passwords in place, but it’s just as bad to change them to something equally as easy to guess.
IT pros, practice what you preach! Complex passwords are not just for your end-users. Create passwords that are unique and contain capital letters, lower-case letters, numbers and symbols. There is some debate as to how many characters a good password should include. Kevin Mitnick, known as the world’s most famous hacker, recommends creating passwords with 25 characters.
By the way, don’t initially configure equipment properly and then forget about it. You want to constantly update and patch to ensure that you have the latest security updates. This includes life-cycle planning for when the operating system is no longer supported (I’m looking at you Windows XP).
4. Safeguard Email and Web Usage
It’s been said that 91 percent of data breaches begin with a phishing email. That makes email one of the most important focus areas to keep your business safe. There are many anti-virus applications and SPAM-reducing tools available. It’s important to work with an IT company, such as ProTech, to ensure that the appropriate solution is tailored to your business needs.
For instance, a product like Cisco Systems’ Advanced Malware Protection (AMP) offers the ability to determine if a file is malicious as a point-in-time check, but it can also track each file that enters your network, even if it appears to be non-malicious. If that file is later determined to be malicious, it can retroactively neutralize the file everywhere that it traveled on your network.
Obviously staying safe when browsing the Web is important. Simple web filtering can prevent end users from venturing onto sites that are, at minimum, productivity-killers, or worse, vectors for malicious content. Other tools can prevent malware from “phoning home” by checking a database to determine if the target website is known to be malicious.
5. Continuous Assessments and Training
Last, but certainly not least, we recommend on-going security assessments and training. Let me be clear: I am not advocating a one-and-done security assessment, nor am I recommending a once-a-year security training session for employees. You cannot have a “set it, and forget it” approach to security and expect to keep your business safe. The cybercriminals are constantly changing and constant vigilance is required to adapt to emerging risks. For security assessments, know and understand your regulatory obligations; then, implement an assessment of your entire operation – one that encompasses both the physical and logical security aspects of your business.
Our security training has two objectives:
- Educate employees to be skeptical and learn to spot cybercriminal red flags.
- Develop a culture of security awareness that deputizes end users to act as a “human firewall” to spot and stop potential compromises.
To accomplish these goals, continually test end users to see how many fall for social engineering attemps, such as phishing emails. In our security assessments, we’re able to see just how likely it is that a user will click on a potentially malicious email link or attachment.
For example, an email sent by ProTech that appears to be from Amazon or Apple will get about 18 percent of employees to respond. However, one that appears to come from upper management will se a jump in click rate to 65 percent. Some users will even reply, if prompted, and provide login credentials.
Users who fall for the phishing emails will be automatically enrolled in online security training to continually reinforce the security message.
Don’t let the perception of complexity keep you from attaining the level of security your business needs. Let ProTech design a security roadmap to keep you and your business safe.
Help Me With My Security