When setting next year’s budget, you will likely be considering how investments in technology will help drive the outcomes you want from your business. How will improved hardware and software solutions increase the efficiency of your teams? Will your staff enjoy their work more once they have said goodbye to their dinosaur computers?
As our reliance on Information Technology continues to grow, so too do the risks to our businesses. It may seem as though there is always some new cyber threat out in the world, and technology providers and IT Departments are constantly playing defense. It does not have to be this way and we have compiled 5 steps you can take in your own business to improve your security posture and reduce the risks presented by hackers, viruses, and rogue employees.
Take a layered approach to security
In the past, it was considered a best practice to create walls around your business technology and keep the bad guys on the outside. Today, however, threats are too advanced, and no castle is impenetrable. We must consider that each security measure has its own weaknesses and that the bad actors out in the world have already made their way past some of them.
These new risks demand a new approach to Information Security: a layered approach. Some of the old standbys remain, such as using complex passwords, along with a reliable Anti-Virus and Anti-Malware solution on every desktop, laptop, and server in your organization. These devices should live behind a quality firewall that provides Intrusion Detection and Intrusion Prevention Systems, as well as Content Filtering and secure Remote Access. Portland Internetworks takes this piece so seriously that we provide a free Meraki firewall with our Fully Managed IT plan.
If we assume that Anti-Virus and Firewalls are no longer enough to prevent all the possible threats in the world, then we must look to solutions that exist outside of your business’s data center for additional protection. Cloud-based solutions such as Cisco’s Umbrella platform stop malicious software in its tracks, even if it makes its way past your Anti-Virus and your firewall. Backed by Cisco’s Talos threat security group, Umbrella actively works to prevent your data from traveling to known bad actors around the globe. This is security at a scale that most small and medium-sized businesses cannot manage on their own.
Lastly, we must assume that your staff will have their accounts compromised at some point in the future. Phishing attacks are becoming more believable, and malicious websites more convincing. It only takes a few moments for an employee to unwittingly hand over their passwords, and it may be too late before they realize it.
To prevent a small mistake from becoming a big problem, we recommend implementing Multi-Factor Authentication. Strong passwords are important, but without a second factor, such as a one-time code, hackers who obtain your staff’s passwords will have all that they need to enter your network and do as they please. Solutions like Duo replace what used to be a cumbersome process involving tokens hanging from keychains with a fast and user-friendly one. With nothing more than a simple smartphone app, Duo will enhance your organization’s security posture without hindering productivity.
Train your team
It is all too easy to look for technical solutions to the problem of Information Security. One of the most important factors, if not the most important factor, is the people within your organization and their behavior. 91% of successful data breaches begin with a phishing attack, and for these breaches to succeed, they require an employee to click a link, download a file, or run a program. These are the behaviors that drive the average total cost of a data breach to $3.86 Million.
Behavior is a difficult thing to manage since it is learned. If you are not taking the time to properly educate your team on the dangers of lax security practices, then you are failing to teach them the behaviors that will protect your business. We manage risk in almost all aspects of our lives, both personal and professional, so ensure that your business is protected at its most disparate, diverse, and challenging layer: your people.
Portland Internetworks offers free Security Awareness Training to all Fully Managed IT customers and can facilitate simulated cyber-attacks to test your organization’s readiness in the event of a real breach. Don’t wait until you are reeling from the PR disaster that is a data breach; instead, focus on preventing the problem in the first place with adequate training of your employees.
Don’t forget physical security
With so much focus on the more intangible aspects of securing your business, such as advanced software for preventing data loss, or enforcing a training program for employees to follow, it may seem as though things like locks on the doors and security cameras are of reduced importance. This assumption would be incorrect, however, and ignoring these basics would be a mistake.
Even if you do not yet realize it, you have enormous amounts of sensitive data in your possession. These may be the fruits of your company’s intellectual labors: designs, plans, software code, and financial data. Or perhaps they are the personnel records of your team: their names, addresses, and Social Security Numbers. This data is highly valued by hackers who are financially motivated to acquire it.
At a minimum, the physical records that exist in filing cabinets and the equipment in your server room or network closet need to be locked down with restricted access. If you find yourself working in a small office with limited space for securing IT equipment, there are small “cages” available that will allow you to keep your servers and network equipment under lock and key while still allowing them to live alongside the company copier. Take these steps to prevent both unwanted physical access and accidental damage to your precious data.
Take stock of your current abilities
You may have an idea of where you want your company’s security posture to end up or the outcomes you hope for all of these security products and services to deliver, but you must periodically assess the effectiveness of each of these layers of defenses. A brief Risk Assessment can deliver a report that outlines the steps needed to improve your information security standing and increase your readiness in the event of a data breach.
Taking this a step further, a Penetration Test will leverage the expertise of highly skilled technicians as they play the role of hackers in the midst of a targeted attack on your organization. They will begin with little to no advance knowledge of the environment or your people, and will work as the bad guys do: gathering information online from social media, performing Social Engineering activities against your team, and possibly attempting to place malicious devices or software on the company network.
The information delivered after a Penetration Test will be more comprehensive and will take into consideration any regulatory pressures your organization faces. This will help establish the path towards compliance and increased overall security. Doing this each year will allow you to continuously improve on these efforts and truly drive a culture of security.
Gain the support of Leadership
We get it: Information Security is not the most thrilling of topics, and many of the measures we must all take to enhance the security posture of our organizations will impact the behaviors of our teams. This means that some folks will be rubbed the wrong way by the need for longer passwords, Multi-Factor Authentication, and locks on the doors. At the end of the day, however, the business needs to not only survive a data breach but thrive in the face of constant threats.
The company leaders must support the efforts of improving security by means of additional technical controls, enhanced user education, and a shift in company behavior. Without this support, these endeavors are certain to fail, and it will only be a matter of time before a breach attempt is successful. Company leaders understand that any leak of their customers’ sensitive data would be extremely harmful to the organization, potentially leading to the loss of clients or future funding. Crafting a message to leaders, be they owners, managers, or supervisors, will be a challenge. But preventing these events from ever having a tangible impact on your company’s operations will be well worth the effort.
5-step recap
Security is more important now than ever, because the “bad guys” out there are getting exceptionally good at what they do. It is crucial that you take a layered approach to security, utilizing multiple levels of security to ensure your information is protected. No company is ever 100% safe when it comes to security; that is the unfortunate truth. However, one way to lower your organization’s risk of a breach is to train your team. Ensure they have the knowledge and resources to know when they are being targeted. When discussing information security, it would be foolish to forget about physical security; all the firewalls in the world won’t mean a thing if someone can walk through the front door and gain access to your business’s information unhindered. Make sure your workplace is protected with up-to-date security measures. Everyone has room to develop their security practices, and a good jumping-off point is to take account of your current abilities with a risk assessment or penetration test. Lastly, with information security never having been more important, gathering the support of leadership can be what it takes to ensure new safe practices gain traction and become a pillar in your business.
Resources To Check Out:
We would only share products that we personally trust. When it comes to training our team, we utilize KnowBe4, a great company whose goal is to keep your business safe. (No, we don’t sell their products, so we have no incentive to plug their services!)
Reach out to our team if you have questions via email (firstname.lastname@example.org) or phone at (503) 972-7272.
Keep up to date with our team by joining our mailing list. We promise not to fill your inbox with junk.