Have you ever heard the phrase “Buy this technology and all your problems and worries will disappear”? Perhaps it went something like this: “This is the most advanced technology available, and it will solve all your security issues.” Is there any single technology that can completely protect a company? No. It takes multiple layers of defenses, using various techniques and technologies, to secure a business. To create “defense-in-depth,” these layers must be interwoven and linked together, because an attacker only needs to find and exploit the one weakness that a single layer leaves open. Work through the areas below to increase your security.
Protecting your company with a plan is the best way to ensure safety, and management is responsible for coordinating everything into a coherent whole. The importance of strong security management is often forgotten or lost in the noise of buying things. Security is just as important as any other function in an organization, and it should be run by a dedicated team with its own management. If company size or cost makes that impossible, the function can be outsourced. Many larger companies are now planning to separate the senior management positions and responsibilities for security from those of the rest of the organization.
People are our most valuable asset; we all know this. Do you encourage your security personnel to keep learning? Do you expect your staff to learn something new each year, or to earn a certification? Are you setting the example yourself? Security people are hard to find and are becoming harder to afford, so encourage the staff you have to expand their skills and fill the gaps. Remind them that training is readily available through channels such as YouTube, Spotify, iTunes, and Udemy. Your company will be safer if security personnel are encouraged to learn and grow.
Many companies lack the policies and procedures needed to protect themselves and their employees. Some have a one- or two-page document for the entire company, and some ask why they should bother creating and updating documentation that changes so often. Those objections have some merit if your company is very small; for most companies, the lack of documentation creates security gaps. What do you need to document at a minimum? The physical and logical network maps, along with all the controls that protect your data and offices, are probably the most crucial pieces of security documentation; they normally run between 5 and 10 pages. Next, document what to do when a hacker gets in (the incident response plan); it should be at least five pages long.
Too often, security personnel are not allowed to touch equipment or configurations except during production issues. While some companies have a test environment for developers, few have a second environment for security, even one built from older equipment. This must change. The best way to learn security is to practice with configurations and see what happens, and that practice is a real asset: when an issue does arise in production, as it often will, the person who has experimented with the configuration will usually solve it faster than someone who has not. More experience leads to greater confidence and capability, which in turn means less downtime and lower revenue loss.
You can implement many simple processes that stop hackers from getting away with their work without spending a dime. Financial controls, for example, could include requiring a second authorization for international wires above a set amount, requiring senior-management approval before an international vendor is added to the accounts payable system, and giving Finance staff explicit permission to question any email involving money, banking details, or C-level staff, even when it is marked urgent or critical. Another example: almost everyone reading this article can send email or data files from their company's systems to hostile or hacker-friendly countries without anything being blocked, and hackers in those countries can still email your corporate users, because most companies do not block them. Is it any wonder hackers get into companies and obtain information so easily? Block data transfers to and from any such country that your business currently allows, and block any country you have no tech support or business dealings with. This is common sense, not rocket science.
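The country-blocking point above can be checked against your own mail logs before you turn on blocking at the firewall or mail gateway. The script below is an added example, not from the article: it walks Postfix-style SMTP log lines (constructed here), geolocates each peer IP with a small CIDR-to-country table that stands in for a real GeoIP database, and applies an allow-list of countries the business actually deals with. Unknown locations are sent for review rather than silently allowed. The log format, the table contents, the country codes and the allow-list are all assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a GeoIP feed. A real deployment would load the
# firewall vendor's or a commercial GeoIP database; these are RFC 5737
# documentation ranges with made-up country codes, not real allocations.
GEOIP_TABLE: Dict[str, str] = {
    "192.0.2.0/24": "US",
    "198.51.100.0/24": "DE",
    "203.0.113.0/24": "XX",   # hypothetical country with no business ties
}

# Assumed allow-list: countries where the business has customers,
# vendors or tech support. Everything else gets blocked.
ALLOWED_COUNTRIES = {"US", "DE", "GB"}

_NETWORKS = [(ipaddress.ip_network(cidr), cc) for cidr, cc in GEOIP_TABLE.items()]

# Outbound deliveries log the relay host and IP; inbound sessions log the
# connecting peer. Both patterns approximate Postfix's log format (assumption).
OUTBOUND_RE = re.compile(r"postfix/smtp\[\d+\].*relay=\S+?\[([\d.]+)\]")
INBOUND_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from \S+?\[([\d.]+)\]")


def country_for(ip: str) -> Optional[str]:
    """Longest-prefix lookup of an IP in the constructed GeoIP table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in _NETWORKS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


def decide(country: Optional[str]) -> str:
    """Allow-list policy: an unknown location is queued for review, never allowed by default."""
    if country is None:
        return "review"
    return "allow" if country in ALLOWED_COUNTRIES else "block"


def evaluate_log(text: str) -> List[Tuple[str, str, Optional[str], str]]:
    """Return (direction, ip, country, decision) for every SMTP line that names a peer IP."""
    findings = []
    for line in text.splitlines():
        match, direction = OUTBOUND_RE.search(line), "outbound"
        if not match:
            match, direction = INBOUND_RE.search(line), "inbound"
        if not match:
            continue  # queue manager, cleanup, etc. carry no peer address
        ip = match.group(1)
        cc = country_for(ip)
        findings.append((direction, ip, cc, decide(cc)))
    return findings


# Constructed sample log: two deliveries, two inbound connections, one unrelated line.
SAMPLE_LOG = """\
Jun  1 10:02:11 mx postfix/smtp[1234]: 5A1B2C: to=<vendor@example.com>, relay=mail.example.com[192.0.2.10]:25, status=sent
Jun  1 10:05:43 mx postfix/smtp[1235]: 5A1B2D: to=<someone@example.net>, relay=mail.example.net[203.0.113.7]:25, status=sent
Jun  1 10:06:01 mx postfix/smtpd[1240]: connect from unknown[100.64.1.2]
Jun  1 10:07:15 mx postfix/smtpd[1241]: connect from mail.partner.de[198.51.100.5]
Jun  1 10:08:00 mx postfix/qmgr[1100]: 5A1B2E: removed
"""

if __name__ == "__main__":
    for direction, ip, cc, decision in evaluate_log(SAMPLE_LOG):
        print(f"{decision:6} {direction:8} {ip:15} {cc or '??'}")
```

Run it against a week of real logs before enforcing: the "review" bucket tells you how much of your traffic your GeoIP source cannot place, and the "block" bucket tells you which business relationships you forgot to put on the allow-list.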
You need to test your defenses to ensure they can withstand attack, however strong or weak they may appear. Penetration testing does not just look for weaknesses or holes in your defenses (like an open door or window); it goes through the opening (penetrates) and sees what else it can reach, much as a hacker would. The test exercises your defenses to determine the extent of the possible damage without actually causing harm. Because of the cost, time, and potential impact on systems, a penetration test is typically run once per year. If extensive testing is not feasible, a simpler, non-intrusive test known as vulnerability scanning can be used; it finds weaknesses, gaps, and surface holes and should be performed at least once a quarter. It is a low-cost, low-impact option that can save you a lot of money compared with a penetration test. Quarterly scanning might seem excessive, but hackers are improving, and you need to find the problems before they do.
You must keep your technology devices, including smartphones, up to date with patches (updates) and on current software versions. Why? Software, whether purchased, open source, or internally developed, has always had weaknesses, and more will continue to be found over time.
In case you end up among the many victims of hacking, make sure your insurance covers breaches and the associated costs. Why? Many policies still do not cover breaches directly, so ask before something happens and be prepared.
Even when everything is in place, quality control or auditing must be done to ensure that security processes are being monitored and maintained. This monitoring can be done by one extremely detail-oriented individual rather than a team. A recent example of why this matters: some people and companies constantly search for unsecured Amazon S3 buckets and publish what they find in the media for everyone to see, even though no data was stolen or breached. While they claim to be providing a public service, they are often selling cloud security monitoring services. Your company is now in their crosshairs, which means your defenses must work every time; these hackers or individuals only need to find one gap.
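The practical answer to the S3 point is to run the same check those researchers run, on your own buckets, before they do. The following is an added example, not from the article or from AWS, and it goes a little beyond the paragraph by covering the three places a bucket can be opened up: the bucket policy, the bucket ACL, and the account or bucket Block Public Access settings. All three inputs are constructed here; in production they come from the GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock API calls. The account ID, role name and bucket name are placeholders. A policy statement with a Condition is still reported, because whether the condition really limits access has to be judged by a person.

```python
import json
from typing import Any, Dict, List

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
BPA_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value: Any) -> List[Any]:
    """Statement, Action and Principal.AWS may be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal: Any) -> bool:
    """Principal "*" or {"AWS": "*"} grants access to anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy: Dict[str, Any]) -> List[str]:
    """Describe each Allow statement whose principal is everyone.

    A Condition block is reported but does not clear the finding: whether it
    really limits access (for example to one VPC) needs a human to read it.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = ",".join(_as_list(stmt.get("Action")))
        label = stmt.get("Sid", "statement#%d" % i)
        note = " (has Condition, review it)" if stmt.get("Condition") else ""
        findings.append(f"policy {label}: {actions} allowed to everyone{note}")
    return findings


def public_acl_grants(acl: Dict[str, Any]) -> List[str]:
    """Describe ACL grants to the AllUsers or AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"acl: {grant.get('Permission')} granted to {group}")
    return findings


def block_public_access_gaps(config: Dict[str, bool]) -> List[str]:
    """List Block Public Access settings that are off (a missing key counts as off)."""
    return [f"block-public-access: {k} is off" for k in BPA_SETTINGS if not config.get(k, False)]


def audit_bucket(policy_json: str, acl: Dict[str, Any], bpa: Dict[str, bool]) -> List[str]:
    """Run all three checks for one bucket; an empty list means nothing is exposed."""
    policy = json.loads(policy_json) if policy_json else {}
    return public_policy_statements(policy) + public_acl_grants(acl) + block_public_access_gaps(bpa)


# Constructed inputs: a bucket as the researchers would find it, then the same
# bucket after hardening. Account ID, role name and bucket name are placeholders.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
})
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}
WEAK_ACL = {"Grants": [OWNER_GRANT,
                       {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
WEAK_BPA = {k: False for k in BPA_SETTINGS}

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
                   "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}],
})
HARDENED_ACL = {"Grants": [OWNER_GRANT]}
HARDENED_BPA = {k: True for k in BPA_SETTINGS}

if __name__ == "__main__":
    for name, args in (("weak", (WEAK_POLICY, WEAK_ACL, WEAK_BPA)),
                       ("hardened", (HARDENED_POLICY, HARDENED_ACL, HARDENED_BPA))):
        findings = audit_bucket(*args)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  " + f)
```

The hardening shown is the usual shape: the wildcard principal becomes a specific role, the AllUsers ACL grant goes away, and all four Block Public Access settings are on so that a future policy or ACL mistake cannot reopen the bucket. Running this on a schedule, with any non-empty result paged to a person, is the "monitored and maintained" part of the paragraph above.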
You can stay ahead of hackers by improving each of these areas continuously. If you do not strive to improve, hackers will eventually discover you and make you their prey.
Cyberwarfare is here! You can either get smart or get hacked…