My wife hates it when I say the word “stupid”, she prefers me to say "silly" instead. But sometimes I think it is the most appropriate word, like this morning when one of my employees was reporting an issue with his password and yelled it across the room. We are in the managed IT and security business and still our employees sometimes do stupid things! Just goes to show that whatever the industry you are in you need to keep reminding your users about the importance of data security.
So what can you do to drill the importance of good security into ever one that works in your company. Here are a few things that will make a difference.
Enforce password complexity and expiration
This is a really simple one but its also one we find being ignored over and over again. You know that old saying, "you're only as strong as your weakest link"? Well your weakest link might be that sweet old woman that has worked in accounting for twenty five years and used the same password for all twenty five of them. Not just that but three of the stores she shops at have had data breaches and her password is al over the internet.
Work with your IT group to make sure passwords are complex and they expire. This creates some occasional helpdesk calls but its much better than calling you customers to tell them your company is breached.
Tools to Help
- Have you or your users been pwned? Are your usernames and passwords out in the wild. For example, I was pwned because of two data breaches, one at Adobe and one at LinkedIn. If I use the same password on my corporate network then my company is at risk.
- Check your password on the Password Meter - this handy tool will rank your passwords strength with a simple visual red, yellow or green.
- Run a Network Assessment. - Someone needs to be minding the store. If your MSP or in house IT department is not continually watching what is going on in your network then you are bound to have an upcoming problem.
Operate on a strictly “need to know” basis
Again a pretty simple tip but one we see overlooked all the time. As staff and systems get older, with out good security practices in place, data and passwords get "loose". What once was limited to the finance or executive managment is now wide open on the network or protected by a password that everyone knows.
Start by listing all the data you feel needs to be protected, this can be physical (files) or electronic. Then assign it a classification:
- Restricted: This is the most sensitive data that could cause great risk if compromised. Access is on a need-to-know basis only.
- Confidential / Private: This is moderately sensitive data that would cause a moderate risk to the company if compromised. Access is internal to the company or department that owns the data.
- Public: This is non-sensitive data that would cause little or no risk to the company if accessed. Access is loosely, or not, controlled.
Then figure out the smallest number of people that need access to that data in each of those buckets. Lastly make the appropiate changes to your network so that the data is locked down appropiately.
Lock up the goods
What good is having passwords if the Administrator account is logged into the server in the closet down the hall. How about keeping all the payroll files in the bottom right hand drawer but not locking the desk or office. Use physical security to keep restricted data restricted. Make sure every employee knows what is permitted and what is not. Think about remote access to employees desktops and the use of desktop locks to prevent prying eyes.
Use two factor authentication
If you are doing online email, banking or online payroll or anything online that involves your cash you would be wise to use a system of two factor authentication (2FA).
Two factor authenication requires the user to know something and two have something at the same time. So for example, you need to know a password and have a code that is sent to your cellphone. Many banks use a RSA security token that displays a different multi-digit number every minute so you need to have that token available when you login. There are two many variables to explain how to implement 2FA in your corporate network so work with your IT provider to discuss your options.
Tools to help
Use a firewall and a VPN
This should be common sense for business but I am shocked by how many times I walk into a company to do a security audit and their only firewall is the one supplied on the cable companies modem. They actually work but give the user almost zero flexibility on controlling to proper communications needed so often times they are full of security holes or worse yet turned off.
Get a business class firewall and configure it as tight as possible. If you have remote employees make them use a VPN to access anything behind the firewall.
Stay up to date on your software
Old software is almost always a security risk in your business. Keeping your software up to date is key to keeping your company secure. Your IT department or outsourced IT provider needs to have systems in place to blacklist buggy software and to keep all of the users software current. Did you know that in 2015 Malware attacks on the Adobe Flash platform rose by a horrifying 317 percent in the first quarter of 2015. Over 200,000 attacks in three months!
Or to be notified when a new security release is out, try TouchPine, where all notifications about version updates you care about are delivered to your email address.
Use Perimeter Testing
In the book, "Inside Network Perimeter Testing", the author says, "The security of your network is evaluated daily. A rich question to ask is, "Are you the one doing it?:""
Consistant ongoing testing of your network from the outside (and the inside) is the only way to keep network security top of mind. Is there a new port opened? A new Administrator account? Are there unknown devices on the WiFi network? These are all questions you need to answer repeatibly.
You also should continually monitor if you network ...
Free tools like the Reputation Monitor from AlienVault can help you monitor your ip space and see your network from a hackers point of view.
Purge Old Employees and remove old Emails
When an employee leaves companies will often change the password and leave the account in place on the domain. In addition they will forward that ex-employee's email to someone else in the company. This is fine to do for a short term period but all too often these accounts and forward stay on the network for years. This is just another account to get hacked and more possible spam, phishing and malware to come into the inbox of a current employee. Get a policy in place to remove old user and email accounts.
This is another area where a full network assessment can uncover active accounts that have not been logged into in some time.
Educate your Users
More than ever, because we are so connected, your users are the weakest link in your network and the biggest risk to your company's security. According to Verizon, 67% of cyber espionage started with a one phishing email. One user clicking on a link that looks real but in reality starts the process of wreaking havoc on your network. Often times this will go one for months or even years before it is exposed. Invest in User Awareness Training we can work with you on a number of fronts and that’s what is needed to keep your company secure. Security is not a technology problem it is a human problem. We work with your users to make sure they understand the mechanisms of cyber security and how they can apply that knowledge in their day to day activities on the job.
We can work with your users and provide ongoing education for:
- User Security TrainingPhishing
- PCI Compliance
- CEO Fraud
- Strong Passwords
- Handling Sensitive Information
- Mobile Device Security
- Credit Card Security
- GLBA Security Awareness
- Safe Web Browsing
Get some policies in place
Last but not least, get some written policies in place in your company. We breifly talked about a Data Classification Policy, but what about an Internet Use Policy, a Bring your Own Device policy, an Information Security Policy. If your IT department or outsourced IT provider is not helping you with these policies then you are opening yourself up for risk. If the users don't know the boundaries, aren't made aware of the risks then they will by default be part of the problem.
So in the end...
All of these things are not enough but I hope they will help you tighen down your network and hopefully prevent a breach, infection or worse. If I can help you or your company please shoot me a line at our contact us page. I will do my best to help you in anyway I can.