Cyber-Security is a SHARED Responsibility
What kind of process do you have around analyzing your risk and liability as it pertains to cyber-security?
That’s one of the questions we ask when we are talking with prospective clients who are curious about how we can help their organization. Nine times out of ten, the answer we get is: I am not exactly sure what we do, but the guy who takes care of our technology says we are good and there is nothing to worry about. However, when we push a little further and ask questions like:
How often do you audit and verify your security?
you can see some doubt starting to show in their eyes. Normally the response is again: I trust our guy to take care of those things for us, since cyber-security is his thing. I am here to tell you: if you are just trusting your guy to take care of your cyber-security with no involvement from you and your staff, you are 100% dead wrong! I know that is a strong statement, but it is unbelievably true. The truth is that cyber-security is a SHARED responsibility, and no matter how good an I.T. person you have, they cannot protect you without your involvement.
Now that we have ruffled your feathers a bit, let’s dive a little deeper. In days past you could rely on your I.T. guy to install your anti-virus, keep the definitions updated, and set up a firewall, and that was sufficient to be protected. Those days are long gone. With the threats present today it is almost guaranteed that your staff and employees are seeing crafty and serious attacks daily, if not hourly, in their normal day-to-day tasks. To protect yourself today, a multitude of security measures need to be in place, and you need to be involved in quite a few of them.
So What Do You Need To Do To Protect Yourself and Your Organization?
First and foremost, let’s get this out in the open and accepted before we go any further: there is no amount of time or money that will COMPLETELY assure that your environment is totally secure and protected. That is a tough pill to swallow for most folks. They want a clean, easy assurance that there is nothing to worry about. Sorry, but you do need to worry, and again, you need to be involved.
Having said that, let’s look at what you should have in place to BEST protect your organization from ransomware, data breaches, and other cyber-security risks.
· Antivirus software – Yes, even though antivirus software is not as effective as it used to be, you still need up-to-date antivirus software installed on every computer (even Macs). But to take a full-fledged approach to security you need a next-generation antivirus that no longer relies only on a static list of definitions or signatures to decide what can or cannot run. A next-generation antivirus bases its decisions on behavior in addition to the static list: which processes run, how often and launched by which applications, how quickly files are being changed or renamed, and how often unusual indicators appear. Really good next-generation solutions go one step further and talk to the firewall, so that when unusual activity is detected the affected machine can be cut off from the rest of the network to limit further damage, and outbound connections to malicious servers used for command and control can be blocked. If you are curious as to how ransomware is spread and how antivirus software is tied in, this is a good resource.
· Firewall – The firewall creates a barrier between the big bad wild Internet and your inside, protected network. In the past it was again based on a static set of rules defined when the firewall was installed. The problem is that, as new threats appear, in quite a few cases the rules are never updated to address them. To better protect your network from attackers coming from the Internet, you want a firewall that adapts and receives security updates automatically, on a schedule, from a central source. The best firewalls also provide the communication we discussed above under antivirus, exchanging information with the endpoints the antivirus protects. These advanced firewalls are also aware of unusual activity: they can inspect incoming traffic for malicious attachments and malicious connections, and adapt automatically as the sources of threats change.
· Backups – EVERY organization needs a comprehensive approach to backing up its data and monitoring that process. You need to be involved in making sure ALL of your data is included in the backup sets and that an appropriate number of versions is kept. Depending on the size and type of the data and the Internet connection you have, the approach may combine several components.
There are two general types of backup: local backups and Cloud backups. A local backup writes the data to a device on your own network, which could be as simple as a USB drive or as complex as a Storage Area Network holding terabytes of data. A Cloud backup writes the data to an offsite, Cloud-hosted storage target, anything from a Dropbox or Google Drive folder to a fail-over Amazon or Azure datacenter.
There are also two sub-types of backup: file-level backups and image-level backups. A file-level backup copies individual files; restoring from it requires a working server and operating system to restore onto. An image-level backup captures everything, operating system included, as an “image of the entire server”, so the whole server can be restored at once to a point in time. Depending on the image backup solution, you may also be able to boot the server image directly on the backup appliance, so that if the physical hardware is lost to failure or natural disaster you can run the server there, at least temporarily, until new hardware arrives.
Two checks belong in any plan, whichever approach you choose: keep at least one copy that a ransomware infection on your network cannot reach (offline, or with retained versions the infected machine cannot delete), and test restores on a schedule, because a backup that has never been restored is an assumption, not a backup. YOU have to be involved in this process. You can no longer just trust your I.T. person or partner to make these decisions in a vacuum.
In addition, what is being backed up should be reviewed at least quarterly, if not monthly, to make sure that new systems or changes are included. One of the most common mistakes with backups is setting up the backup software and never revisiting what is being backed up, only to find out when an emergency occurs that new software was added but never included in the backup set.
· Good Password Policies – Yes, everyone hates passwords. However, until biometrics can secure everything in the technology world, we are going to have to deal with them. You, as the manager or owner of your organization, are the driver of this critical area of security. I.T. managers and partners can implement the policy, but you have to dictate and direct it to your staff, employees, and partners. All too often we see managers and owners as the main roadblock to strong password policies and management. Instead, you need to set the tone that password strength and security are crucial to the livelihood of your organization. This means requiring complex passwords with a mixture of upper- and lower-case letters, special characters, and numbers, and requiring that work passwords not be the same ones employees use for common cloud-based applications and sites. A password manager helps on both counts: it generates complex passwords and makes it obvious when one is being reused. If it helps to motivate you, roughly 80% of hacking-related breaches involve weak, reused or stolen passwords. If you want to truly decrease your password exposure, also implement multi-factor authentication, which requires a time-based code from an authenticator app in addition to the normal username and password; a leaked or reused password alone is then not enough to log in. All of these items are ones that you, as an owner or manager, must take charge of and set the tone for in your organization.
· End-user training – If you were to poll your staff, it would be a safe bet that they are receiving multiple malicious emails that phish for information such as credit card numbers or passwords, or carry links to malicious sites that spread ransomware and other malware. You, as the leader of your organization, also need to set the tone and establish the policy for ongoing monthly and/or weekly training of your staff in recognizing fake and malicious emails and websites. End-user security awareness training can cut the rate at which staff click on malicious links and attachments by as much as 95%. We have an entire post dedicated to End-User Security Awareness Training.
· Security auditing and testing – At least quarterly, if not monthly, have your I.T. person or a cyber-security contractor audit your environment and test it to find the vulnerabilities before the bad guys do. Many organizations skip this because they fear that if vulnerabilities are found, as they inevitably will be, fixing them will mean large expenditures. The fact is, it will be much more expensive if the bad guys find them before you do.
· Monitoring – You should have a process in place to continually monitor the security of your environment. The monitoring and alerting should be tuned to produce relevant, applicable information that can be acted upon. In many cases the thresholds are set too low, too many alerts are issued, and the end result is that they get ignored. The opposite is just as bad: if the threshold is set so high that alerting does not happen until it is too late, it provides no value either.
· Security mindset and culture – This one is big because it drives all the rest of the items. If management and ownership establish a culture in which security is a top priority across all areas of operations, the whole approach to cyber-security becomes much easier. This starts with having process and policy in place that is specific about security, and it extends to physical security as well. Making sure that access to all data and network operations is secured and tracked lays the foundation to build logical security upon.
While cyber-security is a pain and a dry topic to cover, in today’s vulnerable data environments it is imperative to implement it fully and properly. In most cases that will mean adding new processes, policies and procedures, and in many cases new toolsets and software, to your operations. In any scenario it is going to cost you more than what you are paying today. However, by proactively taking part in your cyber-security, you get to control those costs. Conversely, if you leave it to chance, or assume that you have nothing to worry about because your I.T. person says so, and you get a ransomware infection with no plan for recovery, you could be out thousands if not hundreds of thousands of dollars to get back to operational status. If you feel that you are completely secured, or if you are relying solely on your I.T. person or company to protect you without any involvement on your part, we challenge you to put that to the test. Have DaZZee or any other reputable managed security services provider audit your environment and process. It is almost guaranteed that there will be vulnerabilities you are not currently aware of if you have not been hands-on with security for your organization!
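The “time based code” mentioned under Good Password Policies is a TOTP (RFC 6238) code, and the complexity and no-reuse rules are easy to check mechanically. The following is an added example written for this post, not code from the original or from any vendor: it implements HOTP/TOTP from the RFC, verifies a submitted code with a small clock-drift window, and checks a candidate password against the rules above. The base32 secret is the RFC’s own published test secret, and the “previous password” store is a constructed set of SHA-256 digests used only to illustrate the reuse check.

```python
"""Added example (not from the original post): RFC 6238 time-based one-time
passwords, which is what "a time based code" from an authenticator app is,
plus a minimal check of the complexity and no-reuse rules described above."""
import base64
import hashlib
import hmac
import struct
from typing import List, Optional, Set

# The RFC 4226/6238 test secret, base32-encoded the way authenticator apps
# expect it at enrollment. A real secret must be random and per user, and be
# stored server-side with the same care as a password hash.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # == b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the last `digits` decimal digits (zero padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step and up to `window` steps on either
    side to tolerate clock drift. Every candidate is compared with
    compare_digest so neither the comparison nor the loop leaks, via timing,
    which digits or which step matched."""
    current = unix_time // step
    ok = False
    for delta in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(secret, current + delta, digits), submitted)
    return ok


def decode_base32_secret(b32: str) -> bytes:
    """Authenticator apps exchange secrets in base32, usually unpadded."""
    padded = b32.upper() + "=" * (-len(b32) % 8)
    return base64.b32decode(padded)


def password_digest(password: str) -> str:
    """Digest used by the reuse check so old passwords need not be kept in clear.
    (This is for reuse detection only; the live credential store should use a
    slow, salted hash such as bcrypt or Argon2.)"""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_policy_issues(password: str,
                           previous_hashes: Optional[Set[str]] = None) -> List[str]:
    """Return the policy rules a candidate password violates (empty list = OK).
    `previous_hashes` is an assumed, constructed set of password_digest() values
    for passwords the user has used before."""
    issues = []
    if len(password) < 12:
        issues.append("shorter than 12 characters")
    if not any(c.islower() for c in password):
        issues.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        issues.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        issues.append("no digit")
    if not any(not c.isalnum() for c in password):
        issues.append("no special character")
    if previous_hashes and password_digest(password) in previous_hashes:
        issues.append("reused a previous password")
    return issues


if __name__ == "__main__":
    secret = decode_base32_secret(DEMO_SECRET_B32)
    code = totp(secret, 59)  # RFC 6238 test vector: "287082"
    print("code at t=59:", code, "accepted 25s later:", verify_totp(secret, code, 84))
    print("policy issues for 'Winter2024':", password_policy_issues("Winter2024"))
```

The drift window is the practitioner’s knob here: one step either side (90 seconds total) is the usual compromise, since every extra step widens the set of codes an attacker can guess at in a given moment.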
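The behavioral check described under Antivirus software (how quickly files are being changed or renamed by one process) and the threshold-tuning problem described under Monitoring are two halves of the same mechanism. The following is an added example written for this post, not code from the original or from any product: a sliding-window rate rule run over constructed file-activity telemetry (the log format, host names, process names and paths are all made up for the example), followed by a sweep over candidate thresholds that shows a limit set too low flagging a legitimate sync client, one set too high never firing, and one in between catching only the process renaming every document it touches.

```python
"""Added example (not from the original post): the kind of behavioral rule a
"next generation" endpoint product or a SIEM applies, run over constructed
file-activity telemetry, plus a threshold sweep for the tuning step."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Assumed telemetry line format for this example:
# "<ISO-8601 time> <host> <process> <write|rename|delete> <path>"
EVENT_RE = re.compile(r"^(\S+) (\S+) (\S+) (write|rename|delete) (\S+)$")


def _events(host, proc, action, start, count, gap_s, path_fmt):
    """Build `count` constructed telemetry lines, `gap_s` seconds apart."""
    return [
        f"{(start + timedelta(seconds=i * gap_s)).isoformat()} {host} {proc} "
        f"{action} {path_fmt.format(i)}"
        for i in range(count)
    ]


T0 = datetime(2024, 3, 1, 9, 0, 0)
# Constructed sample telemetry, not real logs: a user editing documents, a
# sync client pushing a photo folder, and a process renaming every file it
# touches to a new extension (the classic ransomware tell).
SAMPLE_LINES = sorted(
    _events("ws12", "WINWORD.EXE", "write", T0, 5, 120,
            "C:/Users/amy/Documents/report-{}.docx")
    + _events("ws12", "sync-client.exe", "write", T0 + timedelta(minutes=5), 25, 2,
              "C:/Users/amy/OneDrive/photos/img{:03d}.jpg")
    + _events("ws07", "invoice_viewer.exe", "rename", T0 + timedelta(minutes=12), 40, 1,
              "C:/Users/bob/Documents/file{:03d}.xlsx.locked")
)


def parse_event(line: str) -> Optional[Dict]:
    m = EVENT_RE.match(line)
    if not m:
        return None  # unparsable lines are skipped rather than crashing the pipeline
    ts, host, proc, action, path = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "process": proc,
            "action": action, "path": path}


def detect_bursts(lines: Iterable[str], threshold: int, window_s: int = 60) -> List[Dict]:
    """Sliding-window rate rule per (host, process): raise one alert the first
    time a process touches at least `threshold` files within `window_s`
    seconds. The alert carries the rename count so an analyst can see at a
    glance whether this is bulk editing or bulk renaming."""
    recent = defaultdict(deque)  # (host, process) -> deque of (time, action)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev["host"], ev["process"])
        q = recent[key]
        q.append((ev["ts"], ev["action"]))
        cutoff = ev["ts"] - timedelta(seconds=window_s)
        while q and q[0][0] < cutoff:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"host": key[0], "process": key[1], "count": len(q),
                           "renames": sum(1 for _, a in q if a == "rename"),
                           "at": ev["ts"].isoformat()})
    return alerts


def threshold_sweep(lines: List[str], candidates: Iterable[int]) -> Dict[int, List[str]]:
    """Which processes each candidate threshold would flag: the tuning step
    that decides whether monitoring produces signal or noise."""
    return {t: [a["process"] for a in detect_bursts(lines, t)] for t in candidates}


if __name__ == "__main__":
    for t, procs in threshold_sweep(SAMPLE_LINES, (10, 30, 100)).items():
        print(f"threshold {t:>3}: {procs or 'no alerts'}")
```

On the sample data a threshold of 10 flags both the sync client and the renaming process (noise an analyst will learn to ignore), 100 flags nothing (the alert arrives after the damage is done), and 30 flags only the renaming process. Real tuning is the same exercise with your own baseline: run the rule over a week of normal activity, look at what it would have flagged, and set the threshold just above the busiest legitimate process, then add the rename ratio as a second signal so a slow encryptor that stays under the rate limit is still caught.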