To paraphrase Charles Dickens, it is the best of times and it is the worst of times for cyber security. The bad news is that cyber attacks are on the rise, and the potential loss of your corporate intellectual property (IP) and personal identity is greater than ever. The good news is that by using cloud technology, and configuring it appropriately, you can protect your business and yourself more easily than ever. In this blog I’ll give a few simple things you can do to help you sleep better at night.
It’s important to take a four-pronged approach to securing your data and your online identity. The four components of such an approach are physical security, technology, process and people:
Physical security: A must-have first step
Physical security is a combination of locks, keys, biometric scanners and environmental controls. These measures protect your servers from break-ins, fires, floods and similar disasters that have the potential to wipe out your servers and data completely. Beefing up your own physical security is expensive, especially if you do it well, so the best move for most businesses is to hand the responsibility to dedicated professionals.
- Move your on-premises servers to a hosted facility that provides the physical security for you, or move your workloads to cloud infrastructure and entrust the data center to providers such as Google, Microsoft or Amazon. This transfers only the physical layer: the access controls, configuration and backups of what you put there remain your responsibility.
Technology: The groundwork for everything
From a technology standpoint there are a number of straightforward things you can do, on both the business and the personal side, to protect yourself:
- Don’t store any data locally. I’m sure you guessed it from my bias, but doing all your work through a browser protects you from data loss when your computer is stolen and from malware that spreads through client-side applications. The sobering news for some is that you are now trusting the protection of your data to a SaaS company. To be confident in the SaaS company you choose, vet its infrastructure and security policies. These policies should be publicly posted and readily accessible; if they are not, buyer beware! Browsers still cache pages and download files, so keep full-disk encryption turned on for the laptop itself.
- Use complex passwords. Our recommendation is at least 8 characters, with at least one upper-case and one lower-case letter, one number and one symbol (such as ‘!’, ‘#’ or ‘$’). Treat 8 as a floor: length and uniqueness matter more than symbol mixing, so a long, unique password for every site, stored in a password manager, beats a short ‘complex’ password reused across sites.
- Along with complex passwords, use a single sign-on (SSO) solution. SSO centralizes authentication, so one system controls who can log in to all your applications; paired with automated provisioning and deprovisioning, it also lets you grant and revoke access to those applications from one place.
- Always ensure your data is encrypted both at rest and in transit. ‘https’ or a lock symbol in your browser’s address bar confirms only the in-transit half; for encryption at rest you have to check the provider’s documentation or contract, because the browser cannot see it.
- Use a data loss prevention (DLP) tool that lets your business classify information and create appropriate sharing policies, so that specific categories of information are proactively blocked from being shared outside the organization.
- Ensure all your applications support 2-Step Verification (2SV), and turn it on. 2SV means you authenticate with two factors, usually something you know and something you have, such as a password plus a code from your cell phone. Codes from an authenticator app or a hardware key are stronger than codes sent by SMS, which can be intercepted or redirected through the carrier. Enabling 2SV may be the simplest and most effective thing you can do to protect your data.
Process: The low hanging fruit
From a process standpoint, there are some immediate actions you can implement fairly painlessly:
- Have a bulletproof off-boarding procedure that revokes access to all of your systems immediately when someone leaves your organization. Start by inventorying your systems and keeping track of who has access to which. It is easiest to do this by role, so that you know what systems each role needs and can derive a person’s access from their role. Tools that automate provisioning and deprovisioning workflows now exist and are often the best way to go.
- Develop an InfoSec policy and place it in your employee handbook. It doesn’t have to run to volumes, but it should at minimum include sections on appropriate use of technology, privacy of data and expected behavior.
- Train people during on-boarding, and periodically through refresher courses, on the appropriate use of your company’s technology.
- Review the logs and activity reports of your current tools and systems. Ensure that these reports are easily accessible and understandable, and that someone is responsible for reading them on a schedule.
- Work with a trusted partner that can give you independent reviews and advice on how you’re doing and where there is room for improvement.
- Don’t allow the use of external flash drives.
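The role-based inventory behind the off-boarding item and the log review item above can be turned into a small script, which the following added example does (it is not code from the original post or from any tool it mentions). The roles, staff list, system account lists and audit log lines are all constructed sample data; the functions compare what each system reports against what each person’s role justifies, revoke a departed user everywhere, and flag log events from accounts that should no longer be active.

```python
"""Role-based access inventory, off-boarding diff and log review.

Added example; all data below is constructed, not from any real organization.
"""
import re

# Which systems each role needs (constructed)
ROLE_SYSTEMS = {
    "sales":    {"sso", "email", "crm"},
    "engineer": {"sso", "email", "git", "cloud-console"},
    "finance":  {"sso", "email", "erp"},
}

# Current staff and their roles (constructed)
EMPLOYEES = {
    "alice": {"engineer"},
    "bob":   {"sales"},
    "carol": {"finance", "sales"},
}

# Accounts each system reports as active (constructed); 'dave' left last month
SYSTEM_ACCOUNTS = {
    "sso":           {"alice", "bob", "carol", "dave"},
    "email":         {"alice", "bob", "carol", "dave"},
    "crm":           {"bob", "carol", "dave"},
    "git":           {"alice", "bob"},        # bob's role does not justify git
    "cloud-console": {"alice"},
    "erp":           {"carol"},
}

# Constructed audit log lines: "<timestamp> <system> <event> user=<u> src=<ip>"
AUDIT_LOG = [
    "2016-07-14T08:02:11Z sso login user=alice src=10.0.0.5",
    "2016-07-14T08:40:03Z git push user=bob src=10.0.0.7",
    "2016-07-14T09:15:40Z crm login user=dave src=203.0.113.9",
    "2016-07-14T09:20:12Z erp login user=carol src=10.0.0.9",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<system>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def expected_access(employees=EMPLOYEES, role_systems=ROLE_SYSTEMS):
    """Map each current employee to the systems their roles entitle them to."""
    return {user: set().union(*(role_systems[r] for r in roles)) for user, roles in employees.items()}


def access_review(employees=EMPLOYEES, role_systems=ROLE_SYSTEMS, system_accounts=SYSTEM_ACCOUNTS):
    """Compare what systems report against what roles justify.

    Returns sorted (finding, system, user) tuples:
      orphaned - account belongs to nobody on the staff list (a missed off-boarding)
      excess   - a current employee holds access their roles do not justify
      missing  - a role requires a system where the employee has no account
    """
    expected = expected_access(employees, role_systems)
    findings = set()
    for system, accounts in system_accounts.items():
        for user in accounts:
            if user not in expected:
                findings.add(("orphaned", system, user))
            elif system not in expected[user]:
                findings.add(("excess", system, user))
    for user, systems in expected.items():
        for system in systems:
            if user not in system_accounts.get(system, set()):
                findings.add(("missing", system, user))
    return sorted(findings)


def offboard(user, employees, system_accounts):
    """Revoke `user` everywhere, driven by what the systems report, not by the staff list.

    Mutates the dicts passed in (here in-memory copies; in practice each removal is
    an API call to that system). Returns the sorted systems where an account was revoked.
    """
    employees.pop(user, None)
    revoked = sorted(s for s, accounts in system_accounts.items() if user in accounts)
    for s in revoked:
        system_accounts[s].discard(user)
    return revoked


def review_log(lines=AUDIT_LOG, employees=EMPLOYEES, role_systems=ROLE_SYSTEMS):
    """Flag events by accounts that should not be active or acting outside their role.

    Returns (reason, timestamp, system, user) tuples. Unparseable lines are flagged
    too, since a log you cannot read is a log you are not reviewing.
    """
    expected = expected_access(employees, role_systems)
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            flagged.append(("unparsed", line, "", ""))
        elif m["user"] not in expected:
            flagged.append(("departed-account", m["ts"], m["system"], m["user"]))
        elif m["system"] not in expected[m["user"]]:
            flagged.append(("outside-role", m["ts"], m["system"], m["user"]))
    return flagged


if __name__ == "__main__":
    for f in access_review():
        print("REVIEW", *f)
    for f in review_log():
        print("LOG", *f)
    staff = dict(EMPLOYEES)
    accounts = {s: set(a) for s, a in SYSTEM_ACCOUNTS.items()}
    print("revoked for dave:", offboard("dave", staff, accounts))
    print("findings after off-boarding:", access_review(staff, ROLE_SYSTEMS, accounts))
```

Two design points carry over to real tooling: off-boarding walks the systems’ own account lists rather than the HR roster, because the roster is exactly what is wrong when someone was never removed; and the log review reuses the same role map, so an ‘excess’ finding in the access review and an ‘outside-role’ event in the log point at the same root cause.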
People: The key to it all
The most important component, and the hardest to control, is the people aspect. Social engineering is the biggest threat and the hardest to control with regard to security. Here are a few things that can help:
- Vet your people with a simple background check.
- Train them regularly on your Infosec policy.
- Monitor behavior via logs and reports for suspicious activity.
- Use management as an extra set of eyes.
No security system is fool-proof, so it's always a good idea to mitigate your business’s financial risk from a security breach. One of the best methods for mitigating this risk is to work with your insurance broker and get the appropriate level of cyber-security insurance that can protect you financially against a data breach.
Need to get connected?
We’re excited to be working with Microsoft, Spanning Backup (an EMC Company) and Victor O. Schinnerer & Co. (a leading underwriting manager) to deliver the ultimate cyber-security solution to companies like yours. Coming together with Cloudbakers, these industry leaders are providing a hand-built security solution that covers the above checklist and much, much more.
Originally published on July 14, 2016