By Dr. Daniel Ostergaard
A successful cybersecurity program should be integrated into all aspects of firm security. The first secretary of Homeland Security, Tom Ridge, used to say, “We have to be right a billion-plus times a year…and the terrorists only have to be right once.” Whether terrorists, Mother Nature, or a 13-year-old hacker trying to impress her friends, there is a seemingly infinite number of threats challenging our cybersecurity efforts every day. Nevertheless, there are many actions firms can take to protect their networks and, thus, their very livelihood. Five simple steps include awareness, encryption, data retention policies, network segmentation, and enterprise mobility management.
AWARENESS
The first step every one of us should take is awareness. Simply, do not be intimidated by technology and the emerging terminology. If the strongest chain must rely on its weakest link, business leaders owe it to themselves to learn the basics of cybersecurity. While “awareness” seems obvious, terms like enterprise resource management, the cloud, and legacy systems have joined the lexicon of 21st century business. Not only do these terms mean something; decisions made about them may have long-lasting impacts on the overall viability of your firm.
ENCRYPTION
The next step we must consider is encryption. Whether your smart phone, tablet, computer, or server, nearly all modern ‘devices’ have an option for encrypting sensitive data within local storage. Ensuring that the data you are carrying around is encrypted is a simple fix to a major problem – that is, having your sensitive data fall into the wrong hands.
Beyond local storage, however, encrypted communications can be a bit trickier, but are just as important. After all, we can all lock our important papers in a safe deposit box at our local bank, but secure transmission of these papers to our clients can be a real challenge.
New (and often free) services have sprung up recently to solve such transmission problems. Several downloadable apps now offer individuals and businesses highly secure instant messaging (IM) and Voice over Internet Protocol (VoIP) solutions, and a Swiss-hosted service offers secure email. Likewise, emerging companies are offering near “bulletproof” storage. These emerging systems work on a “zero-knowledge” premise (unlike their bigger competitors), meaning that only you, and not even the hosting company, can access your information. To return to the safe deposit box analogy, if a robber broke into the bank, they could breach the vault but not open your box, because the bank does not even have the key. Therefore, even if a cloud system is compromised, your data remains safe (unlike with most of our larger “free” email providers).
DATA RETENTION POLICIES
According to Jacob Dustan, a South Carolina cybersecurity expert, “We quickly become digital hoarders, amassing huge stockpiles of personal information within walled gardens protected only by a password and [in some cases] a text message (if we are even dedicated enough to suffer entering a code every time we log into free internet email account).” As the three billion hacked Yahoo accounts demonstrated, when a hacker gets into most systems, they can see everything – ranging from your grandma’s favorite cute cat videos to your bank’s “I forgot my password” login reset emails.
The solution? Immediately set strict, appropriate, and legally compliant data retention policies. Unless the law requires you to keep a message or you REALLY think you will need it later, press <delete> as soon as is prudent. Purge those old emails from 2006. Those old emails are the equivalent of moldy bank statements in the garage. Securely “shred” the data permanently and enjoy both more available storage and peace of mind.
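The retention rule just described (delete unless the law requires keeping it or you genuinely need it later, with an active legal hold always winning) as an added worked example; this is not code from the article, and the policy periods, message categories and mailbox entries are constructed sample values, not legal advice:

```python
from datetime import date

# Constructed retention policy per message category (sample values, not legal advice):
# min_days = how long the law or regulator obliges you to keep the record,
# max_days = the longest a user's "keep" flag may extend retention beyond that.
POLICY = {
    "financial": {"min_days": 7 * 365, "max_days": 10 * 365},
    "general":   {"min_days": 0,       "max_days": 5 * 365},
}

# Constructed sample mailbox metadata; no real messages involved.
SAMPLE_MAILBOX = [
    {"id": "m1", "category": "general",   "received": date(2006, 3, 14), "legal_hold": False, "keep": False},
    {"id": "m2", "category": "financial", "received": date(2006, 9, 1),  "legal_hold": True,  "keep": False},
    {"id": "m3", "category": "general",   "received": date(2021, 6, 30), "legal_hold": False, "keep": True},
    {"id": "m4", "category": "financial", "received": date(2023, 1, 10), "legal_hold": False, "keep": False},
    {"id": "m5", "category": "general",   "received": date(2022, 11, 1), "legal_hold": False, "keep": False},
]
REVIEW_DATE = date(2024, 1, 1)  # constructed "today" so the run is reproducible

def retention_review(messages, today=REVIEW_DATE, policy=POLICY):
    """Decide, per message, whether it is purged or retained and why.

    Precedence: an active legal hold always wins, then the legal minimum,
    then a user's keep flag (capped at max_days), otherwise purge.
    """
    decisions = {}
    for m in messages:
        age_days = (today - m["received"]).days
        rule = policy[m["category"]]
        if m["legal_hold"]:
            decisions[m["id"]] = "retain: legal hold"
        elif age_days < rule["min_days"]:
            decisions[m["id"]] = "retain: legally required"
        elif m["keep"] and age_days < rule["max_days"]:
            decisions[m["id"]] = "retain: user keep flag"
        else:
            decisions[m["id"]] = "purge"
    return decisions

def purge_list(messages, today=REVIEW_DATE, policy=POLICY):
    """IDs to hand to the secure-deletion job, oldest first."""
    decisions = retention_review(messages, today, policy)
    doomed = [m for m in messages if decisions[m["id"]] == "purge"]
    return [m["id"] for m in sorted(doomed, key=lambda m: m["received"])]

if __name__ == "__main__":
    for mid, verdict in retention_review(SAMPLE_MAILBOX).items():
        print(mid, verdict)
```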
NETWORK SEGMENTATION
Networks should be built like citadels – investments need to be prioritized based on a function’s importance to the business. Mission-critical data and systems go in the heart of the fortress, while ancillary functions reside behind weaker defenses on the perimeter. Unfortunately, when a siege occurs, the serfs are the first to go…but they can alert the emperor’s guard to prepare for the real battle.
Proper permissioning can greatly increase the effectiveness of such defenses. For example, the average employee does not have access to your company’s banking information. Why should your network be any different? Perform regular access reviews and ensure that employees only have privileges to access the systems absolutely necessary to perform their job function. After all, nothing good ever comes from a disgruntled employee poking around in the dark corners of one’s network. The same principle applies to data: see the section on data retention policies above.
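An access review of the kind recommended here, combined with the citadel tiers from the previous paragraph, as an added example (not the article's own code): each user's current grants are compared against the baseline their role needs, and every excess grant is reported with core systems first. Role baselines, system tiers and the employee list are constructed sample data.

```python
# Constructed role baselines: the systems each job function actually needs.
ROLE_BASELINE = {
    "accountant": {"erp", "bank-portal", "email"},
    "sales":      {"crm", "email"},
    "intern":     {"wiki", "email"},
}

# Constructed segmentation tiers: "core" is the heart of the citadel,
# "perimeter" the outer wall. Lower rank = more sensitive = review first.
SYSTEM_TIER = {
    "bank-portal": "core", "erp": "core",
    "crm": "internal",
    "email": "perimeter", "wiki": "perimeter",
}
TIER_RANK = {"core": 0, "internal": 1, "perimeter": 2}

# Constructed sample of current grants, as an access-control export might list them.
EMPLOYEES = [
    {"user": "alice", "role": "sales",      "grants": {"crm", "email", "bank-portal"}},
    {"user": "bob",   "role": "accountant", "grants": {"erp", "bank-portal", "email"}},
    {"user": "carol", "role": "intern",     "grants": {"wiki", "email", "erp", "crm"}},
    {"user": "dave",  "role": "contractor", "grants": {"crm"}},  # role has no baseline
]

def access_review(employees, baseline=ROLE_BASELINE, tiers=SYSTEM_TIER):
    """Return one finding per grant that exceeds the user's role baseline.

    A role with no baseline gets every grant flagged: the reviewer must first
    confirm the account should exist at all. Findings are ordered by tier so
    the most sensitive systems are corrected first.
    """
    findings = []
    for e in employees:
        needed = baseline.get(e["role"])
        if needed is None:
            excess, reason = set(e["grants"]), "no baseline for role"
        else:
            excess, reason = e["grants"] - needed, "exceeds role baseline"
        for system in excess:
            findings.append({"user": e["user"], "system": system,
                             "tier": tiers[system], "reason": reason})
    findings.sort(key=lambda f: (TIER_RANK[f["tier"]], f["user"], f["system"]))
    return findings

def revocations_by_user(findings):
    """Group the systems to revoke per user, ready for the ticket to the admins."""
    out = {}
    for f in findings:
        out.setdefault(f["user"], set()).add(f["system"])
    return out
```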
ENTERPRISE MOBILITY MANAGEMENT
Mobile devices are gateways into a firm’s network and should therefore be secured as one would a laptop endpoint. You cannot rely on internet service providers alone to protect your network. Take basic steps to increase security by enforcing certain rules for mobile devices, containerizing apps connected to corporate systems (putting them in their own walled gardens to prevent data leaks), or simply denying mobile access for those employees without a valid need to check email 24/7.
If you routinely deal with sensitive information, it might be time to make employees carry work-dedicated devices. Separate devices may be inconvenient but may also be one of the few ways to ensure endpoints are totally secure. At a minimum, key managers and employees with mobile access to sensitive data should be considered for this option.
Finally, just be smart and use common sense. Do not allow downloads of sketchy apps or files, keep a tight grip on who has access to your network, install an advanced antivirus/anti-malware solution, and replace that old first-generation router in the basement that still has ADMIN as its password.
An integrated cybersecurity solution is only as strong as its weakest link. We may not be able to stop every threat, but we can surely do more to ensure that our weakest link is not indecision or lazy policies.
(Note: Mention of specific companies is not intended as a specific endorsement or criticism but rather as illustrative examples.)