- August 11, 2017
- Posted by: Normand Brien
- Category: Information Security
Small to medium-sized businesses are struggling to reduce the complexity of cyber security management while maintaining defenses against a growing threat landscape. Companies traditionally have layered multiple security technologies to bolster their security posture, but technology alone can’t keep up with recognizing and stopping emerging threats. Cyber security is now a corporate business continuity concern and should be a line-item in a recovery plan or policy.
Many smaller organizations are increasingly the targets of cyber attacks, and operate in highly regulated industries, driving a compelling need to protect assets, client information and intellectual property. The hacking nonsense still continues in 2017 and is becoming more aggressive.
The point? Our thinking styles and online habits about information security have to change, again! After all “humans are the weakest link”. If you haven’t experienced a breach, you are very fortunate. But just because you have excellent barriers to intrusion, most breaches occur because of lax internal controls.
Here are 4 effective methods that assure the front and back doors remain “locked”:
Create a security culture in your organization:
CEO Chris Romeo of Security Journey details an approach to developing and living a security culture that is suitable for personal and business use. In this post, Mr. Romeo provides four defining features about “how things are done around here” vs “how things should be done around here”. Because this is the human element, changing culture can take years of commitment. Believing in and acting upon a company’s mission and vision to safeguard corporate data will require executive and departmental leadership.
Develop an information security posture:
Endorse strategies, and at the same time enforce policies and procedures that protect proprietary business and customer information. Strikingly, businesses are heavily investing in hardware and software security solutions, but it’s not enough. Regardless of the business vertical you operate in, compliance requirements define regulations surrounding access controls. Business stakeholders should welcome frequent financial and technology audits to be sure that you are adhering to these approved policies and that you modify procedures during these rapidly changing times.
Using these governance tactics within any business vertical gives you the advantage when addressing a purposeful data security plan. Part of the security strategy should also include the hiring of first rate, certified professionals. Their mission is to keep pace with the ever change threat landscape and implement solutions that provide a high level of insurance to the organization.
Employee education and security awareness:
The constant attempts to hack are normally associated with malware, ransomware, phishing, vishing and all their variants will not dissipate, they’ll just get more savvy and aggressive. In your design of the security posture, sustained education on the current security threats and solutions should coincide with repetitive, aggressive training. The program must include simulation testing of employees to ensure they understand the potential ways “cyber-bullies” can damage personal or corporate information.
When building a training program or model, consider these points:
Your program should continually improve and adapt, as your risks and threat vectors change constantly. By nature of the effort and expense made, maximize results by reviewing and modifying the content to key risk areas on a continual basis.
Associate training and testing with corporate policies and procedures. Because the employee is the last line of defense, an employee can take the training and reinforce the training can be redirected to the corresponding policy or procedure as a reminder.
Use a reputable training program solution – Just in the last couple of years, security vendors had added training programs to their portfolio and not all of them are created equal. These providers have similar features and functions, some are quite expensive. Develop your own criteria and ask questions.
Passphrases, Passwords and Two-factor authentication
Stepping it up – all three of the methods mentioned above are extremely important. However, this particular aspect of information security is where the “rubber meets the road”. Unless we instill a habit of changing “passwords” frequently, then we should just leave the front and back doors unlocked. Whether we take on the responsibility ourselves or ensure applications and system administrators enforce the practices, hackers will easily decrypt systems using sophisticated software tools.
Understanding most websites require passwords, they often will set guidelines about a length and use of special characters. Others, like some financial institutions, give you the ability to create your own.
However, there are several philosophical issues about using passwords:
People just don’t want to be bothered about changing “passwords”, period;
Employees should be forced to follow policy and procedural requirements about password safety;
Employees will consistently use simple signons, placing them on sticky notes where visible to any fleeting eye;
It’s a fact people use the same password for all of the online experience.
It’s a fact: people will not change their online habits until their own personal data is compromised. Why wait? When it comes to cyber-security, procrastination is dangerous. It’s time to raise our awareness about how we protect our systems and online experience. Remember that regardless of what you use for signing in, hackers will find a way to intrude. The idea is to make it as difficult as possible through frequency and the complexity of your password.
Use techniques such as passphrases – in this shared article, Password Dragon explains some of the benefits of using passphrases over passwords. While there you’ll learn (through the comments) the pros and cons of using passphrases.
Have you used password or passphrase generators? You can use passphrase creators such this complex solution or a password generator that you can customize to meet your needs. These types of access controls, though not always perfect, give you a chance to make it that more challenging to the criminal.
When using these generators, you have the options to make as your entries as complicated and lengthy as you need to; just remember to write them down in a discreet location.
Two-factor authentication (2FA), explained here by CNET, is used by many financial institutions (credit cards, banking, Social Security) and social media giants. Some would consider this as another inconvenience, but it does add one more layer of security. It allows an online provider to send you SMS (text) access codes to your iPhone or email that you then enter/reply.
Another handy “tech tip” about passwords or passphrases – use productivity tools (Word, Excel, etc.) to log and categorize all your passwords in a secured file. Keep it on the desktop hidden by using these tips for Mac and Windows systems. Refresh this file at least every month or so.
Sadly any one of these control points discussed here is not fool proof. Cyber-bullies are an inventive bunch, always on the offense. As consumers of technology, we must go on the offense to protect what information comes in and out of our home or organization. The more we become aware of the seriousness and harm that malware brings, it will be up to us to make intrusion efforts more difficult to happen. Malwarebytes summarizes the importance of protecting your information; and while you may not need 27 different passwords, the idea is to use a variety of solutions, standards, and practices that keep the front and back door of your organization vaulted.
Norm Brien, IT Channel Lead for Concentric Business Solutions, LLC is an independent consultant that provides technology insights to consumers and organizations. Connect with Norm on Twitter, LinkedIn, and Google+