Cybersecurity is on everyone's mind, but it can be difficult for businesses to sift through the thousands of options for data and network security. Many clients tell me they're concerned about it, but they're not sure where to start. So I went to the experts - TekLinks' Cybersecurity Consulting team leads Nick Van Gilder and Will Enochs - for help.
Step 1: The Crown Jewels
Nick and Will have years of experience performing penetration testing and securing networks for billion-dollar organizations. Their suggestion for a first step - and the most important - is for a company to think about what they need to be protecting. Consider what is the most important information. We'll call this the "crown jewels" of a business.
"Most folks understand that credit card numbers and social security numbers are valuable and should be protected," said Nick, "but what about intellectual property such as confidential designs or engineering ideas, customer lists, business leads, research and development, competitive information? Ask yourself, 'If an intruder were to enter my network, what would they be after?' "
Step 2: Where do they live?
A business' crown jewels should be treated the way you treat your most important possessions in your home. You know exactly what they are, and you put some thought into where to keep them.
Which brings us to step 2: Find out where the crown jewels reside (within software programs, on desktops, on servers, in the cloud, etc.) and plan your security strategy around protecting those places where your most important data lives. This sounds easy, but it takes some time and energy to thoroughly evaluate and inventory your crown jewels.
Nick and Will say that sometimes you'll find surprises such as:
- Healthcare organizations know they have valuable data in their EMR system (electronic medical records), but may not realize that these records are also often in scan folders on desktops, as employees are sending the records as part of their jobs. If an intruder is trying to break into a system, they're not likely going to try to get into the EMR, which is sophisticated and buttoned-up. They're going after the scan folders, which are easy to access and usually neglected from a security standpoint.
- Call centers take phone calls that are recorded for quality assurance and often contain sensitive information. Most companies give much less thought to storing their historical audio recordings than they do to sending the data gathered to a final database.
- A Network Attached Storage (NAS) or other network-connected hard drive is used to store backups of servers or databases. Aside from the consumer class of these devices being notoriously vulnerable, they often have many unneeded features and protocols enabled by default to create a “plug and play” user experience. These features and protocols contribute negatively to the overall security of the devices.
- A business decides to implement multiple security cameras, which are marketed as easy to install and configure because of default settings. These settings include standardized user names and passwords. That means intruders can fairly easily hack into cameras individually and quickly gain access to all the cameras on a network.
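A first pass at the Step 2 inventory can be automated. The sketch below is an added example, not code from TekLinks: it walks a folder tree (such as a desktop scan folder) and counts likely Social Security and credit card numbers per file, reporting counts only so the report itself never contains the sensitive values. The patterns, the 1 MB read limit and the sample files are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumed patterns: dashed US SSNs and 13-16 digit card numbers (spaces/dashes allowed).
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: rejects most digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(text):
    """Count likely SSNs and Luhn-valid card numbers; the values are never returned."""
    cards = sum(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text))
    return {"ssn": len(SSN_RE.findall(text)), "card": cards}

def inventory(root, max_bytes=1_000_000):
    """Walk root and return {relative_path: counts} for files with at least one hit."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    counts = scan_text(fh.read(max_bytes))
            except OSError:
                continue  # unreadable file: skip it rather than abort the inventory
            if any(counts.values()):
                hits[os.path.relpath(path, root)] = counts
    return hits

if __name__ == "__main__":
    # Constructed sample tree: a specimen SSN, a standard test card number, a non-card number.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Desktop", "scans"))
        with open(os.path.join(root, "Desktop", "scans", "intake.txt"), "w") as fh:
            fh.write("Patient SSN: 078-05-1120\nCard on file: 4111 1111 1111 1111\n")
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("Order 1234 5678 9012 3456 shipped\n")
        for path, counts in sorted(inventory(root).items()):
            print(path, counts)
```

Text patterns will not find data inside scanned images or audio recordings, so those locations still need to be inventoried by hand.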
Now that you've taken the time to discover where your most important data lives, you should also consider consolidating those places. "For example," says Will, "if a company has many remote employees using different portals and doors for entry to the network, a better solution may be to put all those portals behind one strongly-protected door that's monitored (think Citrix, VMware VDI or Microsoft RDS) to create fewer points of entry and exit."
Sometimes companies with many locations will connect the networks of all the locations back to a central location and out to one firewall (protection from the Internet). Nick and Will say this can be a more expensive set-up, but is usually a net gain for security because it reduces the number of entry points into the network.
Step 3: That One Feature
Step three is the one security feature that makes sense for every single business today: multi-factor authentication. While it won't solve all the security problems of the world, it will help verify that users are who they say they are by requiring an additional factor (such as a token in their possession) for authentication. "This means simple or stolen passwords won’t allow entry into a network -- and more than 80% of intruders use passwords to get in," says Will. "Implement multi-factor for every path that leads to the crown jewels, giving yourself two layers of authentication."
Will points out that many applications your business may already be using include multi-factor, but it's turned off in default settings (Office 365 is one of them). Businesses could consider using a solution from Duo (it's a popular multi-factor authentication app and fairly easy to implement).
"Once you've spent time and money on implementing multi-factor, be sure to use it," emphasizes Nick. "Don't allow employees to disable it (they will for the sake of convenience) and plan for a little manpower to manage access."
If you're looking for more tips and info on securing your small to medium business, message me at firstname.lastname@example.org
And be sure to check out Nick and Will's Cybersecurity Consulting Group at TekLinks.com.