Security continues to be a hot topic according to numerous surveys, as well as reports from analysts who talk to large numbers of end users. The concern is understandable, as the harm done by a data breach can be catastrophic to your business, damaging the public perception of your organization. This can lead to significant financial implications as the public loses trust while your customers, particularly those whose private information is exposed, choose to do business elsewhere.
Breaches can also be damaging to the careers not only of technologists but also of those at the executive level, who are more frequently being held responsible for breaches at their firms. A breach can be a compliance nightmare, potentially leading to a loss of hard-won certifications critical to the ability to do business in certain industries (particularly financial processing and healthcare), and especially with government entities.
With all that in mind, it is worth taking a look at a few elements of your security stance you may wish to analyze.
Physical Security: The more people with access to your facility (employees, contractors, delivery people, etc.), the more you need to pay attention to physical security. A few questions worth asking about access:
- Who can get to an employee’s workstation?
- Do your people log out every time they leave their desk?
- How restricted is access to your onsite data center?
- If your data center is in a colocation facility, how tight is their security?
- How well screened is that contractor or that employee before they are hired?
- Is your staff paying attention to who is roaming around?
- Do they know to address the issue if someone without proper credentials or reason is in an area in
A secure environment, a well-thought-out policy, and effective adherence to it are all important in maintaining physical security. When it comes to adherence to policy, how does reporting of potential issues take place? From a social engineering standpoint, there needs to be a way to quickly bring concerns to the attention of someone in a low-key way that doesn’t make it look like the reporter is “narcing” on a visitor, colleague, or contractor. If reporting is non-confrontational, it is more likely that concerns will be voiced.
Passwords: This is likely an area you’ve harped on before, but are your employees listening? A recent study of over 2 million leaked passwords from hacker sharing sites crowned “123456”, “password”, and “12345678” as the most popular passwords. Sharing this WSJ.com article listing the top 25 with your staff would serve as a good reminder that passwords should be complex, memorable enough that they need not be written down, and changed periodically. Using the same password across multiple sites makes it difficult to protect yourself when one of those sites is compromised. A password “wallet” such as 1Password can help, but consider avoiding solutions that store your passwords in the cloud.
Patching and Updating: A remarkable percentage of organizations ignore patches and updates for software and equipment, and not just the frequent updates of Microsoft products. In recent years Java and Flash have had frequent announcements of flaws that can result in users being significantly compromised, leading to a surge in success for bad actors running ransomware schemes. Along with passwords, this should be a point of emphasis in educating the users on your network.
Explore New Cybersecurity Tools and Outsourced Services: The market of IT security tools and services continues to expand rapidly. Many of these services are cloud-based, which can help you stay one step ahead of the hackers. Outsourcing your security requires a significant level of trust in a consultant or other outside vendor, and they should be screened thoroughly. But for many smaller organizations, an outside expert might make more sense than hiring the same skill set and knowledge base as an employee.
Adopting a Security Framework or Standard: Government regulation or industry compliance standards may already have required you to adhere to a security framework or standard. But even if you are not in a regulated industry, adherence to a security standard is a sensible way to buttress your data security. Risk-based security frameworks like the ISO 27000 series, NIST, HIPAA, PCI DSS and similar standards both institute a sensible and complete set of requirements (or in some cases, expectations) and allow for collaboration outside your organization to improve your security stance.
PCI DSS is sensible for security-conscious organizations, even for a business that doesn’t process credit cards. It is tiered (A, B, C, D levels), and the practices called for are very well defined and rooted in good security fundamentals. But whatever you choose, the basic building blocks of most security standards overlap significantly, so if future opportunities require you to expand your compliance standards and achieve various industry certifications, you’ll be better positioned to do so.
This is far from a complete “to do” list for your security. But these are basic areas that can be the source of a lot of breaches of both logical and physical security.