by Matt Thompson, Infrastructure Consultant at UKN Group
Every day, businesses, government agencies, schools, charities, hospitals and thousands of other organisations are attacked through the Internet. Cyber criminals are relentless, often supported by criminal organisations, even foreign powers and countless automated bots probing for security weaknesses.
From well-known consumer brands to small businesses and political organisations in countries across the world, cybercrime presents a real and present danger to millions of people. Small businesses are in just as much danger as consumer brands (Wonga, TalkTalk, Yahoo, etc.), except the majority of those cases go unreported.
In recent years, IT security has started dealing with threats from dozens of new directions, as a consequence of new technology trends. Hackers can reach your organisation through dozens of new devices, from the Internet of Things (IoT) to poorly secured employee and contractor phones, tablets and laptops. Under the Bring Your Own Device (BYOD) movement, employees are just as likely to use their own devices as one owned by an employer, resulting in numerous new avenues into an organisation that could seriously undermine security and data compliance.
Assuming you want to avoid suffering an embarrassing and potentially costly data breach, you need to consider the security implications of connected devices – from fridges to vending machines (the IoT) and employee devices. How can you secure them? What about 3rd party providers, such as business telephony, IT support, and professional services? Are your providers’ cyber security and data protection policies aligned with yours?
Here are a few things you need to think about.
#1: Do you have an IT security policy in place?
And if so, does it already cover the use of employee and contractor devices, either on-site or when accessing secure documents or your network? If not, now is the time to make sure it is updated.
Remember, even if your on-site network is secure, these devices wander across other public networks, taking your documents and email with them. Assume some of these networks are compromised or could pose a serious security risk. Acting on that assumption is safer than thinking your employees' devices aren't a threat to your security integrity.
Refresh your IT security policy. Assume there are weaknesses and design a strategy to counter them.
#2: Password protect internal files
Legacy technology and systems are designed to keep internal documents on-site and safe. Unfortunately, fast-moving consumer habits and outdated IT policies are proving that legacy technology is the enemy of productivity. Staff and contractors want to work around the clock.
Consequently, they are moving and sharing documents and files into third-party services, such as Dropbox, Box, Google Drive and other cloud-based software solutions. On the whole, these are fairly secure. But they are high profile. They pose an attractive and lucrative challenge to cybercriminals, which means that for every pound these providers invest in security, criminals invest considerable effort in cracking their systems. It is a technical arms race between Silicon Valley and the world's smartest cybersecurity experts on one side, and the criminals who badly want to steal your data on the other.
Work on the assumption that staff are moving documents into their own folders, through email and direct transfers. Set up a system which protects documents, using passwords and an accountability process, to ensure that only those with a high-security clearance can approve the transfer of a document.
#3: Introduce encryption
Encryption provides another layer of security. There are dozens of potential solutions for secure file transfers, some incorporating two-factor authentication, biometric security and the blockchain.
For peace of mind, make sure the policy for remote access to files requires a secure VPN, i.e. an encrypted SSL/TLS or IPsec connection. It is the only way to avoid employees transmitting files across a potentially insecure or already compromised Internet connection or public Wi-Fi hotspot. Take extra care to enforce this policy for staff who regularly go on the road or attend conferences, such as the field sales team.
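As a concrete illustration of what sections #2 and #3 ask for (password-protected internal files and encryption), here is an added example, written for this article and not code from UKN Group or any product it recommends. It derives an AES-256 key from a password with PBKDF2-HMAC-SHA-256 (implemented from RFC 8018 using only the Go standard library), then protects the file with AES-GCM so that a wrong password or a tampered file is rejected rather than silently yielding garbage. The iteration count, sample document text and password are constructed for the example; the `Encrypt`/`Decrypt` function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16     // random per-file salt so equal passwords give different keys
	keyLen     = 32     // 32 bytes selects AES-256
	iterations = 100000 // PBKDF2 work factor (constructed for the example; tune to your hardware)
)

// pbkdf2SHA256 implements PBKDF2 (RFC 8018) with HMAC-SHA-256.
// Each output block T_i = U_1 xor U_2 xor ... xor U_c, where
// U_1 = PRF(password, salt || INT(i)) and U_j = PRF(password, U_{j-1}).
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (dkLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)
	var idx [4]byte
	for block := 1; block <= numBlocks; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := make([]byte, hashLen)
		copy(t, u)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// Encrypt returns salt || nonce || ciphertext || GCM tag. The salt and nonce
// are passed as additional authenticated data so they cannot be swapped undetected.
func Encrypt(password string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := make([]byte, 0, saltLen+len(nonce))
	header = append(header, salt...)
	header = append(header, nonce...)
	return append(header, aead.Seal(nil, nonce, plaintext, header)...), nil
}

// Decrypt reverses Encrypt. A wrong password or any modified byte fails the GCM
// tag check, so the caller never receives corrupted or attacker-modified content.
func Decrypt(password string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, errors.New("file too short to contain a salt")
	}
	salt := blob[:saltLen]
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < saltLen+ns+aead.Overhead() {
		return nil, errors.New("file too short to contain nonce and tag")
	}
	header := blob[:saltLen+ns]
	plaintext, err := aead.Open(nil, header[saltLen:], blob[saltLen+ns:], header)
	if err != nil {
		return nil, errors.New("wrong password or file has been tampered with")
	}
	return plaintext, nil
}

func main() {
	// Constructed sample document and password for demonstration only.
	doc := []byte("Q3 board pack - INTERNAL - do not forward")
	blob, err := Encrypt("correct horse battery staple", doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted %d bytes into %d bytes\n", len(doc), len(blob))
	if _, err := Decrypt("password123", blob); err != nil {
		fmt.Println("wrong password:", err)
	}
	blob[len(blob)-1] ^= 0x01 // simulate one flipped byte in transit
	if _, err := Decrypt("correct horse battery staple", blob); err != nil {
		fmt.Println("tampered file:", err)
	}
}
```

The design point is that a password on its own only restricts who can open the file; combining a slow key derivation with authenticated encryption also makes the protected file useless to anyone who copies it off a lost laptop or intercepts it on public Wi-Fi, and detects modification. In a real deployment you would use a reviewed library rather than a hand-written PBKDF2, and a memory-hard KDF such as scrypt or Argon2 where available.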
Make sure your staff understand the rationale behind these policies. Tell them about the very real dangers organisations face. Articulate and enforce these policies clearly and fairly. Include them in the employee handbook, and work with an IT partner who understands the risks your organisation faces and has taken pro-active steps to safeguard your staff, systems and customer data.