Protect Your Business
If you own a business, or if you are managing a business, information security (infosec as it is known) is one of the more important issues you face. For the purpose of securing the business’s information, pay particular attention to 1) the people and 2) the technology of the company. Each represents a broad target of vulnerability for the bad guys, and each has multiple threat “vectors”. In this section we will discuss the matter in broad terms and provide some specific tips and resources to help you.
Information is a target because it can be abused by the bad guys to enrich their ego and financials, as well as embarrass and impoverish victims. Businesses can be a target for innumerable political, geographical or personal reasons.
It is therefore vital that businesses assign a high priority to their online security, and ensure appropriate resources to support that priority.
Let’s be realistic. If infosec is to be a priority, with priority resources, hard decisions have to be made. Where do you start? What should be the ancillary priorities? Great questions.
A good first step is to think like a target. Think strategically to determine the relative importance of information maintained by the company and the means of accessing that information. Look at it from 10,000-feet up to see (and manage) the entire threat landscape.
An example to illustrate the importance of strategic thinking:
Imagine a doctors’ office that decided not to upgrade the computers at the front desk when they upgraded practice management computers. The older computers with known security vulnerabilities were observed by a patient who later accessed one from the outside and delivered up thousands of patient records over the course of many weeks, undetected.
Impose behavioral responsibility on everyone in the company to conduct business in prudent ways. It does no good to have a $1,000 lock on the front door if Betty props the back door open to get fresh air. If the cash management account is accessed by 4 people, each with the same global administrative rights to the bank account, ask yourself how all those people remember the access codes, and inspect the bottoms of their keyboards. (You should also ask why all 4 have the same rights to the account.) Behavior is the most difficult thing to change, but in this case, given the generations of people using technology that has been here less than 15 years, it is about the most important thing you can do as an owner or manager of any business, if you care about securing your information. Writing passwords on paper stuck to the computer is a behavior that cannot be allowed to stand. Doing the company’s online banking at the community coffee shop, on a borrowed computer, with no thought to who’s looking at the screen should not be happening, either.
Thinking carefully about the security of the end-point, and following up, should be another big priority. By end-point we mean the “client”: the employee computers, laptops, mobile devices and smart phones. By careful thought we mean:
- Windows-based office computers should be running the Professional version of Windows or above.
- Screen savers should be enabled after a few minutes of inactivity and require the domain user name and password.
- Laptops should have a Trusted Platform Module (TPM) installed so that the information on the hard drive can be protected via a good encryption scheme. That way even if the bad guys steal the laptop and take out the hard drive, they can’t get the information without a lot of very hard industry. Apple doesn’t have TPM technology in its computers, but you can encrypt all or part of the hard drive in current OS X, which will accomplish the same thing.
- Good, and by that we mean better than most, passwords should be required by domain policy.
- Every day each computer should verify that it is up-to-date with current operating system patches, software updates and malware protection.
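The checklist above can be checked on a Windows PC with built-in cmdlets; the script below is an added example, not part of the original article. The thresholds (idle time, password length, patch and signature age) are assumptions to replace with your own policy values, and the malware check covers Microsoft Defender only.

```powershell
# Added example: audits the local Windows PC against the end-point checklist above.
# The four thresholds below are assumptions; set them to match company policy.
# Run from an elevated prompt: Get-Tpm and Get-BitLockerVolume need administrator rights.
$MaxIdleSeconds      = 600
$MinPasswordLength   = 12
$MaxPatchAgeDays     = 35
$MaxSignatureAgeDays = 2
$results = [ordered]@{}

# 1. Windows edition: Home editions cannot join a domain, so they fail this check.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$results['Professional edition or above'] = $os.Caption -notmatch 'Home'

# 2. Screen saver: enabled, short timeout, password required on resume.
#    The Group Policy key is listed first so that it overrides the user's own setting.
$ssPaths = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
           'HKCU:\Control Panel\Desktop'
$ss = $ssPaths | ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } |
      Where-Object { $null -ne $_.ScreenSaveActive } | Select-Object -First 1
$timeout = [int]$ss.ScreenSaveTimeOut   # 0 when the value is missing
$results['Screen saver locks the session'] = [bool]($ss -and $ss.ScreenSaveActive -eq '1' -and
    $ss.ScreenSaverIsSecure -eq '1' -and $timeout -gt 0 -and $timeout -le $MaxIdleSeconds)

# 3. TPM present and the system drive protected by BitLocker.
$tpm = Get-Tpm -ErrorAction SilentlyContinue
$bde = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$results['TPM present and ready']  = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
$results['System drive encrypted'] = [bool]($bde -and $bde.ProtectionStatus -eq 'On')

# 4. Password policy: minimum length reported by "net accounts" (English output assumed).
$line   = net accounts | Select-String -Pattern 'Minimum password length'
$minLen = if ($line -and $line.Line -match '(\d+)\s*$') { [int]$Matches[1] } else { 0 }
$results['Minimum password length enforced'] = $minLen -ge $MinPasswordLength

# 5. Operating system patches and malware signatures are current.
$lastPatch = (Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn | Select-Object -Last 1).InstalledOn
$results['Patched recently'] = [bool]($lastPatch -and $lastPatch -gt (Get-Date).AddDays(-$MaxPatchAgeDays))
$av = Get-MpComputerStatus -ErrorAction SilentlyContinue   # Microsoft Defender only
$results['Malware signatures current'] = [bool]($av -and $av.AntivirusEnabled -and
    $av.AntivirusSignatureLastUpdated -gt (Get-Date).AddDays(-$MaxSignatureAgeDays))

$results.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Pass = $_.Value }
} | Format-Table -AutoSize
```

A check that cannot be evaluated (for example, no TPM cmdlets on the machine) is reported as a failure rather than skipped, so a missing control never reads as a pass.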
So, there are your 3 priorities. Think like a victim, influence behavior change by teaching your people to act discreetly, and focus on the end-point. If you do this well, you will have addressed maybe 80% of the threat vector.
As for the other “points” such as the web server, file server, etc., if properly configured they tend to look after themselves. For the most part they are built for security. And research seems to indicate they are less likely to be compromised than the end-point, as long as they automatically install patches and updates, and adhere to best practice with respect to architectural frameworks and domain policy enforcement. Set them up, watch them, keep them current, sure. Don’t sue us if they prove to be your weak link. But if you need to prioritize your “threat vectors”, start with the end points and work your way in. By far, the greatest number of information breaches are due to insecure end-points.
Develop your people to protect your business
The people in your company are about the biggest risk to information security you’ve got. And not because they are bad people. Your company’s computers serve at the behest of your employees. Humans make computers do what they do. So, regularly and often train your people in security best-practice. Make it a “top of mind” matter. Devote some money to basic security training. There are some great online courses available.
Here’s a scenario that highlights the need for training:
Somebody reset the wireless access point on the board room table to remove the password because one of the directors was unable to access email via his iPad. While convenient to the director, this action allowed anybody in the parking lot to hack into the mainframe and access sensitive intellectual property.
Oh, and give your employees the tools to do a better job with security than the average person.
Consumer-grade software tools are generally insufficient for businesses.
- That $500 laptop your new employee bought from Staples does not have Windows Professional on it which means it will be unable to adhere to basic network security protocols at your business.
- That little router you bought for home that cost $100 at Office Depot is absolutely inappropriate for your business infrastructure. It can’t handle the traffic well, and is vulnerable to your average 9th grader hacktivist, the one you said couldn’t date your son.
- A malware package for your home computer probably doesn’t allow for the central management that a business malware package provides. It is easy for you to keep your personal computer up to date with patches and software updates, but how do you know that all the company’s computers are patched and updated? With consumer software it is usually impossible to know. This is unacceptable in today’s technology-centric world.
It is for these reasons (and others) that your nephew is probably not the computer guy you want keeping your company safe. Find a professional who makes his living solving business-grade challenges.
In any analysis, to operate well your business needs good management. That is true of the balance sheet, and it is true of the infrastructure. Therefore your business must be able to manage technology components, preferably from more than one location. Business technology assets that must be managed centrally, not just individually, would include:
- Employee access and control (user accounts)
- Your internet domain name
- Your website (not the same as your domain name)
- Computers (software installation, updates and patches)
- Mobile devices
- The file server
- The internal network traffic (firewalls, routers, switches, et al)
- Wireless access points
- The phone system
Managing such items means they are set up according to company technology policy (you have one, right?), controlled by authorized company representatives (employees and/or 3rd parties), and periodically inspected for updates and integrity.
If your company has a dozen computers or more, protect sensitive information with well-formed, centralized management. In most cases, employees should not be allowed to install software on their computer, or if they do, such installations should be monitored by those who are mindful of the threat risk associated with malicious software. And the company should know when computers on its network are running out-of-date virus software, and be able to fix that problem quickly.
One of the things that security professionals are learning is that many advanced persistent threats (APTs) are too advanced and deploy too quickly for traditional malware or anti-virus software to stop. A new technology, called application whitelisting, helps with this problem. Companies such as Lumension and Bit9 have developed solutions that essentially track in real-time disapproved applications and restrict them from gaining hold within a company’s network of computers. Anti-virus and malware software have to download an update in order to know about new threats.
Here’s why central management and periodic inspection are important. Consider this scenario:
The boss is an impatient man. He doesn’t like to take the time to let his virus software update on his laptop, so he keeps putting it off. Now he is working one night, late, and decides to design the new company brochure. To do this he bought a discounted page layout program online that had a free account to “Free Pictures R US” web site. He installed the program, downloaded a bunch of pictures, and got to work. At work the next day, his laptop isn’t working right, it’s VERY slow, but he can just get it to access his bank account and transfer money to his wife’s account to keep himself out of hot water. 24 hours later all his accounts are overdrawn and his email password isn’t working. Two days later his laptop is inspected and found to have malware that sent his personal information (and sensitive customer documents) to Moldova.
The good news is that you have a new brochure to show people.
Central management has been a hallmark of well-run companies for decades. Even rabid Apple fans will admit that it is for this reason that Apple Computer still hasn’t conquered the business market. Microsoft long ago developed what is probably the greatest tool for businesses to sufficiently manage users and the access and control they have to other technology assets in the company. It’s called Active Directory and if you have more than 25 users you should have it deployed in your organization. If you don’t, find a qualified Microsoft partner who can assess and suggest an affordable solution. Say what you want about Microsoft, but no software company has done as well and as much in the area of security and audit tools for its products. Nobody. You can take that to the bank.
Other companies offer similar management for related activities. GFI for example provides a central way of installing, monitoring and reporting malware on every computer and mobile device in the company from one console. Centrify has an unbelievably cool way of centrally managing all your computers, laptops, and mobile devices. Bit9 and Lumension (mentioned earlier) are other companies with outstandingly good tools for business technology security management. Such tools are available to ensure that every computer in the company is running the most recent version of its respective operating system and other software.
There is a budding technology called SIEM (Security Information and Event Management) that aspires to provide a console look at every security event that takes place in a company. Compliance auditors need that kind of tool, and many shareholders have come to appreciate it, too. A number of well-known companies have entered this space, like HP, Intel, Symantec, RSA and others. LOGbinder provides the only known SIEM solution for security audit log data collection from Microsoft Exchange, SharePoint and SQL Servers. Massive amounts of sensitive information are stored in those applications. Knowing who did what to which data element, how and when, on such big databases, is a huge boon for information security professionals.
By the way, the most egregious offender of software security is arguably Oracle Corporation’s Java program. It is known to have multiple and serious security vulnerabilities, all of which are extensively published. Oracle ignored the problem for a long time and is only recently taking action. The software is installed on most all computers, sometimes with multiple versions on each. Chances are very good that your own computer has instances of this software with its gaping security holes. If you do nothing else with this article, update Java on your computer and others in your company. Better yet, remove it; you may not need it anyway.
Small businesses can manage their systems on an individual, ad hoc basis. If your company has more than 10 employees, it should take a good, hard look at the people and the technology that stand in front of (not behind) its information. And do something about it.
Contact us immediately if you think one of your Peoples Bank accounts or services has been compromised.