By Jared Humiston
Maintaining a secure business is no small
task. With so much demand on everyone’s time
it becomes easy to overlook the small details
that protect your business. This task should
never fall on one person’s shoulders but rather
on the organization as a whole. Here are some
helpful tips to keep your organization secure.
It is widely believed that anti-virus, a
firewall, complex passwords and some web
content filtering software will keep you safe
and secure. While these are all critical components
of keeping data secure, these are only
part of the equation that is security. Law
enforcement experts estimate that 50 percent
of breaches result from employees misusing
access privileges, whether maliciously or
unwittingly.
You have to be conscientious about
both internal and external threats. Users with
elevated privileges can accidentally delete
data, causing harm to the organization.
These acts do not have to be intentional to
be harmful. Periodically review who has
access to what information. We come across
a lot of situations where all company data
is put into one folder and shared out. This
gives users access to files that should remain
confidential.
Another area of security that is often
overlooked is training the “human firewall.” Most
spyware is the direct result of user behavior.
This could be using Facebook, checking personal
e-mails, instant messaging programs
and other user/employee provided devices.
Having a policy, plan and/or solution in place to
address these areas is necessary in any sized
organization.
Educating and training your employees on
the dangers of these behaviors can help the
user identify a potential threat before clicking.
A common way that an employee can
be socially engineered is outlined in the following
example: A person comes in for an
interview and asks the front desk person
to take a USB stick and print out the file
called resume real quick, because they were
running late because their kid was sick.
Your employee wants to help, so they plug
it in, pull up the resume, print it out
and hand it to the interviewee, who is
delighted. The person goes into the interview,
comes out, says thanks, and that’s that.
What the employee did not know is that the
USB stick contained malicious code that will
log all of their keystrokes and send them to
the attacker. It will gather passwords and
could even provide a backdoor into the network.
Had a policy been in place to never accept
a device from non-employees, or had a device
control application been in place, this could
have been prevented. The employee is as
vulnerable as the desktop or laptop.
You see, security is a layered approach and
it is different for every organization. Not to
beat analogies to death in this article, but this
analogy describes security in layman’s terms.
When you go to bed at night, you would never
leave your front door wide open and lock just
your bedroom.
This would allow the would-be attackers/
hackers free access to your house. Normally,
you lock all the doors and may even have
a bolt to provide extra security. Closing these
doors provides another barrier for them to
have to break down to gain access. Hearing
the racket will prompt you to call police.
They now have to break down a secondary
bedroom door.
Having two doors should provide time for
the police to show up and thwart the attacker
or eliminate the threat altogether.
If you are running out of time, you have a
secondary escape route out the window.
Without these secondary measures in place,
something much worse could have happened.
The same applies in your business environment.
You want to have a plan of action on
how to prevent attackers from gaining access
to your network, and to be prepared if they do,
knowing how to properly respond to eliminate the
damage to your files and reputation.
Security does not come prepackaged; it is
tailored to each and every network environment,
large or small. It includes every member
of the organization to ensure that your business
is safe. Firewalls are good until someone
initiates a download. Web content filtering is
good except when someone forgets to
apply a policy. The “human firewall” may know
that the .zip file from an unknown source in
their personal Yahoo e-mail should not be
viewed at work because they were trained
properly.
This is why you scratch your head at night
wondering why one of your users was down
half the day because of a virus when you paid
for anti-virus and a firewall.
Humiston is president of Adirondack
Technical Solutions in Argyle.