All organizations are at risk of a breach in IT security, whether externally (by a party outside the organization’s computer network) or internally (by a person connected to the organization’s computer network); studies show that even small companies are targeted externally, primarily because they are more vulnerable than larger organizations who can dedicate resources to combat external threats.
Organizations take great efforts to secure their data; they have firewalls, spam blockers, anti-malware applications, intrusion detection, etc. However, the greatest threat comes from within: End-users often inadvertently introduce malware (via web browsing or email-attachment clicking), which can spread across the network or attack confidential data.
Effective IT security requires a layered approach; it is comprised of multiple solutions at different points-of-entry and areas of concern. It must be setup properly, but must also be continually monitored and then updated as appropriate. Security should be periodically reviewed by an IT expert and, if budget permits, tested to ensure what is expected is what is received.
Effective IT security also requires ongoing training for all users and monitoring and enforcement of usage policies.
For an overview on IT security, I recommend viewing Derrick Hughes’ Ten ways to prevent a data breach and secure your small business in The Globe and Mail.
Here is our checklist, organized by security concern:
1.) Computer network:
- Deploy, update, and monitor stand-alone firewall(s) between all external networks (IE: Internet) and the organization’s network.
- Deploy, update, and monitor an email/spam-protection capability.
- Deploy, update, and monitor an event-log management capability.
- Deploy, update, and monitor intrusion-prevention/detection capability.
- Lock-down wireless access points.
The first line-of-defense from external threats is a professional-grade, stand-alone firewall configured to refuse unwanted traffic from external sources while permitting only desirable connections. It should be supplemented with email/spam protection; either as a Cloud-based service or via an internal appliance. Event-log management and intrusion prevention/detection are also available either as a service or appliance; both are recommended, but budget versus benefits must be considered.
Enable Service Set Identifier (SSID) for internal-use wireless access points.
2.) Servers, their operating systems, and their applications:
- Test and then install all recommended security patches/firmware updates.
- Manage operating system and application security-updates continually.
- Deploy, update, and monitor anti-malware application on all servers.
- Monitor continuously and review periodically for anomalies.
Servers, whether in-house or Cloud-based, contain not only valuable data, but also end-user information (usernames, passwords, profiles, etc.) that can be manipulated and used to infiltrate. They, their operating systems, and server-based applications, must be aggressively patched, protected through anti-malware, and monitored continuously.
Anomalies in performance and event logs can highlight potential security risks; both should be reviewed periodically.
3.) Data:
- Identify at-risk data and its location; keep only what you need.
- Outsource payment processing to a reliable, third-party partner.
- Verify security of vendors and partners with access to your data.
- Where performance permits; encrypt data at-rest and in-motion.
- Deploy an encrypted backup solution with onsite and offsite storage.
Company data should be classified as to its value and stored accordingly. It is best always encrypted, although many organizations might not have the processing power to permit such.
Rather than process payments onsite, many third-party vendors provide this service, but they should be verified before engaging.
Data backups should be encrypted and follow the 3-2-1 rule for reliability:
- Three copies of important data
- Two different media types
- One copy offsite
4.) End-user devices, operating systems, and applications:
- Manage operating system and application security-updates continually.
- Deploy, monitor, and update anti-malware app(s) on all end-user devices.
- Test and install security-required firmware updates to end-user devices.
End-user devices are a primary target; they are difficult to secure and change continually. However, end-user tools also share some blame: Karen A. Frenkel of CIO Insight writes in “How Malware Bypasses Detection Tools” that 81% of IT professionals believe that web-browser-initiated malware can remain undetected by security tools and that the primary attack vector is an insecure web browser.
End-user devices, their operating systems and their applications must also be aggressively patched, protected through anti-malware, and monitored continuously.
Occasionally, a manufacturer will issue an alert for a security-required update to an end-user device, which should be applied as soon as possible.
5.) Usage:
- Lock-down user rights to restrict data access to as-needed basis.
- Require complex passwords with forced, periodic changes.
- Enforce periodic time-outs when computer is left unattended.
- Separate social-media browsing from financial-data handling.
- Require two-factor authentication for all online transactions.
- Create end-user policy detailing appropriate Internet use.
- Create end-user policy on how-to protect sensitive data.
- Enable web-monitoring capability to enforce policies.
- Protect email via encryption (as needed).
Data should be restricted, preferably by need-to-know. (Crypto Locker can initially only attack data available to the end-user introducing this virus.) Complex passwords with periodic changes can restrict untrusted access while forced time-outs keep private information from unwanted eyes.
Setup a separate login account or device for access to financial-data. All online financial transactions must have two-factor authentication.
Policies should exist to inform end-users; they can be enforced through web-monitoring solutions.
Sensitive emails should be encrypted (via a service or appliance) while sensitive documents can be transferred via a secure FTP site.
6.) Training:
- Define an organization’s best practices for IT security.
- Demonstrate how to spot an unwanted ad while browsing.
- Train users how to verify a website link (before clicking it).
- Show how to verify an email attachment (before opening it).
- Train users to check the address of an email’s sender/source.
Data breaches occur due to the inadvertent introduction of malware, sometimes through the failure to comply with policies designed to limit inappropriate behavior, but often through a lack of IT-security knowledge and training.
50% of corporate employees do not consider IT security to be their responsibility; Millennials are at greater risk than Baby Boomers due to their use of company devices for personal use (64%) and willingness to change default settings (35%). (These findings are highlighted in Karen A. Frenkel’s of CIO Insights “Millennials Pose a Greater Security Risk”.)
The more training, the better. Initial training should be acknowledged by the recipient and then tested for knowledge gained. Security training should be repeated periodically; preferably at least annually.
7.) Maintain a Written Information Security Plan (WISP):
- Assign a responsible person.
- Define and announce the WISP.
- Review WISP periodically (at least annually).
- Document changes to WISP when they occur.
- Periodically test, assess, and rework policies and procedures.
The Commonwealth of Massachusetts, under statute 201 CMR 17.00, requires a WISP for all organizations that hold personal information on any Massachusetts resident. The WISP must be assigned to an Information Security Manager, periodically reviewed, and changes must be documented. All WISP policies and procedures must be periodically tested, assessed, and reworked as needed to ensure maximum, ongoing protection.
For details on 201 CMR 17.00, visit Bryley Systems’ 201 CMR 17.00 Seminar.