
Security Simplified: 5 Best Practices for Business


There is a difference between what people perceive as enough cyber security and what the industry recommends as best practices. The problem, especially in small to mid-sized businesses, is the notion that good security is impossibly expensive and/or complex. 

So ask yourself: how much security do you really need? The answer will drive the right focus and the right solution for your business. Because, let's face it, security can be complex. Just look at a sampling of the security frameworks and regulations in existence (cue the "Star Wars" opening crawl music):

CCA
CSC
COBIT
Defense-in-Depth
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability & Accountability Act (HIPAA)
HITECH/HITRUST Common Security Framework (CSF)
IEC 62443
International Basel III
ISA/IEC 62443 (formerly ISA 99)
ISO 15408
ISO/IEC 27001:2013
ISO/IEC 27002:2013
Internet Engineering Task Force RFC 2196
Information Security Forum (ISF) Standard of Good Practice
Information Technology Infrastructure Library (ITIL)
NERC CIP (CIP-002-3 through CIP-009-3)
NIST 800-53 v4
NIST CSF
Payment Card Industry (PCI) Data Security Standard (DSS) v3.0
Safe Harbor Int'l Info Privacy Protection
Sarbanes-Oxley Act of 2002 (SOX)
Security Trustmark+

That's a daunting list, and each entry has its own focus and purpose. But there are common denominators, and in an effort to simplify, we've narrowed them down to the top five security areas. These are the areas that should be addressed in every business, whether you're NASA or a donut shop.

1. Data Security

What year is it? Do we really need to talk about backing up data? Believe it or not, there are still businesses with no backups, or with tape backups stored in the trunk of someone's car and labeled as their "off-site" solution. Whether those tapes will restore when needed is anyone's guess. Other businesses keep backups permanently connected to the network, where they can be encrypted, deleted or exfiltrated right alongside the live data during a breach.

Consider a cloud-based system that keeps your data backed up and out of reach of attacks on your local drives. A backup copy that an attacker can overwrite with the same credentials as the live data is not really a backup, so keep at least one copy that cannot be written to from the network, and test a restore on a schedule rather than assuming it will work. And make sure your employees are actually using it! We've seen vast amounts of critical data stored only on employees' local drives, sometimes years' worth, lost in the aftermath of a ransomware attack.
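One way to turn "whether they'll work when needed is anyone's guess" into a repeatable check is to record a hash of every file when the backup is taken and compare a restored copy against that record. The script below is an added example, not code from the original post or from ProTech; the directory layout, file names and the simulated ransomware damage are constructed for the demo, and the manifest is kept in memory rather than stored with the offline copy as it would be in practice.

```python
"""Backup integrity check: hash every file at backup time into a manifest,
then verify a restored copy against that manifest before trusting it.

Added example, not ProTech's or the Chamber's code. Paths, file names and the
simulated tampering below are constructed for the demo."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(root: Path, manifest: dict) -> dict:
    """Compare a restored tree to the manifest and report what a restore test
    should surface: files that are gone, files whose contents changed (for
    example encrypted by ransomware), and files that were never in the backup."""
    current = build_manifest(root)
    return {
        "ok": sorted(k for k in manifest if current.get(k) == manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Build a constructed 'backup', restore it, tamper with the restore, verify."""
    work = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    try:
        src = work / "source"
        (src / "accounting").mkdir(parents=True)
        (src / "accounting" / "ledger.csv").write_text("date,amount\n2017-07-24,100\n")
        (src / "contracts.txt").write_text("signed agreements\n")
        (src / "notes.txt").write_text("meeting notes\n")

        # Taken at backup time. In practice this JSON travels with the offline
        # copy (or is signed); an attacker who can rewrite it can hide tampering.
        manifest_json = json.dumps(build_manifest(src), indent=2, sort_keys=True)

        restored = work / "restored"
        shutil.copytree(src, restored)
        # Simulate what a network-reachable backup looks like after a breach:
        (restored / "contracts.txt").write_bytes(b"\x00ENCRYPTED\x00")  # encrypted in place
        (restored / "notes.txt").unlink()                                 # deleted
        (restored / "README.ransom.txt").write_text("pay up\n")           # dropped by the attacker

        return verify_restore(restored, json.loads(manifest_json))
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:>10}: {files}")
```

Run it on a real restore by pointing `build_manifest` at the source at backup time and `verify_restore` at the restored directory; anything in `missing` or `modified` means the backup you were counting on is not the data you had.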

2. Physical and Logical Access Controls

Sometimes physical security gets ignored in all the excitement and drama of cyber security. Yes, locking the doors still deters criminals. You would be amazed at the businesses that leave server room doors propped open or unlocked. Some don’t even have locks or the doors won’t shut.

But locks alone won't keep you safe; you also need access controls that limit who can enter and when, and a policy that prohibits tailgating. We've all seen employees let others slide in behind them when entering secured areas.

3. Secure Endpoints and Network Devices

Unattended but still-connected devices, whether end-user endpoints such as desktops, laptops, smartphones and tablets, or network gear such as wireless APs, are a security nightmare waiting to happen. Even a five-minute idle time-out can be risky: five minutes leaves plenty of time for someone to walk over and take control of a logged-in session. The best practice is to lock screens whenever they are unattended, even for a few minutes, and to enforce a short idle time-out through policy rather than relying on users to remember.

We often find that network devices such as switches and routers still have easy-to-guess default passwords such as admin, user or even password. Leaving the defaults in place is bad enough, but changing them to something equally guessable is no better.

IT pros, practice what you preach! Complex passwords are not just for your end-users. Give every device its own unique password, made up of capital letters, lower-case letters, numbers and symbols, and keep it in a password manager rather than reusing it across devices. There is some debate about how many characters a good password should have. Kevin Mitnick, known as the world's most famous hacker, recommends passwords of 25 characters.

Don't configure equipment correctly once and then forget about it. Keep firmware and operating systems patched so you always have the latest security updates, and plan the life cycle of every system so that it is replaced before its operating system falls out of support (I'm looking at you, Windows XP).

4. Safeguard Email and Web Usage

It's been said that 91 percent of data breaches begin with a phishing email. That makes email one of the most important areas to focus on to keep your business safe. There are many anti-virus and spam-filtering tools available, so consider working with an IT company to ensure the solution is tailored to your business needs.

Staying safe while browsing the Web matters just as much. Simple web filtering keeps end-users off sites that are, at minimum, productivity-killers or, worse, vectors for malicious content. Other tools can stop malware that has already landed from "phoning home" by checking each outbound connection or DNS lookup against a database of domains known to be malicious.
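The "phone home" check described above comes down to matching what your machines try to resolve against a list of known-bad domains. The script below is an added example, not code from the original post or from ProTech: it parses resolver log lines and reports which internal client looked up a blocklisted domain or any of its subdomains. The log format, the blocklist entries and the client addresses are all constructed for the demo; a real deployment would read the resolver's actual log and a vendor or community feed.

```python
"""Flag endpoints whose DNS lookups hit a known-bad domain list, the check a
'phone home' blocker performs.

Added example, not the page's or ProTech's code. The log line format, the
blocklist entries and the client addresses are constructed."""
import re
from collections import defaultdict
from typing import Optional

# Constructed blocklist. A real deployment would load a vendor or community feed.
BLOCKLIST = {"evil-c2.example", "badware.test"}

# Constructed resolver log lines (the format is an assumption, not a real product's).
SAMPLE_LOG = """\
2017-07-24T09:15:02Z client=10.0.0.14 qtype=A name=update.microsoft.com
2017-07-24T09:15:07Z client=10.0.0.14 qtype=A name=cdn.evil-c2.example
2017-07-24T09:15:08Z client=10.0.0.22 qtype=A name=mail.google.com
2017-07-24T09:16:11Z client=10.0.0.22 qtype=A name=beacon.evil-c2.example
2017-07-24T09:16:12Z client=10.0.0.14 qtype=A name=Cdn.Evil-C2.Example.
2017-07-24T09:16:40Z client=10.0.0.31 qtype=A name=notevil-c2.example
2017-07-24T09:17:00Z client=10.0.0.31 qtype=A name=tracker.badware.test
this line is malformed and must not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qtype=(?P<qtype>\S+) name=(?P<name>\S+)$"
)


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def matched_domain(name: str, blocklist) -> Optional[str]:
    """Return the blocklist entry that covers `name` (the entry itself or any
    subdomain of it). Matching is on whole labels, so 'notevil-c2.example'
    does not match 'evil-c2.example' the way a plain suffix test would."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def find_phone_home(log_text: str, blocklist=BLOCKLIST) -> dict:
    """Parse the log and return {client: [(timestamp, queried_name, entry), ...]}
    for every query that resolved a blocklisted domain. Malformed lines are skipped
    rather than allowed to abort the whole run."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = matched_domain(m["name"], blocklist)
        if entry:
            hits[m["client"]].append((m["ts"], normalize(m["name"]), entry))
    return dict(hits)


if __name__ == "__main__":
    for client, events in find_phone_home(SAMPLE_LOG).items():
        print(client)
        for ts, name, entry in events:
            print(f"  {ts}  {name}  (blocked by {entry})")
```

Two details carry the security value here: names are normalized before matching (an attacker gains nothing from mixed case or a trailing dot), and the match is label-by-label, so a look-alike such as notevil-c2.example is neither blocked by accident nor able to slip past a list that only knows the exact string.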

5. Continuous Assessments and Training

Last, but certainly not least, implement on-going security assessments and training. A one-and-done security assessment is not enough, and neither is a once-a-year training session for employees. You cannot take a "set it and forget it" approach to security and expect to keep your business safe. Cybercriminals constantly change their tactics, and constant vigilance is required to adapt to emerging risks. For security assessments, know and understand your regulatory obligations; then assess your entire operation, covering both the physical and logical security of your business.

Your security training should have two objectives:

  • Educate employees to be skeptical and learn to spot cybercriminal red flags.
  • Develop a culture of security awareness that deputizes end-users to act as a “human firewall” to spot and stop potential compromises. 

To accomplish these goals, continually test end-users to see how many fall for social engineering attempts, such as phishing emails.

Don’t let the perception of complexity keep you from attaining the level of security your business needs. 

ProTech is the Chamber's official technology partner. Learn more about their services here, and be sure to take advantage of the free technology assessment available to all Chamber members through the Affinity program.


Posted: 7/26/2017 12:16:03 PM | with 0 comments
Filed under: CyberSecurity, ProTech




THE M BLOG
The latest news from the Greater Memphis Chamber. For more information, contact Director of Communications Christina Meek at (901) 543-3504 (cmeek@memphischamber.com) or Communications Specialist Jenny C. Fish at (901) 543-3558 (jfish@memphischamber.com).
