Limit Access
Physical and digital access to information and tools should be limited on an as-needed basis.
- Are your CEO’s, Controller’s or HR offices open to anyone to rummage through? If so, it’s a disaster waiting to happen. Locks on doors, windows, drawers and file cabinets prevent access by those who shouldn’t see what’s in them, unless they’re left open or the keys are left handy!
- The same goes for files on the network. Yes, there are those who will seek out information they should not have access to, but in most cases accidents account for inappropriate data access. Restricting people based on job function and keeping passwords unique and private protects digital access. Letting everyone have full access to all files across the network is another recipe for mayhem.
- A clean desk! Not having sensitive information displayed on a physical or computer desktop where others can see what they should not is important, simple to implement and doesn’t cost a penny.
- Conversation: encourage careful communication whether it be verbal in the office, on the phone or by digital means. Sensitive items should never be discussed near “listening” electronics such as smart speakers and unmanaged mobile devices.
Be sure that access to resources is removed immediately when an employee leaves the organization, or when their role changes and they no longer need access to particular programs, data or machines.
Layer Protection
No single solution will provide all-encompassing security. Networks and forms of digital data are complex and diverse. In most cases all devices should have managed and monitored endpoint protection that looks for active exploits, but also for signs of things trying to run undetected. Perimeter firewalls, whether physical or virtual, are also essential. ISPs are in the business of delivering internet service and security is not their specialty, so trusting your ISP as a firewall is not a good practice, especially in business. Doing so would not be considered due diligence. Another bad practice is using consumer-grade equipment for firewall services. A business-class firewall has capabilities beyond most consumer-grade devices, one of the most important of which is the ability to inspect encrypted traffic. HTTPS traffic is encrypted, and many older, low-end and consumer-grade devices cannot inspect those packets at all.
VPNs can offer protection, or not. A VPN is only as good as what’s at either end and the encryption it provides. When you subscribe to a VPN service, what does the provider do with your data? How is their end of things protected? What’s on your system or network that might compromise your end of the tunnel? What are you accessing at the other end? Using a VPN to go to Facebook or Yahoo really doesn’t protect you against anything on those sites. In most cases, it is recommended that a protected device outside the network connect to a secured network and initiate a specific VPN connection to a business resource. These connections are specific to particular uses at both ends and offer security to both ends.
Identity management can be quite complex, but at its base it limits access, as noted previously, based on various identity verification methods. These can be as simple as a user name and password, a PIN and a key card. Since user names and passwords are routinely compromised, multifactor authentication (MFA) adds a third distinct piece of required information to the requirement for access (think texted, emailed or phoned codes, or one-time passwords (OTP) from authenticator apps, when logging into a site or tool). When your users have multiple resources requiring MFA, it can take some time to get logged into the various tools for their jobs each shift. There are solutions that consolidate logins, called single sign-on (SSO), but realize that these add complexity and cost to your network management. They require correct configuration and careful management, or the purpose of identity management is defeated. It’s like outfitting your building with state-of-the-art security and then leaving all the doors and windows unlocked. We recommend MFA in all instances when sensitive data is involved.
In our next post we’ll continue with some recommendations to up your game.