Create an effective cyber security plan by including regular employee training
Cyber Security has been a hot topic for several years now. It seems like you can't turn on the news without seeing a report of some new ransomware creating havoc for businesses around the globe.
Surprisingly, a great deal of these events are completely preventable with a strategy that involves multiple layers of protection, regular system maintenance and updates and most importantly, regular end user training.
IBM published an alarming statistic that 95 percent of all security incidents involve human error, yet week after week I meet with local businesses who have no strategy for keeping their employees regularly trained on how to better protect the company they work for.
"There are two types of companies: those that have been hacked, and those who don't know they have been hacked." - Former Cisco CEO John Chambers
So what's a company to do if everything seems hopeless? It's not all doom and gloom. This is by no means a complete plan but rather it's meant to encourage thought and discussion with your IT department or IT Service provider.
1. Work Outside In: The more you can mitigate outside your network the better. A lot of businesses now have data and applications running in the cloud which makes a comprehensive security plan even more critical. Cloud security services like Cisco's OpenDNS can create an external layer which filters information before it hits your firewall and network.
2. Educate your workforce: Remember that 95% statistic? This is where you can have a major impact on security. A well run IT department or service will provide training to the end users in short, easy to understand communications, at least once per month.
3. Protect the Perimeter: Enterprise class firewalls are a must for businesses today. But in addition to having a good firewall, more important is the process put in place for monitoring and updating the firewall. Things change quickly in cyber space so it's imperative that you have real time updates and a system in place for identifying unusual behavior in your network traffic.
4. Protect the Endpoints: It's not enough to just put anti-virus on your computer anymore. You may need to supplement with newer technology that addresses Ransomware. This is where a multi-vendor approach may have added benefits. Your IT professional can help choose products and services that are right for your systems and vertical market.
5. Limit permissions: Your network should be designed so that information is stored based on department or job function. The same applies to your workforce and their domain accounts. By limiting what users have access to based on their job function, you can limit the exposure your company has if something like Ransomware does manage to penetrate the environment.
6. Curb Administrative rights: Your users don't need it (even at a local level) and the only accounts that should have Administrative rights should be used only when performing Administrative functions on the network. Otherwise your user accounts should be limited to the lowest permissioned account to perform their work functions.
7. Wi-Fi strategy: If you need Wi-Fi in your business, make sure you have a well-structured private network and only allow a public channel if absolutely needed. Depending on your industry you may have clients or guests that expect Wi-Fi, which should be completely segregated from your internal network.
8. Continuity Planning: Most businesses will experience a security event of some kind. This could be a full blown data breach down to a small virus that is more annoying than damaging. Much more than just data backup, a true continuity service will be segregated from your production network, have an encrypted off-site component, provide frequent snapshots of your data and be fully tested on a regular basis (nightly is preferable). Your written plan should be reviewed at least annually and a copy distributed to all key management personnel in the business.
9. Use Encryption: Encrypting your data, both at rest and in motion, can save you from major headaches, especially if you have regulatory or compliance requirements.
10. Patch & Update!: This was never more evident when the WannaCry Ransomware hit over 150 countries and brought Brittan's health care system to its knees. The first variation of that attack could have been prevented had a single Microsoft patch been applied to systems.
11. Include IT in Planning: Most of the businesses I speak with look at IT as an expense rather than an investment. A lot of times a budget isn't even created, yet IT is expected to keep the business running, without incident and without any road map or knowledge of where the business is actually going. It sounds ridiculous when you read that out loud but unfortunately that is how many businesses operate. Give IT a seat at the business table and clue them in on the business plans.
I hope this information has been helpful and sparks conversation in your organization. Together we can create more secure environments which limit the amount of unplanned outages and increase productivity and the bottom line.
• Eric Rieger is president of WEBIT Services Inc. in Naperville. Contact him at erieger@webitservices.com