By Gregory Grant — August 31, 2015
Network security and data protection have always been critical, but with the rise in cyber criminal activity, they’ve moved to the top of the priority list for most businesses. Although one article won’t give you all the tools and information you need, every business decision maker should consider these five things when it comes to network security.
1) Know your assets. Understand the cyber assets you have and protect them first! Many companies still struggle with this concept, but it’s critical that every stakeholder know what hackers are after and why. The obvious targets are credit and debit card information, followed closely by personally identifiable information and personal health information. The latter two are primarily used to perpetrate identity theft. For example, a health club membership application is scanned and stored on a computer system that has Internet access. Often, the membership information provided includes not only personal details, but also banking information (debit card, checking account, etc.) for auto-drafting of monthly dues. Hackers can “sniff” around networks and gain access to folders largely undetected. Unless these types of data sources are secured, criminals can and will take whatever valuables they find.
In addition, a large number of business owners and decision makers feel they are too small for a hacker to target. The reality is that nothing could be further from the truth. Hackers don’t care about business size; they look for holes in a network with scanning tools. They don’t discriminate between a luxury car and a clunker. If there’s something of value in the front seat, it’s theirs for the taking! So, business owners should take the time to inventory the business and make a priority list of the highest-value assets that could be on the network and connected to the Internet. From there, it’s much easier to isolate, defend and protect the business and its patrons.
2) Put security first. Focus on security first and not on regulatory compliance. This may seem counterintuitive, but compliance mandates such as PCI DSS, HIPAA and others are simply a way of testing a company’s security posture. Businesses should take a top-down approach: secure customer information first, and the remaining items needed to meet compliance standards are minimized. These standards are based on security best practices, so by implementing those practices, compliance requirements are effectively addressed by default. Of course, there will be remaining areas that need to be addressed, such as physical security of assets and employee issues. However, the network will be largely secured, leaving more time and resources to address other aspects of the security program.
3) Leverage available tools. Businesses often underutilize third-party vendors and online resources. A great example of this, and a largely underutilized tool, is the security policy builder offered by most merchant services providers. If a business accepts credit cards, it is supposed to submit a yearly self-assessment questionnaire (SAQ) through its service provider or partner. In most cases, tools such as policy builders, employee awareness training and many others are offered as part of a PCI SAQ package. Too often, businesses rush through the questionnaire process to get a certificate of compliance. That’s not security, and hackers couldn’t care less about it. Instead, businesses should look around the provider’s website and take advantage of the tools offered there. Those tools were developed around strong security measures and practices, and will elevate the security posture of any business regardless of size.
4) Understand the technical proficiency of the existing IT and/or security staff. This can be a bit of a sore subject, but the reality is that not all IT personnel are really good at security. In fact, the same can be said of some certified security personnel. Often, they do not “practice” security on a daily basis because they double as IT and are busy keeping desktops, printers and wireless devices operational. Guess what? Hackers do practice their craft every day! They live and breathe security countermeasures and see a weak security posture as a challenge that needs to be conquered! It’s often a game to them, and they are willing to expend all of their resources (which are vast) to break down your defenses. Every company is limited by its resources, and IT/security is no exception. Businesses should make a plan to discuss security with their staff, realizing that it’s a touchy subject and one that can invoke feelings of job insecurity. It’s rare to find technical personnel who are willing to openly state they need help (beyond financing security tools) in their area of expertise. But a word to the wise: take a look at recent breaches that have made the headlines. Every one of those companies had very good security technologies and resources in place, and they still got hacked. Everyone needs to be willing to accept help from other professionals.
5) Consider managed security services. Consider outsourcing critical security functions to managed security providers. Managed security service providers (MSSPs) are a great way to extend security resources without the capital outlay that accompanies a do-it-yourself approach. Let’s be real for a moment. Beyond just investing in the hardware and software, it’s going to cost roughly $500K per year just to staff a security team, because vigilance must be around the clock, every day of the year. This assumes security resources willing to work at this rate are available. And by the way, there is a critical shortage of trained security experts available to the market. By focusing on the steps above and understanding which cyber assets need to be protected, the required compliance mandates and existing IT/security limitations, businesses can effectively come up with a list of “must-haves” when looking for an MSSP.