Cybersecurity – Understanding the Vulnerability Management Process
As a member of the River Run team, I am able to spend time meeting with our clients during Road Map planning sessions. One of the main topics discussed is Cybersecurity and Data Loss protection. It is important to be aware of Cybersecurity risks and the need for network security. The cost of a breach could be detrimental to your business.
Some of the questions we are often asked during the Road Map planning sessions are:
1. How would hackers gain access to my system?
2. Why would they want to access our files? We are so small.
3. What information would they want? We have no client financial information.
4. What can we do to decrease the chance of being hacked?
5. How much will this cost if I am hacked?
6. What does a data security solution cost?
7. Where do we start?
A strong cybersecurity strategy will improve your data loss prevention risk. A proactive approach to threat and vulnerability management includes several strategies, some you can implement yourself. Others, such as network monitoring, will need the time and service of experts. We hope you reach out to the River Run team!
Passwords: A strong cybersecurity plan involves a password policy that covers length, complexity, change frequency and secrecy. At a minimum, a password should be 9 or more characters and include upper- and lower-case letters, symbols and numbers. To ensure data protection, end users should be required to change their passwords quarterly and a password should never be shared nor emailed.
When IT support asks for a password, the end user should put the password in when possible. If an end user does have to provide their password to IT or a security professional, the end user should immediately change the password after the service is complete. A password is the one secret you are allowed to keep guilt free!
Training and Coaching: The objective of regularly conducting training and coaching sessions is to create a security-focused workplace culture where end users protect themselves and the company in real world situations related to their jobs. Users are not aware of the vulnerabilities created by opening an “evil” email or when they allow a vendor access to an application or when they “try to help out” by purchasing and installing a wireless device on the network without the help of the busy IT person.
Training and coaching should include:
1. When to use and when not to use unsecured wireless
2. Safe remote access when traveling domestic and international
3. Safe storage of company equipment
4. Safe surfing and avoiding unsecure sites
5. Storing files and secure cloud storage
6. Password protocol
7. User owned equipment
Human error is the leading cause of breaches. By training end users, we greatly decrease the risk of a data leak. We suggest using the services of a third-party trainer to train your users. Studies show that the effectiveness of the training increases because the outside resource is perceived as the “expert” and there is no baggage between the IT team and the end users to get in the way of learning. Training should be conducted, at a minimum, annually, and especially when a new person starts with the company.
IT Security Policy: Yes, another policy… is what we are strongly recommending you add to your employee handbook. In a recent survey conducted by ShredIT, 30% of employees surveyed admitted they do not know where the company’s IT security policy is stored. More importantly, 13% say they have seen the policy but do not actually remember its details. It is very important for users to see and understand what the company’s policy is regarding safe computing.
The policy should cover items such as taking equipment home, using personal equipment in the office, connecting remotely to the company applications, personal use of company equipment for shopping and planning vacations. The policy should even outline standards when someone is leaving a machine in their car or at home. The usage policy must include no sharing of passwords.
Physical Security: Strong passwords are not the only way to enhance your company’s vulnerability management. Physically securing your equipment and software is another. If you are in a coffee shop and walk away “just for a minute” you take the risk of your company being exposed to network penetration and data loss.
Where possible you might even want to physically secure machines to desks in order to prevent physical loss of equipment. There are locking systems that are subtle and are not easily noticeable.
Using a shared thumb drive or portable drive to share files exposes you and your company to cybersecurity vulnerabilities. USB ports on workstations and portable devices are openings for data to be stolen or viruses to be loaded. Lock down USB ports where possible.
Unsecured data jacks are also an area overlooked through day-to-day maintenance. An open data jack is comparable to leaving the front door of your house open just a crack. One hacker technique involves a hacker physically accessing the office and plugging a wireless device into a live data jack and then hiding the wireless access point. This allows the hacker to work on gaining access to the building remotely at their leisure. To be safe, any open data jacks in your office must be locked down.
Additional Best Practices:
1. Running the automatic Screen Lock is common practice, but it is also something that the end user can circumvent. It is critical to have a screen lock automatically within 5 minutes of no use, and when a user walks away from their machine, they should manually lock the screen.
2. Data Encryption: Preventing data loss is the number one priority and encrypting critical files helps prevent access to the data if stolen. By encrypting your data, you are making the data virtually useless to the hacker. Your encryption practice should include client information, client lists, financial information, employee information, legal documents, vendor information, business partner information and any proprietary formulas or processes your company has developed.
3. Limit network administrator rights to only a small number of users and make sure those rights are a separate account than the users’ standard user account to protect the network from compromise.
4. Shred all documents with company, client, employee and other important docs that could be used to compromise the company or client’s identity and systems.
1. A firewall with built-in AV and other security tools is a must for all networks. We suggest that an appliance firewall be installed at end users’ remote locations including homes if they access the business systems on a regular basis.
2. “Find my device” tools can assist with the recovery of equipment and shut down a potentially bad situation.
3. Managed antivirus software loaded on both your servers and workstations is a must and needs to be managed to help identify trends.
4. Disk wipe: tools should be run whenever swapping out a machine within an office and definitely when swapping out a machine that will be sent to a recycling company. There is no guarantee where that machine will end up, so you should wipe the drive on your own.
5. Firewall protecting the office and a firewall should be used to protect your home if you perform a lot of business from your home.
6. Phishing tools such as KnowB4 allow us to test the end users for a nominal investment and identifies users and areas where we need to enhance the end-user training.
7. Password vault to store network passwords and for end users to store their individual passwords. This system will decrease the need for people to write down their password and store it under the keyboard. The password vault allows a network administrator to store all the company-pertinent passwords in one place and gives that person access to the passwords wherever they are in the world. River Run offers a password Vault solution to our clients and the clients make it available to their employees, which is a differentiator for our clients.
One phrase to remember in the world of Secure networks “More Means Less.” The more you put into your cybersecurity, the less chance you have of being compromised. Cybersecurity is a moving target. We can work with you to review your security regularly to keep your companies and your people safe. If you have any questions regarding the items in this article please reach out to me and I will put you in touch with our team to keep your cybersecurity at an effective level.
Learn more: download our free whitepaper 5 Major Security Threats You Can’t Afford to Ignore
Share this article