Ransomware sucks! Is your cybersecurity up to the challenge?...

Cybersecurity Challenges

Too many organizations approach cybersecurity using one of three methods:

Method #1 - “if I just stick my head in the sand, it will go away” - these organizations do not even try to evaluate and understand the data they have, where it is stored, and how it is protected. As a result, they are lucky if antivirus is fully deployed and properly configured, or if other routine IT security measures are in place.

Method #2 - “if I just get the right antivirus, or the right intrusion detection, or the right firewall, my security problems will go away” - this is known as the silver bullet approach. It doesn’t work well either.

Method #3 - “if I throw everything but the kitchen sink at it, my security problems will go away”

Cybersecurity is an interdisciplinary business requirement and it needs the participation of cybersecurity professionals, IT infrastructure experts, business executives, and users. Regardless of the environment, security is not just a technology issue, but a human issue. This means:

  • an objective evaluation should be made of the organization’s information - where is it located, where is it accessed from, who has access, how is it protected from unauthorized access and data loss.

  • the executive team should have a solid, written concept of which information is most critical to the continuous generation of net income, how long they can be without specific data and services (recovery time objective), and how much of a given repository of data (in hours) they can afford to permanently lose (recovery point objective).

  • All cloud services in use should be enumerated and included in the security evaluation.

  • Understand the key risks to each repository of data - a manufacturer’s ERP system likely has more users accessing it from a wide variety of locations than the accounting or HR systems.

  • Often executives and senior managers can be the highest-risk users - by not attending security training, executives can set a poor example for users. Execs have some of the highest data access levels (and highest risk for ransomware)…that’s a scary combination which can be fixed via technical controls and training.

  • Pay particular attention to authentication - every cloud service capable of multi-factor authentication or one-time passwords (OTP) should have that enabled. Passwords are a problem for most organizations…some systems (like Internet of Things (IoT) devices) do not allow the enforcement of strong, complex passwords. Any system capable of enforcing strong, complex passwords should have that policy set.

  • Remote monitoring and management (RMM) systems will report on any devices which do not have antivirus installed. RMM systems can automate the process of ensuring AV is installed on all devices.

  • For manufacturers and medical environments in particular, take a hard look at Internet of Things (IoT). These businesses tend to have a much higher density of these items (thermostats, cameras, machines, medical devices, etc.) than other businesses. Segment the network so that the devices cannot be reached by devices on the business network, unless they go through specific firewall rules.

  • It’s no longer enough to have a high-quality firewall…it is essential to use a firewall which provides security features that give visibility into attacks and can act to stop them. This might be integration with a security events system or an active intrusion prevention system. The firewall should be configured with outbound ports blocked (other than those needed for the business).

  • All businesses need to take a hard look at the server and workstation operating systems in their business. Windows 7 and Windows Server 2008 are no longer supported…this can introduce an unacceptable business risk. RMM can be used not only to identify these devices but to automate the upgrade process.

  • Consider the use of a Security Information and Event Management (SIEM) system to tie together the event logs of all key information resources (servers, firewall, specific workstations) and automate their evaluation. This saves numerous hours per week and provides a cleaner ongoing assessment of risks.

  • Cybersecurity is also a human issue - none of us emerge from the womb with either the awareness or the toolset to improve the situation. Based upon your business risks, pursue employee training which goes beyond awareness. Training should provide living examples and experiences which make the lessons stick. Give your employees the tools they need to understand key risks, and the specific actions they can take to minimize these.

  • Working with internal IT staff and outside expertise to take the risk assessment and work towards an integrated approach to solving the issues will provide the best risk reduction at the lowest cost of ownership. Focus on the big-risk items first, especially the ones which could damage cash flow or reputation the most. Every organization which has worked hard to build customer trust needs to expend the effort to maintain it.
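
The segmentation and outbound-port points in the list above can be checked mechanically against an exported firewall rule list. The following Python is an added example, not part of the original article; the zone names, the rule format, and the approved outbound port list are assumptions chosen for illustration, and both rule sets are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str     # source zone: "business", "iot" or "any" (hypothetical names)
    dst: str     # destination zone: "business", "iot", "wan" or "any"
    port: str    # destination port as text, or "any"
    action: str  # "allow" or "deny"

# Assumption: the only outbound ports this business needs (DNS, NTP, HTTPS).
APPROVED_OUTBOUND = {"53", "123", "443"}

def audit(rules, default_action):
    """Return findings as (rule_index, message); index -1 means the default policy."""
    findings = []
    if default_action != "deny":
        findings.append((-1, "default action is not deny"))
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        # Segmentation: traffic into the IoT segment must name a specific port.
        reaches_iot = r.dst in ("iot", "any") and r.src != "iot"
        if reaches_iot and r.port == "any":
            findings.append((i, "IoT segment reachable on every port"))
        # Egress: outbound traffic is limited to the approved port list.
        if r.dst in ("wan", "any") and r.port not in APPROVED_OUTBOUND:
            findings.append((i, f"outbound port {r.port} not on the approved list"))
    return findings

# Constructed sample: a flat network with unrestricted outbound traffic.
WEAK_RULES = [
    Rule("business", "iot", "any", "allow"),
    Rule("any", "wan", "any", "allow"),
]

# Constructed sample: segmented network with an outbound allowlist.
HARDENED_RULES = [
    Rule("business", "iot", "443", "allow"),
    Rule("business", "wan", "443", "allow"),
    Rule("business", "wan", "53", "allow"),
    Rule("iot", "wan", "123", "allow"),
]

if __name__ == "__main__":
    for name, rules, default in (("weak", WEAK_RULES, "allow"),
                                 ("hardened", HARDENED_RULES, "deny")):
        print(name, audit(rules, default) or "no findings")
```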

An integrated and purposeful security design is the best means to protect your business. Sit down with your organization’s key risk stakeholders…set out a rough calendar for how to define your current information repositories as well as the key risks to each. Then you can work together to prioritize remediation to these risks using internal and external expertise as appropriate. Feel free to call Dolce Vita at 405-348-1192 to find out how we help businesses with this process every day.
