The combination of a growing number of mobile devices and apps, coupled with our growing dependence on both them and the cloud, has created a vexing new challenge for IT and security professionals: nobody really knows where the perimeters are anymore.
As organisations cede increasing amounts of power and control to staff so that they can access and share data from virtually anywhere, sometimes even from their own devices if there’s a ‘Bring Your Own Device’ (BYOD) policy in place, has led to a loss of control and greater confusion about what company data is accessible by whom, what can access it, and where is it located.
This challenge isn’t new, but the urgency around getting a handle on it is growing not only because security threats and regulatory burden are becoming more weighty, but because the decentralisation of operations isn’t slowing down – it’s speeding up.
But act how?
The six steps to securing your perimeter
1) Audit and rank data according to its importance
The pain-points outlined above expose a key failing for most businesses: knowing exactly what data they have and a proper understanding of how important each data set is for operations. For instance: accounting, sales and sensitive customer information needs to be given a higher consideration than other data sets.
Credit card numbers, health histories and other forms of personal information are prime targets for hackers and regulations like Australia’s NDB and the European Union’s GDPR mean organisations are more accountable for protecting it in particular.
2) Create an incident report system
After some sort of calamity strikes a business, it’s often possible to trace the problem back to things that did or didn’t happen in the past.
A good way to avoid the embarrassment, or worse – organisation and brand damage – is to maintain an incident report documenting every event and/or experience that might be relevant from a security perspective. It might be noting a staff member who’s received a Nigerian ‘scam’ email or a computer/ mobile device that’s been lost or previously affected.
To further enhance your security and identify weak-points, pre-empting security breaches by conducting regular vulnerability or ‘PEN’ (penetration) testing, and then carefully documenting the results, is an ideal way to create a wider, more-rounded view.
3) Stick your head in the clouds
Cloud computing has completely democratised business computing. It’s a fast and easy road for organisation’s wanting to scale down and generally operate within the same technology.
The downside is that the freedom that cloud computing brings is often concealing what employees are up to. What information are sales or accounts people entering into what system and which cloud platforms are being used? What’s the true number of cloud platforms and/or web apps in-use? What versions is everyone running? What are the service levels and security capabilities? Are they being properly utilised?
It’s also important to know something about your cloud service provider, for instance how long has it been in business? What’s its financial situation? What do other customers say about it?
4) Conduct a mobile device audit
Today’s mobile devices are so powerful and capable that most people don’t need much else to do their jobs well. For remote workers who want to connect immediately with co-workers, their customers, and access business data at any time, it has never been easier; but research papers published in the last few years reveal that people are using as many as three or more devices to do so.
For IT and security managers this is a classic ‘herding cats’ dilemma.
As a starting point, organisations need to create a Mobile Device Management (MDM) framework that establishes effective policies and procedures for handling portable technologies, which is then properly communicated regularly and accessible to relevant employees at any time.
The ability to wipe and destroy data sitting in mobile devices that can no longer be accounted for is also a fundamental part of any MDM framework. Be it through loss or theft, today’s mobile devices can store large volumes of data, which often includes sensitive information that could pose serious risks in the wrong hands, and so every organisation needs to have some sort of fail-safe that it can rely on in a worse case scenario.
5) Determine the security postures of third-party suppliers and partners
It’s true that the more successful an organisation becomes, the greater the number of third-party suppliers and partners it comes into contact with.
This has important implications for security given that an increasing number of these interactions are now conducted digitally. It’s therefore not only important for an organisation to have its own security house in order, but also to communicate its security settings to external entities, while having a good understanding of their individual security postures.
6) Conduct assessments of what technology products are in use
A logical place to start assessing which technologies your organisation and its staff are using is to zoom-in on the actual security products currently in use and/or installed.
Security products and your technologies behave differently and are constantly needing to be updated, so ask yourself: do you have the right security technologies for your needs? Do they provide ‘advanced’ malware protection utilising Artificial Intelligence (AI), Machine Learning (ML) or even heuristics? Do they allow you to protect mobile devices? Are you aware of all the features and are they all switched on? What versions are you running and are they still supported? Are they updated with the latest patches? What about passwords, authentication and identity management? What and how many ‘web’ apps are in use?
Looking more generally at your IT environment, it’s important to do a proper audit of all technologies. Even office equipment like printers and scanners need to be assessed given many products store business data. If they’re decommissioned or sold into second-hand markets, these drives need to be wiped.
Creating the best cyber security plan for your organisation takes time, effort, thought, and the right business culture; encouraging staff to understand the risks and how they can mitigate them.
It also means having the right technology and managed service provider on your side.
Brennan IT is one of Australia’s most trusted and experienced business technology specialists, ready to help you and your organisation come to grips with its perimeter and reign in the ever-growing number of security risks.