Information security is essential to your organization. You store data in spreadsheets, Microsoft Word documents, an ERP or CRM database, and human resources and payroll systems. This data represents your business and the way it operates, its performance, its future plans and its personnel. These items are unique to your business and put it at risk if they are lost, altered or exposed; they are therefore essential to your organization and must be protected.
You might think of it the way you think of putting locks on your doors, but that comparison is oversimplified and does not adequately address the problem. Unlike the doors of a building, which remain static over a long period, information is fluid: it changes daily and faces new threats on a regular basis. Consider that antivirus vendors release signature updates daily to detect new malware, or that your employees change over time and their access, and the policies that apply to them, shift with them. And these are just the internal problems. Consider also that new information theft tools, and the people commonly referred to as "hackers", appear every day and attempt to get into your systems without ever entering your premises; in fact it is likely they are doing this from another country.
All of this presents an environment that is much more difficult to manage than simply "locking the doors".
In this article we want to share with you the three factors that you must consider as you secure your environment: the policies you implement, the tools used to protect your environment, and the people who affect your information security.
The Policies of Information Security
When we speak of policies we mean two things: the written philosophy and policies of information security, and the policies enforced by the settings of the systems and tools you have implemented.
The first is your written policies and philosophy about information security. Some organizations treat this as an afterthought and never direct their information technology team or their employees to treat security as important or to behave in a particular way to protect it. Does your employee manual have specific language about what information may be accessed, and by whom? Do you have a published directive on what the Internet may be used for from inside your network? These questions and many others must be answered, and a specific philosophy developed through written policy, to inform your users of what they should and should not do. Publishing the policy also elevates the importance of information security. Finally, it gives you a basis for enforcing your policies through employment disciplinary action if they are not followed.
The second type of policy is implemented in the tools that protect your environment. For example, your organization likely has a firewall, a device that manages the traffic in and out of your network, permitting some connections and blocking others. Its firewall rules are intended to limit the exposure your environment presents to the outside world. A specific example of such a rule is to block access to third-party public email services (Hotmail, Gmail, etc.) from inside the network, so that malware arriving as a personal email attachment cannot bypass the filtering on your corporate mail system. Your written policy may say that employees must not access these services from their company-supplied computer, but the firewall helps you enforce the rule by preventing the access. Note that on firewalls that apply the first matching rule, a block like this only works if it is placed before any broader rule that allows general web browsing; a deny rule placed after a general allow never matches. Other examples include a password length or complexity requirement (including a maximum password age), file and directory permissions on a shared folder, and many more that your information technology team would implement. These will be unique to your business and should be considered carefully and then monitored for changes as time goes on.
You can see why both types of policy are important considerations for your organization. If you are not discussing them at least annually, it is highly likely that your environment is insecure. Both must be considered to provide information security while still giving your authorized users access to what they need to perform their duties efficiently.
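The following is an added example, not code from the original article or from Keystone. It models the first-match-wins, default-deny rule processing used by most firewalls so that the webmail block described above can be tested against sample connections, and it flags deny rules that are "shadowed" by an earlier, broader allow, which is the usual way a written policy ends up unenforced. The networks, host names, ports and policy references are assumptions for illustration; matching on a host name assumes the firewall or web proxy inspects the TLS SNI or HTTP Host header, since a plain packet filter would need the providers' published address ranges instead.

```python
"""Egress rule evaluation: first match wins, nothing matched means deny.
Added example (not the article's or Keystone's code); all rules, hosts,
networks and policy numbers below are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # internal source network in CIDR notation
    dst_host: Optional[str]  # destination host name, or None for any host
    dport: Optional[int]     # destination TCP port, or None for any port
    comment: str             # which written policy the rule enforces


# Constructed rule set in the correct order: specific denies before the general allow.
EGRESS_RULES = [
    Rule("deny", "10.0.0.0/8", "mail.google.com", 443, "policy 4.2: no personal webmail"),
    Rule("deny", "10.0.0.0/8", "outlook.live.com", 443, "policy 4.2: no personal webmail"),
    Rule("allow", "10.0.0.0/8", None, 443, "general HTTPS browsing"),
    Rule("allow", "10.0.0.0/8", "smtp.example.com", 587, "company mail relay (assumed host)"),
]

# The same rules with the general allow placed first: the webmail denies can
# never match, so the written policy is silently no longer enforced.
MISORDERED_RULES = [EGRESS_RULES[2], EGRESS_RULES[0], EGRESS_RULES[1], EGRESS_RULES[3]]


def _matches(rule: Rule, src_ip: str, dst_host: str, dport: int) -> bool:
    return (ip_address(src_ip) in ip_network(rule.src)
            and (rule.dst_host is None or rule.dst_host == dst_host)
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules: List[Rule], src_ip: str, dst_host: str, dport: int) -> Tuple[str, str]:
    """Return (action, comment) of the first matching rule; default deny otherwise."""
    for rule in rules:
        if _matches(rule, src_ip, dst_host, dport):
            return rule.action, rule.comment
    return "deny", "default deny: no rule matched"


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already
    matches every connection they would match. A shadowed deny is a policy gap."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and (earlier.dst_host is None or earlier.dst_host == later.dst_host)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    for rules, name in ((EGRESS_RULES, "correct order"), (MISORDERED_RULES, "misordered")):
        print(name, evaluate(rules, "10.1.2.3", "mail.google.com", 443),
              "shadowed:", shadowed_rules(rules))
```

Running the block shows the same connection to mail.google.com denied under the correct ordering and allowed under the misordered one, with the two webmail denies reported as shadowed. A check like `shadowed_rules` is worth running whenever a rule set changes, which is the "monitored for changes as time goes on" part of the paragraph above.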
The Tools of Information Security
The tools of information security are the technology components intended to protect your environment. They include the ones you probably know about, such as antivirus software and your firewall, but also things like Active Directory security, monitoring and logging of system access, server patching with vendor-supplied security updates, and many more.
Keystone has found that no single information security tool can provide peace of mind by itself. If you have a great firewall, it still has to be managed effectively, and users who bring a USB stick from home still have to be prevented from using it on a work PC. In other words, the firewall by itself does not protect your environment. In our own testing of the popular antivirus tools, none of them caught more than approximately half of the attacks they encountered. We concluded that we had to use multiple tools, carefully aligned so that they do not prevent users from working effectively while still reducing the attack surface. Some of the tools and settings you should review continuously include:
- Patch process and patch level of all components, particularly servers, firewalls and routers
- Physical security, particularly of servers
- Antivirus and antimalware software
- Active Directory configuration (this controls who can access data)
- Workstation (personal computer) updates
- Administrative (or "root") access on any system
- Security and access logs
Once again, all of these should be reviewed on a regular basis, because new threats arise and new tools become available to counter them.
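The last two items in the list, administrative access and the security and access logs, are only useful if someone actually reads the logs against the written policy. The following is an added example, not code from the original article or from Keystone, of the kind of review a periodic log check should perform. It runs three checks over a few constructed authentication log lines: a burst of failed logons followed by a success from the same source (a guessed or phished password), a privileged account logging on outside business hours, and a logon to a server by an account not on that server's authorized list (a stand-in for Active Directory group membership). The log format, hosts, accounts, thresholds and business hours are assumptions, and the sample lines are constructed, not real data.

```python
"""Review of authentication logs against policy. Added example (not the
article's or Keystone's code); log format, hosts, accounts, thresholds and
business hours are assumptions and the sample log is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log (2024-03-04 is a Monday).
SAMPLE_LOG = """\
2024-03-04T02:13:07 fs01 login: user=jsmith src=10.0.5.21 result=FAIL
2024-03-04T02:13:12 fs01 login: user=jsmith src=10.0.5.21 result=FAIL
2024-03-04T02:13:19 fs01 login: user=jsmith src=10.0.5.21 result=FAIL
2024-03-04T02:13:31 fs01 login: user=jsmith src=10.0.5.21 result=OK
2024-03-04T09:02:44 fs01 login: user=mlee src=10.0.7.40 result=OK
2024-03-04T22:41:03 dc01 login: user=admin-kp src=10.0.9.9 result=OK
2024-03-04T10:15:00 hr01 login: user=mlee src=10.0.7.40 result=OK
"""

# Assumed policy inputs.
AUTHORIZED: Dict[str, set] = {             # who may log on to which server
    "fs01": {"jsmith", "mlee"},
    "hr01": {"hr-payroll"},
    "dc01": {"admin-kp"},
}
PRIVILEGED = {"admin-kp"}                   # administrative accounts
BUSINESS_HOURS = (7, 19)                    # Mon-Fri, 07:00 <= hour < 19:00
FAIL_THRESHOLD = 3                          # failures that make a following success suspicious
FAIL_WINDOW = timedelta(minutes=10)         # only failures this recent count

Finding = Tuple[str, str, str, str]         # (kind, host, user, src)


def parse(text: str) -> List[dict]:
    """Parse log lines into events sorted by time. Lines that do not match the
    format are skipped here; a production job should count and report them."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({**m.groupdict(), "ts": datetime.fromisoformat(m["ts"])})
    return sorted(events, key=lambda e: e["ts"])


def review(events: List[dict]) -> List[Finding]:
    findings: List[Finding] = []
    failures = defaultdict(list)            # (host, user, src) -> failure timestamps
    for e in events:
        key = (e["host"], e["user"], e["src"])
        if e["result"] == "FAIL":
            failures[key].append(e["ts"])
            continue
        # A success: was it preceded by a burst of recent failures from the same source?
        recent = [t for t in failures.pop(key, []) if e["ts"] - t <= FAIL_WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            findings.append(("guessed-password",) + key)
        # Is this account allowed on this server at all?
        if e["user"] not in AUTHORIZED.get(e["host"], set()):
            findings.append(("unauthorized-host",) + key)
        # Privileged logons outside business hours deserve a second look.
        if e["user"] in PRIVILEGED:
            in_hours = BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]
            if e["ts"].weekday() >= 5 or not in_hours:
                findings.append(("after-hours-admin",) + key)
    return findings


if __name__ == "__main__":
    for finding in review(parse(SAMPLE_LOG)):
        print(*finding)
```

On the sample log this reports three findings: jsmith's success after three rapid failures, mlee's logon to hr01 where the account is not authorized, and admin-kp's domain controller logon at 22:41. Note that the failure window and threshold are deliberately conservative; the value of a review like this comes from running it on every log export and from someone owning the follow-up on each finding.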
The People of Information Security
The people of information security include your users and your information technology personnel.
Information Security and Users
A good IT team can go a long way towards protecting you, but unfortunately users can undo much of its effort.
We recently had a third party perform a security audit of one of our client environments. This environment includes over 50 servers and 300 workstations. The audit was limited to perimeter testing, meaning the firm performing it was not inside the building or on the internal network and instead posed as an attacker from outside. We received the results and were pleased that, across the entire environment, there were only seven issues, two of which were previously known. What surprised us was that some of the issues referred to internal server names rather than to the addresses by which those systems could be reached from outside. Further investigation revealed that the servers in question were behind the firewall and in no way reachable from the Internet. We asked the firm to confirm that they had performed a perimeter check only, and they revealed that they had telephoned users posing as someone authorized to receive their account name and password, and had simply been told both over the phone. This gave them access to the inside of the network, where they ran scanning tools to find vulnerabilities.
In other words, the servers of concern were inside the network and "protected", except that users had given their credentials to somebody who asked for them over the phone.
It is essential to train users and keep them continually updated on the policies you have written, the threats they may encounter, and the importance of information security to every individual. We recommend at least annual training and regular bulletins to users about common security threats. The training should give users a simple rule they can fall back on, such as: nobody from IT will ever ask for your password by phone or email, and any such request is to be reported.
Information Security and your IT Team
Your information technology team will need to have two essential attributes:
- IT Security Skills
- IT Security Mindset
The first, IT security skills, is the knowledge and capability to secure every component in the environment. This is rarely possible with one or two IT people, because they cannot know the deep details of every technology involved well enough to lock everything down adequately. They may understand firewalls but not know how to secure the email server that is exposed through the firewall. They may know how to update antivirus on a desktop but not how to implement a server audit policy to detect unauthorized access by internal employees. You should have an inventory of all of your systems and identify the people capable of securing each of them. Once again this is an ongoing process, as the systems, and the threats to them, change almost daily.
The second is an IT security mindset. This means that the personnel who manage your systems and support your users have a top-of-mind awareness that information security is important. They make decisions on a regular basis as they design, implement, and grant access to systems. For example, if a user is having a problem editing a document, an IT employee with a low regard for security may simply grant wide-open access to the folder so that the problem goes away. A person with a security mindset treats the complaint as a legitimate issue to resolve, but grants only the specific permission the user's role requires and never removes all access controls. You may have a person like this on your team, but it is essential that everybody who manages systems and access thinks this way. Your IT team also needs regular training and outside assistance.
Information security is essential to your environment, but it is difficult to attain and maintain. Constant new threats, varied and changing systems and personnel, and ongoing business needs all make it difficult.
Keystone can help you with this. We have a security mindset because we understand that you look to us to help you keep data flowing through your business while keeping it secure. We have a large team with skills in all of the common systems in your environment, such as email, firewalls and network file shares. Once again, all of these have to be considered, or else it is like locking nine of your doors and leaving the tenth unlocked. We have a large enough staff to cover all of them.
We work with numerous companies and therefore see all of the types of threats you may encounter: the threat we see and respond to today is the one you may encounter next week, and we often already have a plan to stop it before you ever see it. We help you develop written policies, provide user training, and create an environment where information security is interwoven in a way that assists your business rather than preventing it from performing basic functions.
We constantly review and refine our toolset, and usually include the entire package of tools in our services, so that you have a comprehensive mindset, team of people, and toolset to protect you.
Contact us today to see how we can review your environment and help you implement an information security solution that adds value.