Information Security: Essential To Your Organization

Information security is essential to your organization. You store data in spreadsheets, Microsoft Word documents, an ERP or CRM database, and human resources and payroll systems. This data represents your business and the way it operates, its performance, its future plans and its personnel. These items are unique to your business and pose a risk if lost or compromised; this data is therefore essential to your organization and must be protected.

You might think of it similarly to how you put locks on your doors, but this is oversimplified and does not adequately address the problem. Unlike the doors of a building, which remain static over a long period, information is fluid: it changes daily and faces new threats on a regular basis. Consider the fact that antivirus software vendors release updates daily to detect new viruses, or that your employees change over time and their access and policies shift with them. And these are just the internal problems. Consider also that new information theft tools, and those we refer to as “hackers”, appear every day to attempt to get into your systems without ever entering your geographical environment; in fact it is likely they are doing this from another country.

This all presents an environment which is much more difficult to manage than simply considering it like “locking the doors”.

(Figure: Information Security Venn Diagram)

In this article we want to share with you the three factors that you must consider as you attempt to secure your environment. These are the policies you implement, the tools used to protect your environment, and the people who affect your information security.

The Policies of Information Security

When we speak of policies we are considering this in two ways: the written philosophy and policies of information security, and the enforceable policies due to system settings or tools that are implemented.

The first is your written policies and philosophy about information security. Some organizations consider this an afterthought and do not direct their information technology team or their employees to treat security as important or to behave in specific ways to protect it. Does your employee manual have specific language about what information is allowed to be accessed? Do you have a published directive on what the Internet can be used for while inside your network? These types of questions and many others must be answered, and a specific philosophy developed through written policy, to inform your users of what they should and should not do. This also elevates the importance of information security because it is being published. Finally, it serves as a way to enforce your policies through potential employment disciplinary actions if they are not followed.

The second type of policy is implemented in the tools that are intended to protect your environment. For example, your organization likely has a “firewall”, and this device manages the traffic in and out of your organization, permitting some and preventing other traffic. These are known as firewall rules and are intended to limit the exposure your environment presents to the outside world. A specific example of one of these rules would be to block access to third-party public email servers from inside the network. This would be intended to prevent viruses from coming in through Hotmail, Gmail, etc. You may have a written policy that says employees should not access these services from their company-supplied computer, but the firewall helps you enforce the rule by preventing access. Other examples would include a password length or complexity requirement (including a requirement to change passwords after a set time), file directory security on a shared folder, and many more that your information technology team would implement. These would likely be very specific to your business and should be considered carefully and then monitored for changes as time goes on.

You can see why these two types of policies are an important consideration in your organization. If you are not reviewing them at least annually, on some level, it is highly likely that you have an insecure environment. It is important to consider them both: to provide information security, while still giving your authorized users access to what they need to perform their duties efficiently.

The Tools of Information Security

The tools of information security are the technology components which are intended to protect your environment. These include the ones you probably know about, like antivirus software or your firewall, but they also include things like Active Directory security, monitoring and logging tools on system access, server patching for vendor-supplied security updates, and many more.

Keystone has found that no single information security tool can effectively provide peace of mind by itself. If you have a great firewall, it also has to be effectively managed, and your users who bring a USB stick from home have to be prevented from accessing it on a work PC. In other words, the firewall by itself does not protect your environment. In fact, we tested all of the popular antivirus tools and found that none of them could trap more than approximately half of the attacks they encountered. We determined that we had to use multiple tools in the environment, carefully aligned together so that they would not prevent users from working effectively, while at the same time reducing the attack surface. Some of the tools you should consider for continuous review include:

  • Firewalls
  • Patch process and patch level of all components, particularly servers, firewalls and routers
  • Physical security, particularly of servers
  • Antivirus and antimalware software
  • Active Directory configuration (this controls who can access data)
  • Personal computer updates
  • Administrative (or “root”) access on any system
  • Security and access logs

Once again, all of these should be reviewed on a regular basis, because new threats arise and new tools become available to counter them.

The People of Information Security

The people of information security include both your users and your information technology personnel.

Information Security and Users

A good IT team can go a long way towards protecting you, but unfortunately users can undo a lot of its efforts.

We recently had a third party perform a security audit of one of our client environments. This environment includes over 50 servers and 300 workstations. The audit was limited to perimeter testing, which means that the firm performing it was not inside the building or on the internal network and was instead posing as a hacker from outside. We received the results and were pleased that, out of the entire environment, there were only seven issues, two of which were previously known. What surprised us was that some of the issues referred to internal server names, as opposed to how those servers might be accessed from the outside. Further investigation revealed that the servers which were accessible to the audit firm were behind the firewall and in no way available from outside. We asked the audit firm to confirm that they had done a perimeter security check only, and they revealed that they had telephoned users, posing as someone authorized to receive their account name and password, and had been given those credentials over the phone. This gave them access to the inside of the network, where they ran scanning tools to find vulnerabilities.

In other words, the servers of concern were inside the network and were “protected” except for the fact that users had given out their credentials to somebody who requested them over the phone.

It is essential to train users and keep them continually updated on the policies you have written, the threats they may encounter, and the importance of information security for every individual. We recommend at least annual training, and regular bulletins to users about common security threats.

Information Security and your IT Team

Your information technology team will need to have two essential attributes:

  • IT Security Skills
  • IT Security Mindset

The first, IT security skills, is the knowledge and capability to secure all of the components in the environment. This will not be possible with only one or two IT people, as they will not understand the technology involved deeply enough to lock down everything adequately. They may understand firewalls, but not know how to secure the email server which is reachable through the firewall. They may understand how to update antivirus on a desktop, but not know how to implement a server policy to audit for unauthorized access by internal employees. You should have an inventory of all of your systems and identify the people who are capable of securing each of them. Once again, this is an ongoing process, as the systems, and the threats to them, change on an almost daily basis.

The second is an IT security mindset. This means that the personnel who manage your systems and support your users have a top-of-mind awareness that information security is important. They will be making decisions on a regular basis as they design, implement, and allow access to systems. For example, if a user is having a problem editing a document, some IT employees with a low regard for security will grant wide-open access so that the problem no longer inhibits the employee. A person with an IT security mindset will recognize this as a potential issue and would never remove all access rules. You may have a person on your team like this, but it is essential that everybody who manages systems and access is aware of this. Your IT team also needs regular training and outside assistance.

Conclusion

Information security is essential to your environment, but it is difficult to attain and maintain. The constant stream of new threats, varied and changing systems and personnel, and ongoing business needs all make this difficult.

Keystone can help you with this. We have a security mindset because we understand that you look to us to help you attain a good business flow of data and keep it secure. We have a large team of individuals with skills in all of the common systems in your environment, like email, firewalls, network file shares, etc. Once again, all of these have to be considered, or else it is similar to locking nine of your doors and leaving the tenth unlocked. We have a large enough staff to consider all of them.

We work with numerous companies and therefore get an opportunity to see all of the types of threats that you may encounter: the threat we see today and respond to is the one you may encounter next week. We often already have a plan to stop it before you ever see it. We help you develop written policies, provide user training, and create an environment where information security is interwoven in a way that assists your business rather than preventing it from performing basic functions.

We constantly review and refine our toolset, and usually include the entire package of tools in our services so you have a comprehensive mindset, team of people, and toolset to protect you.

Contact us today to see how we can review your environment and help you implement an information security solution that adds value.


Learning from the New York Stock Exchange’s Technology Failure

The New York Stock Exchange (NYSE) experienced a serious technology failure this week of approximately 3.5 hours, after experiencing reduced functionality for the first 2.5 hours of the trading day. The NYSE is of course a very high-profile, internationally critical component of our financial systems. System-wide failures are extremely rare, and when they do occur they are publicized. This allows us to consider what happened, and what we can learn from it that may help you.

What was the Technology Failure?

The NYSE has numerous software applications that are integrated to provide a cohesive system for access and control. There is the core record-keeping system, systems to manage the process, customer systems to control accounts and execute trades, systems that monitor activity for fraud, etc. These systems exchange data with each other at various levels, and depend on being compatible and reliable.

On Tuesday evening, July 7, 2015, NYSE administrators applied an update to one of these systems to support a change in how the industry timestamps transactions. On Wednesday morning, July 8, 2015, the NYSE started noticing issues with communications between systems and applied an update to the customer system; this in turn created more issues.

The problem was not resolved, and at 11:30am the NYSE shut down trading and continued to work on the issue. At just after 3:00pm, non-updated backup systems were brought up in place of the production systems and operations resumed.

A quick synopsis can be seen here: http://www.cio.com/article/2946354/software-update-caused-nyse-suspension.html

What do we learn that is applicable?

What does your SMB-sized organization take away from this?

You may be able to continue operations. The NYSE must have a level playing field to allow everybody to execute trades at the same time, or else fraud or inequality of opportunity become an issue. Your business may be able to continue operations without a complete shutdown if one function is limited or creating data issues. For example, if your customer service system is down and orders via the web cannot be taken, it may be possible to post a placeholder message informing customers that they can call customer service to place an order. You may need to temporarily reallocate staff to handle more call volume, but customers can still be served, and a more personal conversation can take place during the transaction.

Systems are complex, especially multiple systems that communicate with each other. Software, especially software designed for a specific organization and use, can be complex. The luxury of waiting for others to test it in the real world is not present. So testing is essential, and it must reflect the real world: real data, real transactions, and real systems that mirror the production system with the changes under test applied. The testing must be broad, rigorous and deliberate, and results must be tracked. Automated test tools can make the process more efficient, but they are just pieces of software and must be set up and used correctly. When multiple systems are involved and dependent upon each other, they all must be exercised.

Disaster recovery works, but executing it is a choice. In this case, the NYSE decided to cut over to the backup systems to continue operations. This is not the same thing as pulling a server out of the closet, installing everything, and going back to operations. This is a “hot system”, one that has all of the live data but was not updated with the errant code. Cutting over is not a small decision, as there is normally a cut-back process once the issues are resolved, but it was one they could make because they had designed the systems for it. This allowed them to resume operations while still dealing with the issue. Most small organizations do not have this capability, but they can, and at a very economical price. My firm, Keystone Technology Consultants, offers this for even very small clients of 20 users. It is not just a peace-of-mind issue; it literally allows an organization to continue operations, keep the flow of work and money, and maintain its reputation and client relationships. It is essential.

I would love to hear your view of this, feel free to comment below.


World Class IT

Ever see a mission statement? Your own or another organization’s? Most reflect the same sentiments – “world class” in everything we do… unmatched service… excellence. Setting lofty goals is admirable – hyperbole or not – but it’s always important to examine the outcomes and goals you have for each initiative. Businesses today, from small to large, are all stretched thin – and losing touch with what really impacts reaching your business goals can be detrimental to your company’s success, if not deadly.

So we make choices every day: what is critical to success and what can we live with as “good enough?” But be careful when deciding which is which, because it is not always clear cut. It is easy to know what is “core” to your business – but do you know all of the other areas that are critical to deliver excellence in your core business?

Often, inefficiencies in technology and infrastructure are where organizations settle for “good enough.” What we lose sight of are the efficiencies in time and money that the right technology solutions can bring across the organization. “Good enough” just isn’t enough to deliver your products, services, and support with excellence. Your competitors can achieve better than you – in everything you do – simply by having an infrastructure that strives to be world class, enabling them to be faster, better, and cheaper.

World-class does not have to be expensive, but it does require thought. More specifically, it requires strategies and people committed to rightsizing the IT function and making sure it is aligned with your business goals. An organization that is small, or that does not have information as a core part of its offering, may consider outsourcing to gain the advantage of a world-class IT function without the cost of a wholly owned unit. The best news is that the cost savings and gains in efficiency turn your IT from a cost center into a partner in your business.

Researching and considering what makes a “World Class IT” function has led me to believe that it embodies the following characteristics:

  1. It creates and maintains a stable and robust platform that business units can reliably employ through all business cycles and functions.
  2. Its people are skilled in their roles and committed to the organization’s success, and it is a stable team with low turnover.
  3. It provides the needed systems and tools to enable all business units to understand their processes, and to measure and manage them for improvement.
  4. It spends just the right amount, with measures in place to understand costs. In other words, it has a budget in alignment with the rest of the organization – and has demonstrable value.
  5. It applies its knowledge of the organization, seen through the lens of data movement, to help define and improve business processes for the betterment of the whole organization.

I came across a book recently that has been helpful to many CIOs, and is aptly titled for our discussion – World Class IT by Peter High. In it he develops five principles for IT which differ from how I had thought of them. His five principles are:

  1. People form the foundation of an organization. Without the right people doing the right jobs at the right time, it is difficult to achieve excellent performance.
  2. Infrastructure distinguishes between a reactive organization and a proactive one. If software, hardware, networks, and so on are not consistently performing their tasks, the IT organization will become lodged in reactive mode. If the infrastructure works reliably, then a greater percentage of the organization can think about the future.
  3. Project and Portfolio Management is the engine through which new capabilities can emerge within the company. It is important to ensure that the portfolio collectively supports the goals of the business and that projects are delivered on time and on budget.
  4. IT and Business Partnerships are vital. It is the IT executive’s role to ensure that different groups within IT function as a team, communicating efficiently and effectively. It is equally important that IT develop partnering relationships with executive management, lines of business and key business functions to ensure ownership of and success for IT initiatives.
  5. External Partnerships are increasingly important as outsourcing becomes more common. By contributing to the discussion about business strategy, IT is in a strong position to determine which aspects of IT are best handled by external partners. Further, IT must be adept at managing those relationships to be sure the company gains the expected value from its outsourcing activity.

There are some overlaps with my list, but the differences point to areas that we need to make certain are not taken for granted. For example, disaster recovery does not “technically” add business value – but neither does insurance. Money spent to protect your business may someday be the best money you’ve ever spent. No one wants to need insurance – but you cannot accept being without it.

I especially appreciated the way High promotes Project and Portfolio Management, as it leads me to think back to the fact that the truly outstanding IT functions I have had the privilege to work with not only did that well for IT-centric projects, they actually led the rest of the organization in this discipline for non-IT projects.

Regardless of how you think of “World Class IT” – it is clear that often good enough just isn’t, and that your IT needs to be:

  • Encompassing of all functions in the department, and outside of it.
  • Measurable and actionable
  • Customized to your organization. World class is not the same for everyone as each organization has different goals and processes that support these goals.
  • Stable and reliable – never a barrier and always an enabler to great work.
  • Contributing to the growth of the business in a true partnership.

And that brings me to a concluding thought – metrics are important. They should be aligned to the overall business goals, and organized according to whatever system you choose to use when discussing and designing your IT function (e.g. High’s World Class IT or some other system). To that end, metrics should also:

  • Be assigned to a person responsible for their improvement
  • Have targets
  • Be limited in number – too many causes loss of focus
  • Have specific projects and initiatives created and assigned to reach and exceed each metric’s goals.

Over the next few months I will be spending time developing this, and publishing it here. I hope you find it helpful and welcome your comments below.