The 10 Commandments of IT Security
IT Security Commandment #4: Thou Shalt Not Expose Thy Data
Q: Do you know why you should never stop exposing your IT staff to COVID and/or flu jokes?
A: It is the best way to achieve nerd immunity!
Now that we have your attention, let’s discuss the fourth commandment of IT Security—Thou Shalt Not Expose Thy Data. In simple terms, the exposure of anything sensitive and/or confidential within your organization to the outside world can be a risk. This can include financial reports, bank account numbers, credit card information, usernames, passwords, customer records, health care data and so on. But, in truth, almost anything that is important or proprietary within your organization that you do not want released to the outside world should be protected and secured.
Time for Some IT Security Strategy
The first thing to do is a Strategic Exercise. The purpose is to identify important data across your organization and put in place policies and procedures to protect that data from both accidental exposure and from an outside attack. Each organization essentially has three kinds of data: a) financial records of the business, b) business property, which is everything from copyrights and patents to sales and marketing plans to customer and supplier information and so on, and c) personal identifiable information (PII) which is everything from birth dates to license plate numbers and everything in between. Each of these types of information should be evaluated to determine how accessible it should be within the company and how much it should be protected. This is the first step in creating a sound Data Access and Privileged Access Policy. This puts you on the road to never committing the sin of violating the 4th commandment!
Time to Put IT Security Tactics in Place
Now let’s review several tactics to put in place that lower the risk of data leaks or attacks:
Encrypted Backups. Backups are important, and the internet makes offsite backups even easier. But it is vital that all backups are encrypted, because with any storage, local or in the cloud, there is risk of exposure. Encryption conceals the real information within a backup and maintains confidentiality.
Avoid Public Wi-Fi and Use VPN. It is risky to using any business device on a public wireless network. It should be avoided at all times. Many networks appear to be legitimate but are not, and even the legitimate ones are usually not encrypted at all. In cases where such use is unavoidable, use a Virtual Private Network (VPN) tunnel or secure HTTP connection to keep things safe. Additionally, when working remotely with a wireless mouse, be aware that mouse jacking is possible. That is when a criminal uses an antenna to connect to your dongle enabling the wireless mouse to work. Try to use your touchpad instead!
Separate Internal and Guest Wi-Fi Networks. This is very important to reduce exposure within your own network. Guests or employee-owned smart phones often want to access a wireless network while at your location. Segmenting out a guest network for their use is a smart move. Keeping your guest Wi Fi separate and isolated from your internal network is important to ensure unwanted users or devices are not able to gain access to parts of the network used by your internal systems.
Multi-Factor Authentication. Putting in place a policy and system software that ensures that an end user successfully identifies themselves in multiple ways before gaining access to a business site and/or business data is a crucial method to reduce security risks. It is an extra layer of protection. In our view, anything that can be protected by MFA should be!
Password Management and Security. With the requirement of passwords for everything coupled with the fact that these passwords should be complex, the need for an organization to put a Password Management System in place has arrived. Typically, cloud-based password management software keeps a secure, encrypted online database of all passwords and has an important logging/tracking function built in. Why? So that audits can be produced to identify who accessed passwords and when. The added benefit is that users only need to recall one password—the one to access the password management software—in order to gain access to all the credentials required to do their work.
Activity or Event Logging. While not always needed in every organization, firms with higher needs for security and detailed knowledge of activity will put in place event logs on their networks or cloud services. Historically, this was used to enforce worker productivity, but it has also become a way to record access to information as well as understand the scope of an incident.
Awareness. Nothing will work better than educating your staff and training them on how to properly secure your organization’s data. In fact, it is a commandment in and of itself, so we will not belabor the point here. Just remember your staff, when aware, is a great layer of security because most breaches or leaks are caused by human error.
Log Out! Finally make it a practice for yourself and your staff to log out whenever you have completed work within a program or on your device. Having too many websites and/or windows open on a screen and then forgetting they are there just leads to trouble. So, give yourself the joy of logging out and moving on whenever you complete something!
Remember this commandment because exposing your business data to the world is just plain indecent! Contact IT Radix today for more information on how to protect yourself and your team.