The Grim Reality of Data Security and What To Do About It
Security has always been an important part of technology strategy. However, with the emergence of cloud technologies and increased mobility of the workforce, the business of securing your valuable data and the applications that drive your business has become increasingly complex. Gone are the days of buying a network firewall, installing it, brushing off your hands and calling it a day; our information assets are now at risk at many new exposure points.
The Grim Reality of Today's Security Landscape
News of security breaches are all over the headlines today. Ransomware attacks, blackmail, phishing and social engineering are all too common. The accountant mistakenly wires $20,000 to an unknown recipient posing as a legitimate vendor via a phishing e-mail. The company president clicks on an email link claiming his password is going to immediately expire if he doesn't take action immediately, subsequently sharing his credentials with a group of hackers. The sales guy returns from a sales conference, connects to the company network and delivers the malware he picked up while on the road. These are just a few examples of many types of security breaches, but the interesting part is that none of them would have been stopped by a traditional firewall.
Whether your business has compliance requirements or not, the reality is that all businesses have sensitive data representing years spent creating, reviewing, improving and sharing with clients, vendors and internal employees. We rely on this data every day. The man hours we have spent building our intellectual property (IP) are impossible to calculate. Reproducing the data and the IP value is simply unfathomable—in fact, theft or loss of significant IP is proven to sink the majority of businesses impacted.
Today's Business Security Risks
To help frame the significant risks to your business today, I have broken them into a few categories:
- People. People are at the front end of your company, receiving communication from the outside world. People can be manipulated. People make mistakes. People are emotional. These factors make them a prime target for some of the most lucrative and damaging attacks.
THE RISKS: Malicious E-mails (CEO Fraud, SpearPhishing), Malicious Websites, Social Engineering (e-mail, phone), Password or Identity Sharing
- Data. Data is everywhere these days. It's no longer just on your file server; it's in the cloud, too – even if you don't know it (see above, People). Data is on the move, making it much more difficult to protect.
THE RISKS: Unauthorized data sharing (cloud, e-mail), unauthorized/unregulated cloud storage, version history and change control, segregation and security controls
- Devices. Your data is now stored and accessible in more places than you know. Each employee may use a smart phone, tablet, home computer, and work computer to access your company data. Access to these devices, and subsequently to your data, can be difficult to control. Controlling web and e-mail access from these devices simply isn't feasible in most cases, as these functions are required to conduct business.
THE RISKS: Data sharing, Malicious websites, device theft, outdated security patches, access to public networks
- Servers. Yes, amongst all of this, in most cases we still have servers that store a significant amount of data and still offer a potential way into your network, and potentially access to your data
THE RISKS: Outdated security patches, network ports open to public, physical access, external vendor access
Without addressing the above risk categories, you leave your business susceptible to: loss of IP, regulatory penalties, loss of competitive edge, lack of recoverability, lawsuits, loss of client trust, financial loss, and tarnished business reputation, just to name a few consequences. There are very real consequences to not taking security seriously.
Securing Your Data in an Insecure World
OK, we've established that securing our data is important. Now what? How do we completely protect our data and IP from all the threats out there? Unfortunately, there isn't a single answer to that question. Much like common insurance risk management, the key is to first identify and prioritize the risks by exposure and relative impact, then focus on those that have a cost-to-impact ratio that is feasible to address.
Looking at the risk categories above, a layered approach should be taken. Beginning with effective employee training is always a great start. This is not to say that your employees must sit in a classroom. There are some very effective "in-line" training tools that can test your employees during their workday, requiring very little effort, but providing you with the ability to monitor and improve the threat landscape of your employees.
Second, protecting your data is different now since your data is active. It's moving around to different locations every day, including the cloud, devices, and e-mail. Providing authorized cloud data storage and sharing is a must, restricting all other cloud sharing systems where possible. The most effective way we see is to leverage a secure cloud file system that allows for a good mix of security, shareability and auditing of access. Remember, the key to security isn't to restrict employees from doing what they need to do; it is to enable them.
Third, we must protect the devices, the endpoints. The key to protecting the endpoints is to have transparency. What security patches are installed? Where are they? Who has what device? Having the ability to immediately wipe all company data from, or restrict access to, a specific device at any given time is a key capability. There are excellent endpoint management services available to allow you to do all this and more. This type of system must be coupled with a support team to manage it.
Last but not least, the servers must be protected. Much like the endpoints, a systems management service can be leveraged to gain visibility to patch status, open network ports, and overall health of your server infrastructure. Coupled with malware protection, active systems management, and secured physical access, servers can be protected.
So What is My Return on Investment (ROI) for Security?
By now, chances are you are thinking: "This all seems really complicated, expensive, and unnecessary!" I can certainly understand this thought process. But you need to ask yourself one question: "If I didn't protect myself, and I lost my business tomorrow as a result, what would I do?" The reality is that breaches in security often DO cause complete loss. In fact, statistics show that 1 in 5 unprotected businesses hit by major ransomware cause a complete shut-down of the business. That's a big deal!
The good news is that if you have a forward thinking, highly qualified technology partner, you can breathe easy because we have your back. And if you want to be sure that they do have your back, send them this article, and request a meeting to walk through how they are protecting you at each are of exposure. If something doesn't smell right, get a second opinion. Your business is your lifeblood; you need to protect it. Your family and your employees will appreciate it if you protect it too.
ABOUT INSITE BUSINESS SOLUTIONS:
InsITe helps businesses and manufacturing companies get the most out of current and emerging technologies with a customized IT approach to maximize growth, efficiency, insights, and productivity. InsITe is not a typical IT company selling products for short-term, short-sighted fixes. We invest in long-term solutions for a company’s growth by taking the time to learn its products, process, and business goals before bringing tech into the conversation. In this way, we become much like our Clients’ very own internal IT department with familiar faces who understand the business.
If you have any questions about this post please leave a comment. We read and respond to all comments. Or better yet, give us a call and ask to talk directly to our Founder and CEO Mike Schipper 616-383-9000.