Security has always been an important part of technology strategy. However, with the emergence of cloud technologies and increased mobility of the workforce, the business of securing your valuable data and the applications that drive your business has become increasingly complex. Gone are the days of buying a network firewall, installing it, brushing off your hands and calling it a day; our information assets are now at risk at many new exposure points.
News of security breaches is all over the headlines today. Ransomware attacks, blackmail, phishing and social engineering are all too common. The accountant mistakenly wires $20,000 to an unknown recipient posing as a legitimate vendor via a phishing e-mail. The company president clicks on an e-mail link claiming his password is going to expire if he doesn't take action immediately, subsequently sharing his credentials with a group of hackers. The sales guy returns from a sales conference, connects to the company network and delivers the malware he picked up while on the road. These are just a few examples of many types of security breaches, but the interesting part is that none of them would have been stopped by a traditional firewall.
Whether your business has compliance requirements or not, the reality is that all businesses have sensitive data representing years spent creating, reviewing, improving and sharing with clients, vendors and internal employees. We rely on this data every day. The man hours we have spent building our intellectual property (IP) are impossible to calculate. Reproducing the data and the IP value is simply unfathomable—in fact, theft or loss of significant IP is proven to sink the majority of businesses impacted.
To help frame the significant risks to your business today, I have broken them into a few categories:
THE RISKS: Malicious E-mails (CEO Fraud, Spear Phishing), Malicious Websites, Social Engineering (e-mail, phone), Password or Identity Sharing
THE RISKS: Unauthorized data sharing (cloud, e-mail), unauthorized/unregulated cloud storage, version history and change control, segregation and security controls
THE RISKS: Data sharing, Malicious websites, device theft, outdated security patches, access to public networks
THE RISKS: Outdated security patches, network ports open to public, physical access, external vendor access
Without addressing the above risk categories, you leave your business susceptible to: loss of IP, regulatory penalties, loss of competitive edge, lack of recoverability, lawsuits, loss of client trust, financial loss, and tarnished business reputation, just to name a few consequences. There are very real consequences to not taking security seriously.
OK, we've established that securing our data is important. Now what? How do we completely protect our data and IP from all the threats out there? Unfortunately, there isn't a single answer to that question. Much like common insurance risk management, the key is to first identify and prioritize the risks by exposure and relative impact, then focus on those that have a cost-to-impact ratio that is feasible to address.
Looking at the risk categories above, a layered approach should be taken. Beginning with effective employee training is always a great start. This is not to say that your employees must sit in a classroom. There are some very effective "in-line" training tools that can test your employees during their workday, requiring very little effort, but providing you with the ability to monitor and improve the threat landscape of your employees.
Second, protecting your data is different now since your data is active. It's moving around to different locations every day, including the cloud, devices, and e-mail. Providing authorized cloud data storage and sharing is a must, restricting all other cloud sharing systems where possible. The most effective way we see is to leverage a secure cloud file system that allows for a good mix of security, shareability and auditing of access. Remember, the key to security isn't to restrict employees from doing what they need to do; it is to enable them.
Third, we must protect the devices, the endpoints. The key to protecting the endpoints is to have transparency. What security patches are installed? Where are they? Who has what device? Having the ability to immediately wipe all company data from, or restrict access to, a specific device at any given time is a key capability. There are excellent endpoint management services available to allow you to do all this and more. This type of system must be coupled with a support team to manage it.
Last but not least, the servers must be protected. Much like the endpoints, a systems management service can be leveraged to gain visibility into patch status, open network ports, and overall health of your server infrastructure. Coupled with malware protection, active systems management, and secured physical access, servers can be protected.
By now, chances are you are thinking: "This all seems really complicated, expensive, and unnecessary!" I can certainly understand this thought process. But you need to ask yourself one question: "If I didn't protect myself, and I lost my business tomorrow as a result, what would I do?" The reality is that breaches in security often DO cause complete loss. In fact, statistics show that for 1 in 5 unprotected businesses hit by major ransomware, the attack causes a complete shut-down of the business. That's a big deal!
The good news is that if you have a forward-thinking, highly qualified technology partner, you can breathe easy because we have your back. And if you want to be sure that they do have your back, send them this article, and request a meeting to walk through how they are protecting you at each area of exposure. If something doesn't smell right, get a second opinion. Your business is your lifeblood; you need to protect it. Your family and your employees will appreciate it if you protect it too.