InsITe Blog

Start Your Own IT Security Risk Assessment

Written by Mike Schipper | Dec 17, 2020 2:05:05 PM

Why is Security So Important?

Anyone else going stir-crazy working from home? It makes you realize how much you took for granted at work: the water cooler chats, in-person meetings, actual flesh-and-blood co-workers, even real handshakes - on a personal level, many of us are missing the camaraderie of the office right now. On a data security level, your business is DEFINITELY missing the simplicity of securing a single network. If your business has remote workers, it’s a fact that your data is everywhere these days: Smart phones, Dropbox, shared drives, cloud applications, email clients - you have much less control with so many hosted accounts. More accounts means more vulnerability, so it’s crucial right now for all businesses to understand and measure their IT security risk.

Start Your Own IT Security Audit

The RIGHT Security

Implementing the proper security measures may seem daunting at first, but it’s well worth the effort. In many industries, data security is required for remaining compliant with regulatory requirements such as HIPAA or PCI. Healthcare, DoD, and other highly regulated industries require strict IT security protocols due to the sensitivity of their data. Did you know that if you process credit cards at all through the course of business, you need to comply with PCI regulations unless your transactions are 100% handled by an outside entity? The same goes for HIPAA: do you know if you have any health information on your system? Do you know for sure that you don’t? Even if you’re not saving lives or maintaining national security, protecting your business’s (and your customers’) data should be of the utmost importance; after all, you don’t know what you don't know, and what you don’t know CAN hurt you.

Sometimes, it hurts a lot. In one particular example, a business contacted us because they had lost over $500,000 in a phishing scam. They managed to recover some of the money, but a huge chunk of it was gone, never to be seen again. The attackers had a big payday, and they got away with it because this business didn’t have proper security measures in place. Measures like regular employee cyber-security training, multi-factor authentication, automatic notifications of risky sign-ins, and mobile device management could have helped prevent the phishers from accessing those systems and making out like literal bandits.

A minimal security investment would have helped protect them from such an attack and saved them all that money. After the attack and after contacting us, this business had InsITe implement those security measures and much more. Despite evidence of continued attacks, no breaches have occurred since, and continual monitoring will alert them to any further attempts.

Phishing scams are especially heinous since they rely on human error to bypass many of your built-in security protocols. If you’re not familiar with phishing, it can be very difficult to spot and stop. Attackers gain access to a hosted e-mail system by tricking someone into sharing their login; they then sign in as that person, fraudulently disguise themselves as that trusted entity, and request sensitive information via email, text, or phone. This could be passwords, client info, a request for a bank transfer, or even a request for bank account information. For the rank-and-file employee, these fraudulent attempts can be tricky to identify. The good news is that there are ways to slow down the attackers, identify when an attack is happening, and prevent it. This takes a layered approach, but a great first critical step towards prevention is to ensure that your employees are trained and educated about phishing scams.
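As an added illustration of what "automatic notifications of risky sign-ins" and "identify when an attack is happening" look like in practice, here is a small Python detector. It is example code written for this post, not InsITe's tooling or any vendor's feature; the one-line-per-event log format, the sample sign-in events, and the two-hour "impossible travel" window are all constructed assumptions. It flags three of the signals a phished account typically produces: a sign-in that skipped MFA, a user's first sign-in from a new country, and two sign-ins from different countries too close together to be the same person.

```python
"""Risky sign-in detection over a constructed sign-in log (added example).

Assumed log format (not from the blog post), one event per line:
    timestamp,user,source_ip,country,mfa_passed
"""
from datetime import datetime, timedelta

# Constructed sample events: a user's normal logins plus one suspicious login
# that arrives 25 minutes later from a different country without MFA.
SAMPLE_LOG = """\
2020-12-01T08:02:00,alice@example.com,203.0.113.7,US,yes
2020-12-01T12:15:00,alice@example.com,203.0.113.7,US,yes
2020-12-01T12:40:00,alice@example.com,198.51.100.23,NG,no
2020-12-01T09:00:00,bob@example.com,203.0.113.9,US,no
"""

# Assumption: two sign-ins from different countries within this window cannot
# both be the legitimate user travelling.
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=2)


def parse_log(text):
    """Parse the constructed log format into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, mfa = line.strip().split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "ip": ip,
            "country": country,
            "mfa": mfa.lower() == "yes",
        })
    events.sort(key=lambda e: e["time"])
    return events


def detect_risky_signins(events, known_countries=None):
    """Return a list of (user, timestamp, reason) alerts.

    known_countries optionally seeds each user's baseline, e.g. {"alice@example.com": {"US"}}.
    Without a seed, a user's first observed country becomes their baseline.
    """
    known = {u: set(cs) for u, cs in (known_countries or {}).items()}
    last_seen = {}  # user -> most recent event, for the travel check
    alerts = []
    for e in events:
        user = e["user"]
        reasons = []
        if not e["mfa"]:
            reasons.append("sign-in without MFA")
        seen = known.setdefault(user, set())
        if seen and e["country"] not in seen:
            reasons.append(f"first sign-in from {e['country']}")
        prev = last_seen.get(user)
        if prev and prev["country"] != e["country"]:
            gap = e["time"] - prev["time"]
            if gap <= IMPOSSIBLE_TRAVEL_WINDOW:
                minutes = int(gap.total_seconds() // 60)
                reasons.append(
                    f"sign-ins from {prev['country']} and {e['country']} within {minutes} minutes"
                )
        seen.add(e["country"])
        last_seen[user] = e
        for reason in reasons:
            alerts.append((user, e["time"].isoformat(), reason))
    return alerts


if __name__ == "__main__":
    for user, when, reason in detect_risky_signins(parse_log(SAMPLE_LOG)):
        print(f"ALERT {when} {user}: {reason}")
```

Each alert would normally feed a notification to the user and the IT team rather than just a print; the point is that a compromised account tends to trip more than one of these checks at once, which is why the post recommends layering MFA, sign-in alerts and training rather than relying on any single control.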

What Systems Are Most At Risk?

With more and more employees working remotely, company data is spread out in multiple locations, over multiple services, making it harder to secure. You should pay special attention to the systems your employees are using to communicate:

  • Email systems like Gmail and Office 365 - A wealth of information is shared over e-mail, and even though the data is encrypted on the system, the account can be signed into from anywhere, on almost any device
  • File sharing programs like Dropbox or OneDrive - Without the right controls, these services are most likely leaving your files vulnerable
  • Phones and laptops - Even locally-stored data is susceptible to loss or theft
  • Internet of Things (IoT) devices - Any “smart” or network-connected device is considered an IoT device. These devices often connect to a service in the cloud. Your entire network is at risk if your IoT devices are not installed with the correct segmentation and isolation precautions

Less Cloud = More Security Then, Right?

Do accessibility and convenience really make up for the potential risks of the cloud? While part of that answer depends on your individual business and industry, there’s no denying that there are TONS of efficiencies to be gained through leveraging cloud services. It’s no secret that in a competitive environment, agile companies have the edge, and cloud services offer superior features, data and service availability, and collaboration capabilities.

We have to consider the human part of the equation. People will gravitate towards what takes the least amount of time, whatever is the most convenient, whatever makes completing a task easier. The path of least resistance. Clarence Bleicher, a former Chrysler executive, put it succinctly: “Whenever there is a hard job to be done, I assign it to a lazy man; he is sure to find an easy way of doing it.” The point is that workers will use whatever tool fits their needs most efficiently, and, in modern-day terms, that means cloud services. We must provide them a secure way to do that, or they will find their own way - it’s a necessity in today’s business environment.

At the end of the day, investing in security is NOT optional. Whether you embrace the cloud or not, whether your data is in the cloud or stored at your site, every business needs the appropriate security measures in place. After all, we are all connected to the same global internet. We can understand the thought process that cloud services - services that can be accessed anywhere, anytime, on almost any device - are more risky than locally installed applications or servers. But contrary to that belief, cloud services can be secured more quickly and easily than onsite servers or services. Instead of buying and supporting more hardware or software installed on your system, we can click a few boxes that achieve the same (or better) results for a cloud service.

We all know we can’t get rid of tech costs (ever!), so why not start taking advantage of the productivity and efficiencies of the cloud, and achieve better security at the same time?

How Do You Start Measuring IT Security Risk?

The best way to assess your IT security risk is to take a structured approach. We recommend using an Assess, Detect, Protect, Recover, Respond approach. In the interest of only deploying the security necessary for your industry and needs, we begin by understanding the applicable regulatory compliance requirements and what data is stored within a system. We then select a security framework, such as NIST, ISO, or other applicable industry-specific standards. With a framework in hand, we can then measure where the systems and services stack up compared to the applicable standard. In the IT biz, we call this a Gap Analysis.

To get started on this process, use this handy IT Security Risk Assessment Checklist to complete your own mini security audit to make some quick improvements and identify any weaknesses you may have.


What’s the Takeaway?

IT security is absolutely a necessity, and it's not as daunting as you might think. If you follow the steps in the IT Risk Assessment Checklist, you’ll have a beginning picture of your security health and have much less to worry about going forward; do nothing, and you’ll have everything to worry about. The bottom line? It’s not hard to take simple steps to protect your business.

Using cloud services? The great news is that cloud services are actually easier to secure than onsite servers or services. The reality is that in today's business climate, you can’t avoid using cloud-based technologies and hope to stay competitive for long. The danger is real, but with a solid understanding of your IT security risks, it’s very straightforward to secure your business across all onsite and cloud services.

Ready to take your IT Security to the next level? Contact an InsITe Advisor to expand on your Security Risk Assessment and give you a roadmap to better network security in the cloud.