5 Best Network Security Things You Should Be Doing
By Steve Meek
No one thinks they are a target until they are. Verizon’s latest Data Breach Investigations Report (DBIR) offers analysis of security facts and figures that can help protect our organizations. Its research showed that 61% of the 2016 breach victims were businesses with under 1,000 employees.
The report also revealed that attackers were generally opportunistic, using broad-based attacks against everyone to find starting points for compromising businesses: passwords, access to systems, and data. Think of it as checking houses for unlocked doors and hoping for easy scores.
Twenty years ago, I would have told you to buy a firewall and anti-virus. Ten years ago I would have pointed you towards next-generation firewalls, IDS/IPS, web filtering or other security tools. And while you probably have many of these today, the report shines a light on more “people”-oriented avenues, which actually have a bigger impact on preventing compromise.
1. Secure the human
Most employees genuinely want to use computers correctly and safely. When people are being pushed to hit production goals and MBOs, asking them to also be security-minded tends to come second. That is why ongoing security training is considered a top security tool.
If you have an in-house trainer with the expertise, you can find resources on the Internet; that same challenge has also given birth to a variety of online security awareness training services. Their training can be assigned, tracked and verified complete with a test. A little bit of training goes a long way toward helping your people stay safe.
The federal government reinforces education each October during National Cyber Security Awareness Month. Check out its Stop.Think.Connect. toolkit if you are looking for free resources to engage with yourself.
2. Implement security policies and IT standards
62% of the breaches identified featured hacking. These attacks might target open firewall configurations, default passwords, unpatched or old systems, or compromised passwords. 81% of these hacking-related breaches took advantage of stolen and/or weak passwords. That fact practically screams for a good password policy!
In other words, most of these breaches were avoidable. There is strategy and structure to securing a network, and it is best done comprehensively: start with security in mind. IT policies help you figure out how you plan to build and maintain the network. When building a house, you don’t lay the foundation, throw in plumbing and electrical, and then decide to do blueprints. Structure and planning save IT budget.
There is also a reason these attacks are rarely done by basement kids any more: they result in big money. 51% of the breaches involved organized criminal groups. Fast Internet and cool devices are what we want, but what a criminal desires is access. Imagine a criminal who can break into your house from anywhere in the world with a PC and an Internet connection. The National Institute of Standards and Technology (NIST), founded in 1901, has long been a government champion for protecting businesses. It offers comprehensive policies for everything on its site, though the challenge for smaller businesses is probably more about scaling the policies to an appropriate level. NIST recently revised its password guidance (SP 800-63B), but that is a long article for another time.
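To make the password-policy point concrete, here is an added example (not from the article, and not NIST’s own code) of a password check written in the spirit of the revised NIST SP 800-63B guidance: enforce a minimum length, allow long passphrases, reject anything found in a breached-password list, reject obviously repetitive or sequential strings, and reject the company or user name, with no composition rules and no expiry. The rule set is my reading of that guidance, and the breached-password list is a constructed stand-in for a real corpus.

```python
"""Added example: a memorized-secret check in the spirit of NIST SP 800-63B.
The rules are one reading of that guidance; the breached-password set below
is a constructed stand-in for a real corpus such as a downloaded breach list."""
import hashlib
import unicodedata

# Constructed stand-in for a breached-password corpus, kept as SHA-1 hex
# digests so the plaintext list never needs to live on the server.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein", "Welcome1", "P@ssw0rd")
}

MIN_LENGTH = 8    # SP 800-63B: user-chosen secrets must be at least 8 characters
MAX_LENGTH = 64   # SP 800-63B: verifiers should permit at least 64 characters


def _is_sequential(s, run=4):
    """True if s contains `run` consecutive characters that are all ascending,
    all descending, or all identical (e.g. 'abcd', '4321', 'aaaa')."""
    low = s.lower()
    for i in range(len(low) - run + 1):
        window = low[i:i + run]
        deltas = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if deltas in ({0}, {1}, {-1}):
            return True
    return False


def check_password(candidate, context_words=()):
    """Return the list of reasons to reject `candidate` (empty list = accept).

    Deliberately absent: 'must contain a digit/symbol' rules and periodic
    expiry. SP 800-63B argues those push users toward predictable variants,
    so the checks here are length, blocklist, repetition, and context words
    (the user name, the company name, the service name)."""
    reasons = []
    # Normalize first, as SP 800-63B suggests, so composed and decomposed
    # forms of the same character compare equal.
    pw = unicodedata.normalize("NFKC", candidate)
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if len(pw) > MAX_LENGTH:
        reasons.append("too long")
    if hashlib.sha1(pw.encode("utf-8")).hexdigest() in _BREACHED_SHA1:
        reasons.append("appears in breached-password list")
    if _is_sequential(pw):
        reasons.append("contains repetitive or sequential characters")
    lowered = pw.lower()
    for word in context_words:
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word '{word}'")
    return reasons


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "P@ssw0rd", "abcd1234xyz"):
        print(repr(pw), "->", check_password(pw, context_words=("acmecorp",)) or "OK")
```

Plug a real breached-password source into `_BREACHED_SHA1` (or a k-anonymity lookup against one) and pass the user name and organization name as `context_words`; the rest of the policy is already expressed in the function.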
3. Test users with simulated phishing attacks
Another important statistic: Verizon estimates that 1 in 14 users were tricked into following a link or opening an attachment, and a quarter of those people were tricked more than once. All it takes is one person clicking a bad link to compromise your business.
There is a security saying that “there are two types of organizations, those that have been breached and those that don’t realize they’ve been breached.”
Just as you might offer on-the-job training or role playing, you can send simulated phishing emails to your users. Not to blast them, but to see whether they will click on a fake link that wouldn’t stand out to the average user. SMTP, the 1980s email protocol, was never designed to authenticate senders, so it is easy to send legitimate-looking (but fake) bank deposit questions, Facebook updates, Netflix password issues, shipping updates, or even emails that appear to come from a friend or coworker. Testing helps all employees learn what to watch for so they don’t become a statistic.
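The mechanics of such a test are simple, and here is an added example (my own code, not from the article or any particular simulation product) of the two pieces you need: a per-recipient tracking link, so each click maps back to one person without putting user names in URLs, and the report that turns the landing page’s web-server log into “who clicked” and “who clicked more than once”. The sender address, landing page, campaign secret, user list and log lines are all constructed for the example.

```python
"""Added example: per-recipient tracking links for a simulated phishing
campaign plus the click report. Domain, secret, users and log lines are
constructed; nothing here comes from a real campaign."""
import hashlib
import hmac
from collections import Counter
from email.message import EmailMessage
from urllib.parse import parse_qs, urlparse

CAMPAIGN_SECRET = b"rotate-me-per-campaign"               # assumed; keep out of source in real use
LANDING = "https://training.example.com/shipping-update"  # assumed internal landing page
LANDING_PATH = urlparse(LANDING).path


def token_for(user_id):
    """Opaque per-user token: an HMAC over the user id, so a recipient who
    reads the URL learns nothing and cannot forge a colleague's token."""
    return hmac.new(CAMPAIGN_SECRET, user_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def build_message(user_id, to_addr):
    """A plausible 'shipping update' lure. The From header is whatever we
    choose to put there, which is exactly the weakness the article describes."""
    msg = EmailMessage()
    msg["From"] = "Parcel Delivery <notices@shipping-alerts.example.net>"  # lookalike sender, assumed
    msg["To"] = to_addr
    msg["Subject"] = "Delivery attempt failed - action required"
    msg.set_content(
        "We could not deliver your parcel today.\n"
        f"Reschedule here: {LANDING}?t={token_for(user_id)}\n"
    )
    return msg


def click_report(users, log_lines):
    """Map landing-page hits back to users.

    `log_lines` are common-log-format lines like
    'ip - - [ts] "GET /shipping-update?t=TOKEN HTTP/1.1" 200'.
    Returns (set of users who clicked, set who clicked more than once,
    click rate as a fraction of all users)."""
    lookup = {token_for(u): u for u in users}
    hits = Counter()
    for line in log_lines:
        try:
            request = line.split('"')[1]      # 'GET /path?t=... HTTP/1.1'
            target = request.split()[1]
        except IndexError:
            continue                          # malformed line, ignore
        parsed = urlparse(target)
        if parsed.path != LANDING_PATH:
            continue                          # favicon, probes, etc.
        token = parse_qs(parsed.query).get("t", [None])[0]
        if token in lookup:
            hits[lookup[token]] += 1
    clicked = set(hits)
    repeat = {u for u, n in hits.items() if n > 1}
    rate = len(clicked) / len(users) if users else 0.0
    return clicked, repeat, rate


# Constructed campaign data: four users and a handful of access-log lines.
USERS = ["alice", "bob", "carol", "dave"]
SAMPLE_LOG = [
    f'10.0.0.5 - - [12/Sep/2017:09:01:10 +0000] "GET /shipping-update?t={token_for("alice")} HTTP/1.1" 200',
    f'10.0.0.5 - - [12/Sep/2017:09:03:42 +0000] "GET /shipping-update?t={token_for("alice")} HTTP/1.1" 200',
    f'10.0.0.9 - - [12/Sep/2017:09:05:00 +0000] "GET /shipping-update?t={token_for("carol")} HTTP/1.1" 200',
    '10.0.0.12 - - [12/Sep/2017:09:06:13 +0000] "GET /shipping-update?t=deadbeefdeadbeef HTTP/1.1" 200',
    '10.0.0.12 - - [12/Sep/2017:09:07:00 +0000] "GET /favicon.ico HTTP/1.1" 404',
]

if __name__ == "__main__":
    print(build_message("bob", "bob@example.com"))
    clicked, repeat, rate = click_report(USERS, SAMPLE_LOG)
    print(f"clicked={sorted(clicked)} repeat={sorted(repeat)} rate={rate:.0%}")
```

Use the output to schedule follow-up training for the clickers rather than to embarrass them; the repeat set is the group the DBIR statistic about people being tricked more than once is warning you about.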
4. Conduct periodic risk assessments
Just as you reconcile your bank statements, audit your tax returns, review financial statements and go in for health checks (or not), it is important to periodically review your network design and lay out a risk assessment. This is usually a separate function from the day-to-day network management an IT team does. A good network person is great at making things work the way users want and keeping things easy.
General networking and security thinking, I feel, sit at opposite ends of a single slider. Making things more secure can introduce more user difficulty or complexity without automated tools. The security mindset is focused on the triad of confidentiality, integrity and availability.
A risk assessment is a requirement for compliance-bound organizations under HIPAA or PCI DSS. Sensitive organizations would complete one annually (or after major network changes); smaller organizations could probably stretch that to every three years or so.
If you have experts at your disposal and want to do it yourself, NIST has released its Cybersecurity Framework. You’d want to make sure your expert has a security background and a certification such as (ISC)²’s Certified Information Systems Security Professional (CISSP), ISACA’s Certified Information Systems Auditor (CISA) or others.
5. Stay abreast of trending threats
Recent months have shown that some attacks spread across the Internet so quickly that security vendors take 2-3 days or longer to respond to emerging threats. Malware such as WannaCry wreaked havoc, though the US was somewhat buffered by Europe getting hit first. Other threats like business email compromise scams resulted in at least $2.3 billion in losses, according to the FBI last year. Before these items showed up in the news, they began showing up in threat intelligence feeds.
If you want to protect your organization, you’ll arm yourself with information.
As business owners, we can’t always afford to protect against everything. But if there is an emerging threat, we can ask IT, “Am I protected against this?” Subscribing to feeds helps by prioritizing the items that are clear and present dangers. Among the 20 or so I watch, I find the US government’s site a good, less technical source without too much traffic.
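The prioritizing step is the part worth automating, so here is an added example (my own code, not from the article or from any feed provider) that reads an advisory feed and keeps only the entries that mention something you actually run, scoring entries that signal active exploitation higher. The feed below is a constructed Atom document in the shape of a typical advisory feed, not a capture of any real site, and the asset inventory is assumed; swap in your own.

```python
"""Added example: filter a threat-intelligence feed against an asset inventory
so "Am I protected against this?" is only asked about relevant threats.
The Atom feed and the inventory are constructed/assumed for the example."""
import xml.etree.ElementTree as ET

ATOM_NS = {"a": "http://www.w3.org/2005/Atom"}

# Assumed inventory: keyword that would appear in an advisory -> where it runs.
INVENTORY = {
    "smb": "file servers, user workstations",
    "windows": "all workstations",
    "exchange": "mail server",
    "wordpress": "marketing site",
}

# Phrases that mean the threat is already being used, not just theoretical.
HIGH_SIGNAL = ("actively exploited", "ransomware", "in the wild", "worm")

# Constructed feed, three entries, in the shape of a typical advisory feed.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <entry>
    <title>Ransomware worm spreading via SMBv1</title>
    <updated>2017-05-12T18:00:00Z</updated>
    <summary>Self-propagating ransomware exploits unpatched Windows SMBv1.</summary>
  </entry>
  <entry>
    <title>Advisory: flaw in a niche PLC vendor firmware</title>
    <updated>2017-05-11T10:00:00Z</updated>
    <summary>Local attacker may bypass authentication.</summary>
  </entry>
  <entry>
    <title>WordPress plugin vulnerability actively exploited</title>
    <updated>2017-05-10T09:00:00Z</updated>
    <summary>Attackers upload web shells through an unauthenticated endpoint.</summary>
  </entry>
</feed>"""


def prioritize(feed_xml, inventory=INVENTORY):
    """Return feed entries that touch the inventory, highest score first.

    score = number of matched assets, plus 2 if the text contains a
    HIGH_SIGNAL phrase. Entries matching nothing you run are dropped, which
    is the point: less noise, so the remaining items get acted on."""
    root = ET.fromstring(feed_xml)
    results = []
    for entry in root.findall("a:entry", ATOM_NS):
        title = entry.findtext("a:title", default="", namespaces=ATOM_NS)
        summary = entry.findtext("a:summary", default="", namespaces=ATOM_NS)
        text = f"{title} {summary}".lower()
        assets = sorted(k for k in inventory if k in text)
        if not assets:
            continue
        score = len(assets) + (2 if any(s in text for s in HIGH_SIGNAL) else 0)
        results.append({
            "title": title,
            "assets": assets,
            "score": score,
            # The question to put to IT, with the systems it concerns.
            "ask_it": "Am I protected on: " + "; ".join(inventory[a] for a in assets),
        })
    results.sort(key=lambda r: r["score"], reverse=True)
    return results


if __name__ == "__main__":
    for item in prioritize(SAMPLE_FEED):
        print(f"[{item['score']}] {item['title']}\n    {item['ask_it']}")
```

Point this at a real feed (fetched separately, since the example is offline) and keep the inventory honest; an advisory about a product you don’t run is noise, and one about a product you do run is the prompt for that conversation with IT.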
So there you have it: big ways you can supercharge your security without depending on a huge budget for brand new, high-dollar security tools. While tools enhance your security posture, your people are your first line of defense.
In security, you have to win 100% of the time; the villains only have to win once. Focus on your people if you want to dramatically reduce the probability of a breach.