05 Dec Security is more than having a firewall
Some aspects of IT security get a lot of attention while other areas get neglected. Take edge security as an example. Almost all companies have gotten the message that having a firewall is a good idea, which is great news. The bad news is that security is only as strong as its weakest link, so those neglected aspects of security can render the investment in a firewall moot.
There are a host of security issues we have seen forgotten time and again. Let’s look at a few that are critical and often overlooked.
- Offboarding procedures. This is a step which is often overlooked. When you are separating an employee from the company, there are a lot of things that need to happen, and if even one of them is missed you may have a big problem. Did you collect keys, laptop and phone? Those are the things that most companies are very good about remembering. But what about disabling remote access? What about removing access to any third-party software? What about disabling e-mail access?
- Documented Policies. Having well-documented company policies will help greatly in IT security, and this is one of the areas where we see too many companies completely lacking. Examples include an acceptable use policy, an incident response policy and a personally identifiable information policy. Many of the items on our security checklist are policy driven.
- Multi-Factor Authentication. This is one of the most critical security steps that I see missed, and it is one of the most effective. As more and more services move to the cloud, MFA is more and more important. At a minimum, all e-mail and VPN access should utilize MFA. This is a method of verifying identity; therefore, even if your password is compromised, your account will remain secure.
- Third-party processes. Many attacks can involve your company indirectly. Make sure you have a documented process with vendors to verify financial requests. If your payroll company gets a request from your Controller asking for a change to direct deposit, make sure you have a documented process to verbally get approval. Establish strict procedures with your financial institution on wire transfer requests.
- Training with your team. Every study on security shows end-users are still the biggest risk factor. Work with your team to educate them on security risks and make continuing education an important part of your security plan. Train your team that cyber-attacks use urgency as a weapon. When they get a request that says it can’t wait for proper procedures, this should be a red flag.
- Don’t forget to secure your cloud accounts. Most companies do a good job of securing their networks, but often forget about securing their cloud services. Just like your internal systems, you should make sure you have separate administrative accounts for all users. Ensure you have auditing enabled so you can track what happened in case of a breach. Set up notifications so you will know when you are under attack, and set up auto-block rules to prevent brute-force attacks.
- Don’t forget your phone system. Phone systems are often connected to company networks, and if they are not protected they can be a gateway into your network that bypasses all your security efforts, not to mention the potential for getting hit with huge toll charges.
Over the course of this year, we have seen a huge spike in attacks from almost every attack vector. Some of these attacks have been successfully thwarted, while unfortunately others have been successful. Make sure you talk with someone you trust to get an assessment of your IT systems before you are involved in a breach.