5 Steps to Security - Navigating Security Risks and Business Technology in Today’s World


Published:

 

Do you feel secure? According to Google (which itself could be an entirely different discussion regarding security), one definition of “security” is “the state of being free from danger or threat.” Using that definition, few of us feel secure these days.

Cybersecurity, protecting your computer and networks, has been a big deal for years, but it is important to understand how the world we find ourselves in today impacts our risks. So when we narrow our discussion down to network security, what does that really mean to you in today’s world? Is it possible to feel secure, or at least secure enough, that it doesn’t keep you up at night?

The dangers or threats to your business technology are vast, yet there are steps you can take to at least minimize your risk. The industry you are in has a lot to do with the amount of risk you are exposed to, but again, there are some basic principles that hold true for pretty much any industry.

"Keep in mind that the following information is NOT intended to be all-encompassing or to replace the assistance of a trusted IT advisor. Your IT company should be a partner that understands your risk areas, your fears and your goals, and helps you craft an infrastructure security plan that works best for your situation. And a plan is a good place to start."

1. Start with a Plan

For a lot of companies, an Incident Response Plan (IRP) is an afterthought. But it really shouldn’t be.  Your IRP is simply a written answer to the question, “what do we do if the (stuff) hits the fan?”

  • If an employee comes in and all their data is corrupt or missing, what steps should they take?
  • If you get a message that says your files have all been encrypted and an uber-hacker wants $10,000,000 to get it back, what should you do?
  • If an employee leaves under bad terms and you suspect they stole key client information, what are your best actions?

An incident response plan saves you from having to figure all of that out when it happens, when emotions are high, when not everyone may be thinking straight or even be available.

In an even more likely scenario these days, what if your two key employees call in tomorrow and say they (or their spouse or kids) were exposed to a COVID-10 positive person? They can’t come to work for a couple of weeks. What do you do? Do you have a process in place to answer that question? Your Incident Response Plan doesn’t have to be fancy, just a bit of thinking ahead.

 

2. Get a Handle on the Hardware

Speaking of COVID, let’s talk a bit about how the security landscape has changed due to the pandemic. Obviously, we have a lot more people working remotely. It may be that you’ve done everything your IT provider told you to do in order to get your corporate network up to reasonable security standards. You replaced workstations and servers and bought that new expensive firewall. These are great steps and maybe even the right steps at the time, so you’re all set, right? Unfortunately, the pandemic caught us all by surprise, at least the breadth of it did.

Everyone has been in a ‘rapid response’ mode since February/March. Humans tend to overlook things when we’re in that mode. What things? Well, do you know what machines your staff started using for remote work purposes? Were any of your employees going home to their 2005 Windows 7 computer that hasn’t been patched in years and runs no anti-virus on it? Going a step further, are they using VPN software to open a nice, secure tunnel into your network, so the bad guys can hop on their old computer and walk right into your up-to-date network? Oops. There are ways to mitigate this, but you need to be aware of it so it can be addressed.

 

3. Encourage Healthy Employee Behavior

Socially engineered attacks rise dramatically whenever there is headline-grabbing news; there are always bad actors that prey upon people’s fears. And this pandemic is not limited to Savannah or Georgia or the US. It’s global, which means exponentially more attacks.

These attacks are no different than any other fear that is used against you in the cyber world, but their effectiveness is increased by threatening the target’s loved ones and their security. There are reports every week about a new threat that comes in under the guise of a ‘cure’ for COVID or a secret vaccination or new information, and on and on. Sometimes these are just scammers trying to sell you snake oil cures, and sometimes the intent is to get you to click something that will allow malware or hackers into your system. Phishing schemes are rampant, and everyone in your company that uses a computer should be made aware of what they look like, what to watch for, and what to do if you are not really sure about an email or a link.

 

4. Manage More Effectively

There is also no doubt that working from home requires better management. Notice I didn’t say MORE management, just better. Many jobs are well suited to be done remotely. But working remotely is difficult for some people to adjust to. There are a lot of distractions, and it’s easy to just drift on over to checking your Facebook or Twitter. In the office, we know that others are around and may notice that we’re lingering just a little too long or seem a bit too distracted. But at home, who’s watching?

There are certainly technology solutions to monitor screen time and activity on the computer. We generally recommend these as a last-resort since the goal of good management really isn’t to be punitive, but to ensure your team is living up to the high expectations you have of them. Measurement of output is often a much better indicator of value provided than monitoring keystrokes.

Suggested Reading: This isn’t an article about management styles or corporate culture, but if you are interested in ways to measure employee performance, you might check out the book Traction by Gino Wickman www.eosworldwide.com. No, I don’t make a cent if you click the link or buy the book; it’s just a tool we’ve found useful that might help you, too.

 

5. Look at the Bigger Business Picture

So let’s assume you’ve secured your network, you’ve dealt with equipment you don’t own but that your staff uses to access your network, you have your incident response plan started, and you have implemented all of the things you learned by power reading Traction. Time to relax on the beach, right? Well, not exactly.

What about your supply chain? How vulnerable is their infrastructure? If you are like most of us, you can’t really do much about that other than lining up multiple suppliers, and even that isn’t always possible. However, you probably should pay close attention to what your suppliers do with data you share with them. If you share financial information or customer information, you have a right to ask how they protect it. Again, in this season of change, it is easy for important details to slip, so do whatever it takes to think about all areas of the business. Pull your team together, make lists, add to and update your plan.

Finally, don’t forget about employee privacy. I’m not just talking about doing the right thing by your team, I’m talking about knowing and following the law. Do you know how to handle communications with your team if one of them is diagnosed with COVID? You have to tell them they were exposed, right? But can you tell them who they were exposed to? Can you tell them when, so they know how to handle it? But doesn’t telling them when tell them who as well? Hopefully you have experts to guide you; make use of them and don’t guess at the right answers.

You are probably asking why this last part is even included. It isn’t a technology issue, is it? Employee privacy extends to all areas of the business, from leaving that sick report up on the screen, to having discussions in the hallway that may not be appropriate. Technology touches all of these areas and is touched by all of these areas.

Our job as a Managed Services Provider is to guide our clients through the maze, even if on some issues we need to say “go speak with your attorney,” or “your HR consultant might have the answers you need.” We’re big fans of expert advice, and we are not your expert in legal issues. But armed with the proper expert advice, we can implement the technology you need to make compliance easier (think access control and sleep timers on screens, for example). The end result is to help our clients stay healthy and advancing towards their business goals, regardless of what the disaster potential might be.

 

Chuck Brown is the founder and CEO of Infinity, Inc., providing IT services and business strategy to help businesses grow since 1999. For more information, go to infinityinc.us.

 

Add your comment: