Corporate cybersecurity policies and procedures must come first.
The news bombards us with the latest cyber-attack stories. Being aware of potential attacks is important, but what can a business owner do? Are you worried that cybersecurity vendors are going to try to exploit these attacks to sell you their products? Are you afraid that IT will ask for more money? Do you just keep doing what you are currently doing and hope a cyberattack never happens to you?
Investing in cybersecurity is important; however, you can’t afford to make a snap security decision based on fear that will do little or no good. Nor can you hope it will never happen to you. Cybersecurity is not all about new technologies. Often a change in policies and business practices can have a greater impact on your bottom line. Before you bring out the checkbook, here are six tips that cost very little but have a high security impact.
- Classify data according to its sensitivity and importance. In the military, we segmented information as “Unclassified”, “Classified”, “Secret” and “Top Secret” to establish access rules. We marked papers with big red letters stating their classification, put them in specially marked folders, and any mishandling was dealt with seriously. By not classifying data you are putting a huge burden and expense on your IT administrators. They have to try to protect all data, storage devices, computers and networks at the same security level. Trying to protect everything at the same level will either be very expensive to maintain, or very weak because you can’t afford top-level security everywhere. Think about it: does a publicly released press release or white paper need the same security level as your R&D data or financial statements? No. Classifying data allows IT to focus their resources and budgets on the important data and networks, while not wasting time on unimportant network traffic.
- Store data on segregated servers depending on its classification. It’s fine to put press releases, white papers and blogs on a hosted cloud shared server. If the server gets compromised, so what? The information is public. However, sensitive data needs to stay within the company so you are not dependent on someone else implementing proper cybersecurity procedures that you have no control over. Finally, operational data such as HVAC, or data that is managed by third parties, needs to be on its own server. Weighing the cost of multiple servers against the cost of a breach is a no-brainer.
- If you have to share a server, only put non-sensitive information on that server. Many third-party cloud service providers use shared servers. This means that a single server may hold data from many other companies. Because each company may implement its own cybersecurity procedures, you are only as safe as the tenant with the weakest policy.
- When researching vendors and products, determine what cybersecurity testing (also known as penetration testing) the company has done on their products. Sadly, many vendor products implement cybersecurity as an afterthought or third-party plug-in. Ask for a copy of the final results before purchase.
- Use a technique called “sandboxing” to isolate data. When it comes to the “Internet of Things” there is never one installer. Different products typically have their own IT service people to assist in the installation. These outsiders don’t know your entire network, so they may accidentally place data in locations that could compromise other data.
- Only allow mobile devices to access segregated servers that contain unclassified information. Every time any device gets connected to a network or plugged into a computer, a new threat is introduced. IT is having to battle the consequences of employees connecting their personal tablets and smartphones to the company network. The concern is not with making the connection itself, but rather with users unknowingly loading virus-riddled apps, videos, or files into the network. For employees who require access to classified data, the company should issue devices with app loading disabled.
Technology is essential in stopping cyber-attacks. But technology can’t do it all and should never take the lead. You always match technology to your desired outcome and environment. For example, if you say you want a car to take you from point A to point B, then there isn’t much difference between a Bentley and a Yugo. Both run on gas, have four wheels and all the technology required to drive. But if point B is the red carpet at the Academy Awards, which car do you think is the right one?
Corporate cybersecurity policies and procedures must come first. Start by classifying data, then determine where data needs to be stored based upon that classification, and finally define the authentication procedures required to access the data. Once that has been accomplished, IT can tailor the best, most cost-effective technologies needed to keep the data secure.
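The three-step sequence above (classify, then place, then control access) can be written down as checkable rules rather than left as prose. The following is an added example and not code from the article or its author: it models the article's four classification levels, the server types it describes (shared hosted, in-house, third-party-managed operational), and its mobile-device rule, then audits a constructed inventory for placements and access paths that break those rules. The server, device and data names are invented for the example, and the `max_level` accreditation on each server is an assumption that the article's "segregated servers per classification" tip implies but does not spell out.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Classification levels in the order the article lists them (higher = more sensitive)."""
    UNCLASSIFIED = 0
    CLASSIFIED = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Server:
    name: str
    max_level: Level            # highest classification this server is accredited to hold (assumed attribute)
    shared: bool                # hosted on a server shared with other tenants
    third_party_managed: bool   # operational system (e.g. HVAC) run by an outside party


@dataclass(frozen=True)
class Device:
    name: str
    mobile: bool
    company_issued: bool
    app_loading_disabled: bool


def may_store(data_level: Level, server: Server) -> tuple[bool, str]:
    """Placement rules: where may data of a given classification live?"""
    if server.shared and data_level > Level.UNCLASSIFIED:
        return False, f"{server.name}: shared server may hold only unclassified data"
    if server.third_party_managed and data_level > Level.UNCLASSIFIED:
        return False, f"{server.name}: third-party managed server is kept isolated from company data"
    if data_level > server.max_level:
        return False, f"{server.name}: not accredited above {server.max_level.name}"
    return True, "ok"


def may_access(device: Device, server: Server) -> tuple[bool, str]:
    """Access rule: mobile devices reach only unclassified servers unless company-issued and locked down."""
    if server.max_level == Level.UNCLASSIFIED:
        return True, "ok"
    if device.mobile and not (device.company_issued and device.app_loading_disabled):
        return False, f"{device.name}: mobile device may reach only unclassified servers"
    return True, "ok"


def audit(placements, accesses) -> list[str]:
    """Return one line per rule violation found in the inventory."""
    findings = []
    for data_name, level, server in placements:
        ok, why = may_store(level, server)
        if not ok:
            findings.append(f"{data_name} ({level.name}) -> {why}")
    for device, server in accesses:
        ok, why = may_access(device, server)
        if not ok:
            findings.append(f"{device.name} -> {server.name}: {why}")
    return findings


# Constructed sample inventory (names are invented for this example).
PUBLIC_WEB = Server("public-web", Level.UNCLASSIFIED, shared=True, third_party_managed=False)
FINANCE = Server("finance-db", Level.SECRET, shared=False, third_party_managed=False)
HVAC = Server("hvac-ctrl", Level.UNCLASSIFIED, shared=False, third_party_managed=True)

PERSONAL_PHONE = Device("alice-phone", mobile=True, company_issued=False, app_loading_disabled=False)
LOCKED_TABLET = Device("cfo-tablet", mobile=True, company_issued=True, app_loading_disabled=True)

SAMPLE_PLACEMENTS = [
    ("press-release.pdf", Level.UNCLASSIFIED, PUBLIC_WEB),
    ("q3-financials.xlsx", Level.SECRET, FINANCE),
    ("rnd-roadmap.docx", Level.TOP_SECRET, FINANCE),      # above the server's accreditation
    ("customer-list.csv", Level.CLASSIFIED, PUBLIC_WEB),  # sensitive data on a shared server
]
SAMPLE_ACCESSES = [
    (PERSONAL_PHONE, PUBLIC_WEB),
    (PERSONAL_PHONE, FINANCE),   # personal mobile device reaching classified data
    (LOCKED_TABLET, FINANCE),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PLACEMENTS, SAMPLE_ACCESSES):
        print("VIOLATION:", finding)
```

Running the audit on the sample inventory reports three violations: the R&D roadmap placed above the finance server's accreditation, the customer list sitting on the shared public server, and the personal phone reaching the classified finance server. The company-issued tablet with app loading disabled passes, matching the article's exception for locked-down devices. The point of encoding the policy this way is that the classification decision is made once, by the business, and IT then has an inventory it can check mechanically instead of guessing which systems deserve the expensive controls.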