It’s widely accepted that achieving perfect security is a pipe dream, but that doesn’t mean investing in better security for your business is something that should be ignored.
Many times, businesses play the “bad luck lottery,” thinking the odds of being a victim of a cyber attack or breach are too small to worry about. However, as any James Bond movie has shown us, even a sophisticated MI6 operative — with a nearly limitless array of hi-tech gadgets and budget — has to take the implemented security measures into account when formulating a plan to infiltrate a building or system.
While most of today’s online criminal organisations don’t have limitless funds, they are quite sophisticated and well funded, which means companies need to up their security efforts in order to reduce the threat surface area of the business.
As you begin planning for 2016, here are 007 tips for bringing your business closer to an MI6 level of security, without a nation-state budget:
- Auto expiring credentials for new recruits:
While we hope your corporate hiring process isn’t as intense as that of a secret agent, at the end of the day not everyone who signs up ends up making the final cut. To minimise your risk of rogue access, implement a policy that system admins always create expiring credentials for new hires.
It’s best practice to implement this for any temporary hires, but if your company offers a grace period, consider applying the expiration for the end of that time period, just in case. It’s always easier to re-implement than revoke once things have gone awry.
- Two-factor authentication (2FA) to deter shadow ops:
Having multiple forms of identification is an accepted standard for accessing highly secure systems, but it’s not something that’s strictly reserved for government agencies. If your employees’ credentials do get phished or stolen, having 2FA on your Internet facing applications will keep them from being used. What most people don't realise is that government-level, or a similar, high-level of 2FA is available to protect most of their organisation’s information today and it’s far less complicated or expensive to implement and use than one may think.
- Encryption for your eyes only:
Since communicating in code or sending self-destructing messages everyday would be incredibly inefficient (and likely dangerous), your best option is implementing a system that automatically encrypts your emails after it filters and scans them helps protect your company against data loss.
For the more “top secret” missions, consider investing in advanced systems that also allow for policies to be configured to encrypt, send, return to sender, or delete messages with insecure content. Because it is a hosted solution, there are no upfront investments in hardware, certificates or other expensive yearly certificate renewals. You simply pay a monthly fee per user and receive military-grade encryption.
- Fort Monckton-esque training for all:
According to a recent Intel Security study, 96 per cent of users couldn’t tell the difference between real emails and phishing emails 100 per cent of the time. The main reason cyber attacks are frequently successful is because they rely on human error; whether it’s ignoring an alert to install the latest software update, or being careless when clicking on links.
While you don’t need to ship your users off to Fort Monckton, you can still keep their security acumen high by periodically checking to see who within the organisation needs more awareness training. Consider sending fake phishing emails to your own employees and see which ones fail. An additional training exercise is to leave non-company branded USB flash drives around the office and see who plugs them in to their laptops. Load the drive with a simple word document explaining how the device he or she just plugged into the laptop could have infected their machine (and likely the company’s network). The goal isn’t to chastise employees, but show them how quickly a simple misstep can quickly put them at risk.
- Identity and Access Management to prevent double agents:
Spies aren’t the only ones worried about being double-crossed. A recent survey by Intermedia found that 28 per cent of IT professionals have accessed systems belonging to previous employers after they left the company, and nearly 1 in 4 millennials said they would take data from their company if it could positively benefit them. Thanks to advanced identity and access management tools though, businesses can not only monitor and disable the use of specific features within applications, but also capture screen shots of particular actions and create details audit trails of what a user does once they log.
- Single-sign-on to simplify the mission at hand:
Forward-looking businesses are constantly exploring new tools and apps to provide employees in order to empower them and make them more productive, but not even James Bond himself can create and remember strong passwords for the 14+ cloud services today’s employee typically accesses.
Deploying a single-sign solution will provide your users access to their web apps with just one password. Furthermore, premium versions can automatically create strong, unique passwords for each user that are periodically changed — automatically — without users ever knowing. This increases security and productivity; all your employees have to worry about is remembering whether they like their martini shaken or stirred.
- Third party vendors; your allies in arms:
The CIA, MI5, MI6, FBI etc., all occasionally work together on a single mission, and so too should businesses with their vendors: Many businesses don't realise that the vendors they work with can help the business (and also put it at risk).
If you're planning to store company information in the cloud, work with a cloud provider that has a strong reputation for security and also helps migrate and protect your data seamlessly.
Ryan Barrett, VP Security and Privacy, Intermedia
Image source: Sony Pictures