How to Protect Your Business by Following The Ten P's of Security
By Michael Meyer, Chief Risk Officer (CRO) and Chief Security Officer (CSO), MRS BPO, LLC
How many times have you heard from your staff: buy this technology and all of our (and your) worries and problems go away? Maybe it sounded like this instead: this is the latest and greatest technology; we need it to solve every security issue. Stop for a second and ask yourself, is it possible that any single technology can completely secure a business? How can I let you down easily? NO! Completely securing a business (if that is even possible) requires multiple layers of defenses using different tools, techniques, and technologies. These layers need to be woven and interlocked together to create a real “defense in depth.” The goal of “defense in depth” is to reduce the overall attack surface and minimize the weaknesses for attackers to discover and penetrate. To strengthen your security, follow the Ten Ps of Protection.
The overall way to best protect your company is to prevent attacks in the first place with a defined plan. Coordinating everything together into a cohesive whole is the role of management. Management’s importance to strong security is often overlooked and lost in the noise of having to buy things. Management of security is critical and rarely mentioned as a cause or even a contributing cause of a breach, even when it should have been called out. Security is no different from other essential roles in an organization. The best way to manage this function is to dedicate management and staff to it. If you cannot do that due to cost or company size, then work with an outsourcer to help mitigate this management risk. Most larger companies have already split out or are planning to split out dedicated senior management roles and responsibilities.
We all know that people are the most critical assets that we have. So, do you push your security staff to learn more? I mean, do you really encourage and expect that your staff will learn and know more a year from now? Do you expect them to earn a certification? Do you set the example for them? We know security people are hard to find and getting harder to afford, so do you try to grow your staff to fill any vacant roles? Knowledge is available everywhere now via channels such as YouTube, iTunes, Udemy, Coursera, and many others, so encourage your staff to use them. Once you encourage your security staff to grow and learn, your company will be more secure as a result.
Policy and Procedures
Policies and procedures for security are something that a lot of companies don’t have or could get a lot better at. Some have a one- or two-page document for the entire company, and some say why worry about creating and updating documentation, because it changes so often. These are valid points only if you have a small company. For most of us, this lack of documentation creates a gap in our security. So, what do you genuinely need to have documented at a minimum? Probably the most essential technical pieces of security documentation are the physical and logical network maps, along with all of the controls that you have to protect your physical offices and data. Usually, this information should be about 5-10 pages minimum. Then you need to document what happens in case you suspect a hacker got in (called incident response) and what you will do if an actual breach occurs. These two things are about another five pages minimum.
Practice and Play
Too often the only time most security staff do major work or get their hands on equipment and configurations is during a production issue. Some companies have a test environment for developers, but few have a duplicate test environment for security, even one with older equipment. So, this is a challenge to overcome, because the best way to learn about security is through practice and playing with the configurations to see what happens. The value of this can’t be overstated, because when an issue occurs in real life (and they will), the person who has practiced and played around will usually solve the issue much faster than a person who hasn’t had this hands-on experience. Said another way, increased experience directly translates into increased confidence and capability, which results in reduced downtime and loss of revenue.
Prevent Perpetrator Penetration
There are a lot of simple process controls that can be implemented to stop hackers in their tracks without spending a dollar. Some financial examples are: requiring dual authorization for all international wires over a certain amount, requiring senior management approval before a new international vendor is added to the accounts payable system, and giving Finance staff the OK to question all emails involving money or banking information from C-level staff or senior management (even when they are marked urgent or emergency). Another great example is that most of the people reading this article can still send an email or a data file using their company’s systems to any number of hostile or hacker-friendly countries without it being blocked. Also, most companies still allow these same rogue countries to email their corporate users because they are not being blocked. So, is it any wonder that hackers can get into companies and get the information out so quickly? If your business is still allowing any type of unrestricted data transfers to these countries, it is way past time to put some blocks in place. As an added security measure, you should block every country that you are not doing business with or need for tech support. This stuff is not rocket science, but common sense.
Penetration and Vulnerability Testing
No matter how good you think your router (or external) defenses are, you need to test them to make sure they are working and can withstand an attack. Penetration testing not only looks for holes, gaps or weaknesses in your defenses (like an open window or door) but actually tries to go in that opening (penetrate) and see what else it can do, just like a hacker would. It will go as far into your defenses as possible to see what the full extent of the damage would be, without harming anything. This test is usually run once a year due to its expense, the time it takes and the potential impact to systems. When this type of extensive testing cannot be run due to cost or potential impacts, another more straightforward, non-intrusive test called vulnerability scanning (or testing) can be substituted instead. This lesser test is quite effective at finding surface holes, gaps or weaknesses as well. It should be run quarterly at a minimum, with monthly being better. It is a great low-cost and low-impact option, whereas penetration testing can be very costly. Quarterly scanning may seem excessive to some, but hackers are getting better, so you want to find the issues before the hackers do, so you can fix them.
If you have any technology device, even a smartphone, you must keep it up to date with patches (aka updates) and the latest or newest versions. Why? Software always has weaknesses, and over time even more weaknesses will be found. By updating your software, you close off those weaknesses.
Just in case you do join the unfortunate ranks of those that are hacked, you need to make sure your insurance coverage covers breaches and their associated costs. Why? Many policies do not cover breaches directly, so it is best to ask in advance of something happening, to be prepared.
Even if you have everything mentioned here in place, there needs to be a quality or audit process checking the security processes and their monitoring. Instead of a team, this monitoring could also be performed by a person who is very detail conscious. As a recent example of why this security monitoring is necessary, some individuals and companies are continually searching for unsecured Amazon S3 buckets. When they find them, they publish the weakness in the press so everyone can see it, harming the company with the weakness (even though the data was not breached or taken). They do this under the false guise of public service, but they are often selling security monitoring services for cloud-based data. Since your company is in their crosshairs, your defenses must be perfect and work every time, whereas these individuals or hackers only have to find a problem once with your defenses.
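One concrete form the audit process described above can take is a routine check of your own S3 bucket policies for statements that grant access to everyone, so that you find an exposed bucket before an outsider does. The script below is an added example written for this article, not code from the author or from Amazon; the bucket names and policy documents in it are constructed samples, not real accounts. It reads each policy as the JSON document S3 stores, and flags an `Allow` statement whose `Principal` is `"*"` (or `{"AWS": "*"}`) as public, treating one that also carries a `Condition` as needing human review rather than as an automatic finding.

```python
import json
from typing import Dict, List

# Constructed sample bucket policies keyed by bucket name (not real buckets).
SAMPLE_POLICIES: Dict[str, str] = {
    # Classic anonymous read: everyone on the Internet can fetch objects.
    "public-read-bucket": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::public-read-bucket/*"}]}),
    # Same exposure written with the {"AWS": "*"} principal form, plus listing.
    "wildcard-aws-bucket": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow", "Principal": {"AWS": "*"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::wildcard-aws-bucket",
                         "arn:aws:s3:::wildcard-aws-bucket/*"]}]}),
    # Wildcard principal restricted by a condition: may be fine, must be reviewed.
    "conditioned-bucket": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::conditioned-bucket/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]}),
    # Access limited to one account (placeholder account id): not public.
    "private-bucket": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": "s3:*", "Resource": "arn:aws:s3:::private-bucket/*"}]}),
    # A Deny to everyone grants nothing, so it is not a public-access finding.
    "deny-only-bucket": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": "arn:aws:s3:::deny-only-bucket/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
}


def _principals(principal) -> List[str]:
    """Flatten the Principal element ("*", a string ARN, or a dict of lists)."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        flat: List[str] = []
        for value in principal.values():
            flat.extend(value if isinstance(value, list) else [value])
        return flat
    return []


def public_statements(policy_json: str) -> List[dict]:
    """Return the Allow statements in a bucket policy whose principal is everyone."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written bare
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        findings.append({
            "actions": [actions] if isinstance(actions, str) else list(actions),
            "conditional": "Condition" in stmt,
        })
    return findings


def audit_buckets(policies: Dict[str, str]) -> Dict[str, str]:
    """Classify each bucket as PUBLIC, REVIEW (wildcard with a Condition) or OK."""
    verdicts: Dict[str, str] = {}
    for bucket, policy_json in policies.items():
        findings = public_statements(policy_json)
        if any(not f["conditional"] for f in findings):
            verdicts[bucket] = "PUBLIC"
        elif findings:
            verdicts[bucket] = "REVIEW"
        else:
            verdicts[bucket] = "OK"
    return verdicts


if __name__ == "__main__":
    for bucket, verdict in audit_buckets(SAMPLE_POLICIES).items():
        print(f"{bucket}: {verdict}")
```

To run this against real buckets you would feed it the policy text returned for each bucket by your AWS tooling in place of `SAMPLE_POLICIES`. It deliberately checks only the bucket policy; a complete audit also has to look at bucket ACLs and the account's public access block settings, which can expose or protect a bucket independently of the policy, so treat an `OK` here as one passed check, not as proof the bucket is private.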
Continually improving all of the above areas will help you stay ahead of the hackers, because they are always getting better. If you choose not to improve continually, then the hackers will eventually find you and make you their prey.
Welcome to the new era of cyber warfare. Get smart or get hacked…the choice is yours.