Last month, we talked about a lot of the potential problems your business could face if you do not create a culture of awareness about cyber security risks. Now we will review the steps you can take to operate more securely.
The most important item in your arsenal to fight cyber criminals is education. Please make sure you are taking the time to talk to your users about the potential hazards and common attacks. Adhere to policies in your company that create additional layers of security when monetary requests are made via email. At Level Green, our company policy is that the owners will never ask for gift cards and that all monetary requests should be verified through a phone call or text message. Show your users what a spoofed email looks like (it’s harder to spot on phones) and compare that to a real email. Talk to them about getting emails from unexpected people with attachments. You need to constantly talk about it until it becomes culture.
Another great tool for fighting email attackers is a spam filter. There are lots of them available on the market. Some have very granular configurations, while others are very easy to set up and manage. Some even use artificial intelligence to help predict problematic patterns. Both Gmail and Microsoft Exchange (Outlook) offer some rudimentary filtering capabilities, but I would highly recommend increasing your protection level by adding a third-party filter.
A great way to be more protected, which you have probably already done, is to move to cloud platforms. With most cloud platforms, your data is stored in a secure database, backed up and replicated by the platform provider. If you use cloud platforms, you have less to worry about because you are not storing the data and therefore do not need to protect it. The onus of that lies with the platform. I say “most” because you need to read your terms of service with each platform and truly understand how your data is being kept and backed up. Some providers may not be backing up data, or they may not be following best practices for data storage. One of the most important questions you want to ask is: How are they storing sensitive data? You want to make sure anything sensitive is being stored using encryption and not in plain text. That way, even if the database is compromised, the data is still protected.
Another benefit of cloud platforms is that you no longer need to maintain and protect on-premises servers. When you run an application or store data within your network, you need to make sure you have great firewall protection so that people cannot break in. You also need systems that can detect if data is being accessed in a strange manner (such as large volumes of data being moved outside the network or to a flash storage device) so that an alert can be triggered. As more of your systems move to cloud platforms, the need for hardening your incoming network defenses drops since there is nothing within your network to protect. If you do not have an on-premises server to run your applications, email, file storage or Active Directory, then the complexity of your network topology will also decrease. There is no need to set up site-to-site virtual private networks if your shared files are stored with a service like Dropbox or Google Drive, where files are accessible from anywhere. Most cloud platforms also allow great management so you can set up different permission levels to grant different people within your organization access to specific items, for example, setting up a folder for only the sales team. As your network complexity decreases, you will likely not need a managed services provider to help administer your network, which can lower your IT costs.
The culture of security awareness should not stop with your managers or administrative staff. Your crews and field staff are important components of your security posture as well. A mobile device manager will allow you to manage company phones handed out to staff to prevent unauthorized data usage, block unwanted app downloads and remotely wipe a device if it gets lost or stolen. If your field staff uses company email, they need the same training you are giving your office staff.
With these practices in place and a strong security culture within your company, you can rest a little more easily with technology.