Every year, many companies, large and small, invest a large amount of resources into their information technology (IT) systems including, but not limited to, costs for computers and related hardware equipment, software, Internet access, cybersecurity, and personnel training. Businesses rely on IT systems for storing and processing important financial and other sensitive information, accessing the Internet, communicating through email, and running programs they need to use on a daily basis.
All the systems that run on a network and use the Internet to gather information and perform cloud services should be protected from unauthorized, inappropriate, and wrong use. Protecting IT assets is a duty that falls not only on IT teams but also on the executives who can allocate the right resources to protect the corporate network.
In light of increasingly sophisticated threats and ransomware attacks against local governments and financial institutions, management is responsible for ensuring that the right IT internal controls are in place and performing as intended.
But where a small business should start in evaluating the cyber security of its network?
A security self-assessment should be the first step towards evaluating the effectiveness of the whole IT operation.
1- INTERNAL CONTROLS
Internal controls are policies and procedures that involve authorization and oversight of the IT operations. In this role, the Chief Executive Officer of a company works with the Chief Information Officer to elaborate and enforce procedure to help staff achieve optimal cyber security results. It is also not uncommon to see that CEO and CIO use a third party vendor to assess and establish the rules governing internal controls.
2- THE MAIN CYBERSECURITY MODEL
The main information security model is based on three key areas:
1) CONFIDENTIALITY: this section is linked to privacy and trust. Confidentiality is a set of policies that prevents or minimizes the unauthorized access to the company’s sensitive data and assets.
2) INTEGRITY: Integrity deals with the quality of the data that is stored and handled on a daily basis. Accurate and complete data are essential for good decision-making.
3) AVAILABILITY: if data cannot be accessed when needed, there will be little value. The most secure systems are those that are also the most available at all the times against power outages, natural disasters and attempts by individuals with malicious intent.
3- BUILDING LAYERS OF DEFENSE
A network system should implement multiple layers of security to protect its assets and data. If there is only one layer of security, a single attack can have access to the network and compromise company’s assets. A combination of structured layers can reduce the risks of breach to a minimum and safeguard the corporate network from intruders who always try to gain control.
4- IT POLICIES
IT policies define the correct use of the equipment and the appropriate use behavior. In this scenario, IT admins explain the consequences of policy violations but also provide the means of communicating the users the policies that are in place and how to be compliant with the general network security rules.
For example, a policy that deals with Internet and email use, should describe what constitutes
appropriate and inappropriate use of IT resources, along with the expectations employees have concerning personal use of IT equipment and user privacy (e.g., management reserves the right to examine email, personal file directories, web access history and other information stored on
corporate computers, at any time and without notice). It should also describe the consequences for policy violations (e.g., an employee found to have violated the policy may be subject to disciplinary action, up to and including termination of employment).
5- MOBILE DEVICES
As explained in my post regarding part 1 of cyber security for small businesses, given the increase relevance and use of smart phones and tablets in a corporate network, I recommend to lay out a specific policy for mobile devices that stresses the importance of Mobile Device Management. MDM is an access control policy that prohibits certain apps in a corporate environment and monitors the use of those that are already installed in the smart phones. A policy related to mobile devices should also have provisions about reporting lost or stolen devices and contemplate rules about the approval of new devices that get connected to the corporate network.
6- IT PERSONNEL AND STAFF TRANING
Cybersecurity is a process that leads to training two categories of users:
1) IT Personnel: IT personnel needs to be constantly up to date about the evolution of threats and how to harden the IT systems used by the help desk as well as by the regular employees. In this context, it is paramount to learn from reputable resources how to stay abreast in the cyber space.
2) Employees: if employees are not trained to observe the security policies in place, they will end up being the weakest line of defense. Management should set up training for IT admins as well for employees who most of the time are unaware of the attacks perpetrated to a company network. Internet safety and email security are the first line of defense employees should learn about.
The failure to provide IT security training and raise awareness increases the risk that users will
not understand their responsibilities, putting the data and IT resources with which they have been entrusted at greater risk for unauthorized access, misuse, or abuse. For example, without training and awareness, employees may not understand how their Internet browsing could cause their computers to become infected with spyware that may compromise any personal, private, or sensitive information.
The discussion about IT security and training should focus on the following matters:
If training and real time alerts are made available to IT admins and users, the risk of compromising a network will become minimal because everyone will get involved in training and displaying a proactive behavior.
7- MORE IT WORK TO DO
A network that is really secure is the one that properly identifies and locates all the devices in a network. If a single device is not tracked and tech support does not know where it is used and who is using it, that can become a larger issue and a potential launching point for further network attacks. An accurate inventory made by IT personnel will also record patch management and software licensing compliance. When a device is easily identifiable in a corporate network, it will be faster to apply patches and address known vulnerabilities. If the company prefers to contract with a vendor to address patches and vulnerabilities a Service Level Agreement should indicate which applications and operating systems are covered and when patches will be applied to the devices.