Are you confident your business is protected?
Simplifying the protection of your business was never going to be an easy business, was it? The technology world has morphed from a back office function to a whole life function covering virtually every area of your business and personal life.
The line between flexible, and therefore agile, working and the need, for a host of reasons, to keep control is a moving and often unseen one.
It is important to remember that businesses are targeted at all levels. It is not just the FTSE 250 of the world that are experiencing these breaches. According to a July 2014 article by Forbes, SMBs are key prey for hackers. In 2013, SMBs collectively made up more than half of all targeted attacks at 61 percent – up from 50 percent in 2012 – with medium-sized businesses seeing the largest increase.
In our view the 4 Keystones are:
Keystone 1 – Build a security Plan
Building a security plan is the first, and some would say the most important, step in protecting a business network. This should be a methodical process that includes the IT team and key business stakeholders. Businesses need to not only understand current security trends in the industry; they need to understand the current state of security within their own data center. Building a plan will identify current security lapses so the team can create a comprehensive approach.
Current Policies: A complete assessment of IT and security policies should take place. A security plan will cover many areas and there will be policies around each area, such as Acceptable Use, Passwords, Data Access, Backup and Recovery, and many others. Policies should be reviewed on a regular basis to make sure they are current with the business’ plans and goals.
Device and Software Inventory: Every device from mobile phones to servers should be part of a complete inventory. This will allow the business to understand the complete scope of their environment and the devices, software and systems that have to be part of a security plan. Include hardware configuration, installed business software, and current security patch levels. This will identify if any critical patches have been missed or are not installing properly. While this could be a daunting process for a company with thousands of devices, it is an important step. For example, if it is simply not possible to inventory and check each mobile phone, consider checking at least the mobile devices of top- and executive-level management as well as the IT team. Those individuals are probably the most likely to fully utilise their mobile devices for business, which could put them at greatest risk.
Regulations: If your business is in a regulated industry, take internal advice from your compliance or regulatory team or, if these are external advisers, ask them for best practice guidelines.
Once the fact-finding portion of the discussion is complete, the team needs to take that information and begin to build the actual plan. The process must be comprehensive and the plan should be built by the IT team and key stakeholders. Key points to remember should include:
• Physical servers: Develop a written backup and recovery plan. It should include the ability to restore from an image with confirmed and tested recovery points. It is crucial that copies of the backup are kept at off-site locations in order to protect against a catastrophic failure.
• Virtual servers: Virtualisation provides some wonderful benefits, not only from an IT management standpoint but also from a financial standpoint. However, just like their physical counterparts, virtual servers still require a thoughtful plan for management and security. This should include monitoring and reporting on backup and replication, fault tolerant design, and carefully planned capacity implementation.
• End-user computers: Make sure every time a new computer is imaged it includes local endpoint protection software (antivirus, antimalware) set to auto-update to keep protection strong. Implement usage policies regarding Internet usage, email usage, installing software, downloading attachments and the like. Human error is a large part of security breaches. If possible, consider desktop virtualization or thin client computing. These options provide both a flexible and more secure solution for end user access.
• Other devices/Bring your own device (BYOD): While BYOD is becoming a popular solution for businesses, there are also some inherent risks. As the device is not owned by the company, it can be difficult to manage and enforce security policies. Top concerns for BYOD deployment are routinely related to security. It is thought that approximately 22 percent of the total number of mobile devices produced will be lost or stolen during their lifetime, and over 50 percent of these will never be recovered. Will that device contain your valuable business data? As a result, it is important to consider application risks, password strength and possible encryption, as well as remote wiping for lost or stolen hardware.
• Employee security training: Part of any successful security plan includes employee training. Employees should be trained on the policies and procedures implemented by the company as well as best practices for email usage, internet usage, handling corporate data and any compliance related requirements. As company policies change or new ones are instituted, employees will need to be trained on the changes.
Keystone 2 – Implement your Security Plan
The selected endpoint protection software should be installed on all computers, servers, and mobile devices. This software should be updated on an ongoing basis in order to keep protection at a high level. A minimum of two IT team members (for redundancy purposes) should remain active on the email notification list in order to receive notices of critical updates and alerts. It is not uncommon to have “emergency” patch alerts to plug security holes against a recent threat. When the team stays up to date on security best practices and current threat news, the software will be kept current and the network will remain protected.
Regardless of the size of a business, a solid firewall is a key part of keeping networked computers and business data safe and secure. A firewall serves two main purposes. It can filter what traffic comes into the network and it can control what users on the network may send out of the network. Just like all the other parts of the security plan, it is one piece of a larger methodology. The specific settings for the firewall will vary based on the type of other security-related processes in place and the business needs.
According to a recent study, in Q2 the percentage of spam in total email traffic increased by 4.2% from the first quarter of 2014 and came to 70.7%. The percentage of phishing emails in global mail traffic totaled 0.0024%. Malicious attachments were detected in 2.3% of all email.
Quite possibly the biggest variable when it comes to a business protection plan is mobile devices. According to a 2013 global security study, mobile malware has exploded by 400 percent over 2012. Additionally, on average, today’s employee utilizes three different devices for work-related tasks – and they all require security and data protection.
One of the biggest potential threats is when an employee uses a public network. Whether at the airport or the coffee shop, the potential for malware and other threats is ever present. When implementing the mobile device portion of the plan, especially in a BYOD model, it is a good idea to sit down individually with each employee who utilises mobile technology to conduct business and review the new security policy and how it directly affects mobile devices.
Keystone 3 – Ongoing Protection
Once the security plan is in place, it doesn’t mean that the job is done. In reality, it is just the beginning. As mentioned previously, business protection is not a “set it and forget it” type of situation. Protection requires ongoing audits, reviews, and updates in order to keep a network in top shape and data completely protected.
The IT team should regularly conduct security tests to check on software updates for both employee computers and servers. The team also needs to stay apprised of security-related news and best practices. It is a good idea to have IT members participate in security conferences to understand all the nuances and latest technology related to industry best practices in order to prevent digital attacks. Spot checks on desktops are also a good idea to make sure automatic updates are truly taking place. Computers of employees who work with proprietary data should be checked most often.
Keystone 4 – The Cloud
The cloud has been continuously gaining ground in recent years as a safe alternative for data storage, email management, backups, and more. In a cloud environment, instead of the local IT team being charged with maintaining servers in the business location, they work in concert with the cloud service provider to complete these tasks. The servers are physically located at the cloud service provider’s location, and the provider can handle running backups, applying software patches and the like. This approach hands over the management of the physical servers and network infrastructure to the cloud provider, ultimately offering the business a more secure and streamlined environment. A major part of the day-to-day activities of the employees of the cloud provider is to ensure the servers in their charge are completely protected.
As the cloud servers are off-site, access to them is completely independent of location, providing the most agile solution for businesses today. If there is a catastrophic disaster and the primary business location is not available, the users can easily go to a different location and access the data so work can continue with minimal interruption. The cloud service provider keeps the hardware up to date and well protected against malware, viruses, etc. This includes the ability to provide hosted email services in order to gain top-level email security, arguably the most important line of defense against malware. They can also handle backup and scale resources up or down as business needs change. Cloud solutions are a real and viable option for business protection today. According to a new study, 45 percent of participants have moved past the pilot stage of their cloud implementation and 32 percent have a formal cloud computing plan.
In summary, whilst designing a plan can be daunting, if you break your activities down into these 4 keystones you will find that you have a lot of the information already.
Here at Twin Systems it is what we do every day, so if you require any help or advice, please contact us.