Thursday, April 30, 2020

The Hard Truth

photo credits: Dreamstime


Whenever there is a crisis, the vultures and jackals will circle (and I mean no disservice to those vultures and jackals of reputable nature). In the days and weeks of the COVID-19 pandemic, the ne'er-do-wells have stepped up their game, and cyber-attacks on businesses and individuals have escalated. While this speaks to the baser side of human nature, the side that would maliciously take from others for personal gain, this post is not directly about that.

What this IS about is what we can do about it.

Sadly, many of us have the tendency to bury our heads in the sand and tell ourselves that “it will NEVER happen to me”.

Well, friends: yes, in fact, it IS going to happen to you. Maybe not today, perhaps not tomorrow, but at some point you will find yourself in the cross-hairs of the enemy, and he ain't flinching when he pulls that trigger. Whether or not you are the recipient of a cyber head-shot is entirely up to you.

In this day and age of heightened cyber-threats, the smart money is on ensuring that you have covered every base when it comes to securing your digital house from the jackals at the door. As a US military veteran from the Cold War era, I could regale you with stories of the days of foreign agents in trench coats trying to turn people to the dark side, and while some of the foundations are the same, the tools are far more sophisticated than getting a sailor drunk and offering fat wads of cash for information.

The concepts are not new, but the tools have evolved. Understanding the mechanics of the threat is vital to protecting our assets. Too many examples exist of a "lock up after the bad guy has been and gone" mentality. One stunning example is the Equifax breach, but that is just one of many cases where the bad actor had been well entrenched. It's time to have the hard conversation with ourselves about how much risk is too much.

Rather than spout a collection of buzzwords and fall victim to trendy posturing, we need to roll up our sleeves and get down to business: a deep assessment of where we are and how we prepare ourselves for those who would do us harm. For starters, we need to ask ourselves several direct questions:
  • Are we ready to take security seriously?
  • Do we have the right policies in place to educate, guide and hold our workforce accountable?
  • What are our strengths, weaknesses, opportunities, and threats?
  • Do we have the right people in place, both internally and externally, to make a move to a more secure footing?
  • Do we understand the potential cost of doing nothing?
  • Are the experts we are paying for doing the job? 

For many, especially in the SMB space, the answers to these questions can be an eye-opening experience. No one is too small to be noticed. No industry escapes the scrutiny of those with malicious intent. The key to a successful security policy is to understand that it is going to change. It has to be able to evolve along with the threats that are present, which means it has to be regularly re-evaluated. There is no such thing as a one-size-fits-all policy. Even the NIST Security Framework has components that may or may not apply to your organization.

Like in any 12-step program, the first step is accepting that you have a problem. We ALL have a problem. Do we have the willingness to address it? The important thing to understand is that you don't have to go it alone.

If you are ready to have that conversation, we are ready to help. With over 30 years in the information security arena, NetWerks is ready to guide you to a much more secure place. Reach out to us through our web site to set up a no-cost, no-obligation meeting to get an idea of where you stand.

Wednesday, April 29, 2020

How good is your password


Did you know that a weak password is one of the biggest security risks you face? This blog focuses on the password best practices you can follow to ensure passwords are not your weakest link.

  1. Avoid sequences and repetitions: How many times have you used passwords like dollar12345 or $$$BobMckinley? Passwords containing sequences and repetitions are simply easier to crack.
  2. Avoid using your personal data: Do not make your birth date, bank account number or address part of your password. It puts your data at stake if your personal information is stolen.
  3. Don't repeat passwords: Pick a unique password every time. Unique not only verbatim, but also in structure: for example, if password one is numbers, symbols and letters in that sequence, password two should be letters, numbers and symbols.
  4. Manual password management is not a good idea: Invest in a good password management tool. You can even find some free ones online. But manually managing passwords by writing them down in a spreadsheet is a big NO.
  5. Password sharing: Discourage password sharing across the organization. Every employee should have their own access to data, scoped to their role and authority. Password sharing gets things done faster, but can do irreversible damage.
  6. Password policy: Have a password policy in place and enforce it. Conduct timely audits to ensure passwords meet the specified standards. Also take corrective action against employees who don't follow your policies on password sharing, password selection, etc.
  7. Don't use dictionary words: Password-cracking software guesses dictionary words quickly. The key is to mix things up a little: some numbers, some symbols, some punctuation and some letters.

Don't choose passwords that are far too simple just because they are easier to remember; more often than not, that will get you into a lot of trouble.
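Rules 1, 2 and 7 above, and the audit called for in rule 6, can be turned into a mechanical check. The script below is an added example, not NetWerks' code or a tool the post mentions. It flags sequences, repeated characters, personal data, dictionary words and a poor character mix. The 12-character minimum, the three-character-class requirement, the run lengths and the six-word list are constructed assumptions; a real deployment would use the organisation's own policy and a large breached-password list in place of `SMALL_DICTIONARY`.

```python
"""Password policy checker for the post's rules: sequences and repetition (1),
personal data (2), dictionary words and character mix (7).

Added example, not NetWerks' code. Thresholds and the word list are
constructed assumptions, not a recommended standard.
"""
import re
import string
from typing import Iterable, List, Set

# Constructed stand-in for a real dictionary / breached-password list.
SMALL_DICTIONARY: Set[str] = {"password", "dollar", "welcome", "summer", "letmein", "secret"}


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by exactly +1 or -1 (abcd, 4321, 12345)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_repetition(pw: str, run: int = 3) -> bool:
    """True if any single character appears `run` or more times in a row ($$$, aaa)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def contains_personal_data(pw: str, personal: Iterable[str]) -> bool:
    """True if any supplied personal field (name, birth year, street ...) appears in pw."""
    low = pw.lower()
    return any(p and p.lower() in low for p in personal)


def contains_dictionary_word(pw: str, words: Set[str] = SMALL_DICTIONARY, min_len: int = 4) -> bool:
    """True if a word of at least `min_len` letters from the list appears in pw."""
    low = pw.lower()
    return any(len(w) >= min_len and w in low for w in words)


def character_classes(pw: str) -> int:
    """Count how many of the classes lower, upper, digit, punctuation are present."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(1 for cls in classes if any(c in cls for c in pw))


def check_password(pw: str, personal: Iterable[str] = ()) -> List[str]:
    """Return every policy violation found; an empty list means the password passes."""
    problems: List[str] = []
    if len(pw) < 12:  # assumed minimum length
        problems.append("shorter than 12 characters")
    if has_sequence(pw):
        problems.append("contains a character sequence (rule 1)")
    if has_repetition(pw):
        problems.append("contains repeated characters (rule 1)")
    if contains_personal_data(pw, list(personal)):
        problems.append("contains personal data (rule 2)")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word (rule 7)")
    if character_classes(pw) < 3:  # assumed minimum character mix
        problems.append("uses fewer than 3 character classes (rule 7)")
    return problems


if __name__ == "__main__":
    # The two passwords the post names, plus one constructed password that passes.
    for candidate, fields in [("dollar12345", []),
                              ("$$$BobMckinley", ["Bob", "McKinley"]),
                              ("Vl9#rq!Ptz2&Wm", [])]:
        print(candidate, "->", check_password(candidate, fields) or "OK")
```

Run during onboarding or as part of a periodic audit, `check_password` gives the auditor a reason for each rejection rather than a bare pass/fail, which is what makes the corrective action in rule 6 explainable to the employee.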

Wednesday, April 15, 2020

Keeping your data safe: Access Control


Cyberattacks are commonplace today. Malware such as viruses, worms and, more recently, ransomware not only corrupts your data or holds it hostage, but also inflicts irreversible damage on your brand and business. As a norm, most businesses these days do invest in anti-virus/cybersecurity systems. But is that really enough? The answer is NO, because they often overlook one important aspect: access. Ask yourself: how easy is your data to access? How can you strengthen the walls that keep your data safe? Read this blog to find out.

Role-based access

Always follow a role-based access permission model, meaning people in your organization have access to ONLY the data they REALLY need. Generally, the higher the designation, the deeper the data access permission and the stronger the rights, though what decides a grant is what the role actually has to do. For example, someone at the executive level may not be able to edit your MIS spreadsheet, but a manager should be able to.
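The MIS spreadsheet example can be expressed as a small default-deny authorization check. The code below is an added illustration, not NetWerks' code or any product's API; the role names (`executive`, `manager`, `analyst`), the resources and the actions in `ROLE_PERMISSIONS` are constructed to mirror the post's example, and `AccessLog` is a stand-in for whatever audit trail the organization keeps.

```python
"""Default-deny role-based access check for the MIS spreadsheet example.

Added example, not NetWerks' code. Roles, resources and actions are
constructed: a manager may edit the MIS spreadsheet, an executive may
only read it, and anything not explicitly granted is denied.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# A permission is a (resource, action) pair; a role is a named set of them.
Permission = Tuple[str, str]

ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    # Constructed sample roles, not a real organisation's matrix.
    "executive": frozenset({("mis_spreadsheet", "read"), ("board_report", "read")}),
    "manager":   frozenset({("mis_spreadsheet", "read"), ("mis_spreadsheet", "edit")}),
    "analyst":   frozenset({("mis_spreadsheet", "read")}),
}


def effective_permissions(roles: Iterable[str]) -> Set[Permission]:
    """Union of everything the given roles grant; an unknown role grants nothing."""
    granted: Set[Permission] = set()
    for role in roles:
        granted |= ROLE_PERMISSIONS.get(role, frozenset())
    return granted


def is_allowed(roles: Iterable[str], resource: str, action: str) -> bool:
    """Default deny: allow only if some held role explicitly grants (resource, action)."""
    return (resource, action) in effective_permissions(roles)


@dataclass
class AccessLog:
    """Append-only record of decisions so denials can be reviewed in an audit."""
    entries: List[str] = field(default_factory=list)


def check_access(user: str, roles: Iterable[str], resource: str, action: str,
                 log: AccessLog) -> bool:
    """Evaluate one request, record the decision, and return whether it was allowed."""
    role_list = sorted(set(roles))
    allowed = is_allowed(role_list, resource, action)
    verdict = "ALLOW" if allowed else "DENY"
    log.entries.append(f"{verdict} user={user} roles={','.join(role_list)} "
                       f"resource={resource} action={action}")
    return allowed


def denied_attempts(log: AccessLog) -> List[str]:
    """Pull the DENY lines: a cheap starting point for the quarterly access audit."""
    return [e for e in log.entries if e.startswith("DENY")]


if __name__ == "__main__":
    log = AccessLog()
    check_access("pat.manager", ["manager"], "mis_spreadsheet", "edit", log)  # allowed
    check_access("sam.exec", ["executive"], "mis_spreadsheet", "edit", log)   # denied
    check_access("sam.exec", ["executive"], "mis_spreadsheet", "read", log)   # allowed
    check_access("new.hire", [], "mis_spreadsheet", "read", log)              # denied: no role
    for line in log.entries:
        print(line)
```

The two design choices worth copying are that the check starts from nothing and adds grants (a user with no role, or a misspelled role, gets no access), and that every decision is written down, because the denied attempts are where an audit finds both over-reaching users and roles that were scoped too tightly to do their job.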

Formal password controls

No matter how good your cybersecurity is, you need to ensure the protocols are followed at the ground level. Enforce password policies strictly and hold violators accountable. Examples include:
  • Password combinations - Ensure your staff follow the recommended best practices when selecting passwords so there are no 'easy-to-crack' passwords.
  • Password sharing - Thoroughly discourage password sharing across your organization. No matter who asks for it, passwords shouldn't be disclosed unless authorized as per the protocols.

Don’t ignore physical security

Virtual security is a must, but so is physical security. Though there is only so much physical access control can do to keep your data safe in today's BYOD era, don't overlook this aspect. CCTV cameras on the floor, biometric or card-based access to your workspace and server rooms, and similar measures also have a role to play in data safety from the access perspective.

Training & reinforcement

Finally, train, train, train. You need to train your employees on the protocols for data security and access so they don't slip up accidentally. Conduct mock drills and refresher training, follow up with quarterly audits, and use positive and negative reinforcement to ensure everyone takes it seriously. Because at the end of the day, no cybersecurity software is good enough if the best practices related to data access are ignored.