OK, for the last little bit I've focused mostly on users and cyber security. Now that it's the work week, let's focus on business risks. Businesses have different cyber security risks for two reasons: more exposure, and what they do with data.
On the surface businesses have the same problems as users, because they are made up of a large number of users, so: firewalls, antivirus, malware, browsers, and deciding what to do about Windows. (No, I won't answer that question; I'm doing enough for you just by asking it.) But everything is scaled up, and there is probably traffic going both ways over the perimeter of the network. On top of that your business generates data of some sort, and you may have data owned by your customers stored on your servers. Your risks are more than a few criminals trying to steal some credit card numbers. They include losing computers to botnets, losing proprietary data, losing data owned by clients, and denial of service.
As a business you are best served by either getting enough people in your IT department to properly assess and implement a cyber defence, or, if your IT department can't get big enough, hiring in some experts. Don't just do what I say; get someone to look at your situation and give you a proper plan. I can't possibly put everything you need to consider in a single blog post, and you should not rely on one person's single post to develop your cyber security.
BUT that plan has to include some basics: perimeter defence, with firewalls and intrusion detection. Web-facing servers that accept only secure protocols, with encrypted traffic for everything. All databases backed up, with access controlled and data encrypted at rest. Back up everything and use configuration management.
Then implement everything we have talked about before: antivirus, malware protection, email spam and phishing filtering, and make sure everyone is using modern, patched and updated software: OS, browser, email, everything.
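One concrete check that falls out of "only secure protocols on web-facing servers" is to audit what a server is actually listening on and flag anything exposed beyond the allowed encrypted services. Below is an added example (my own code for this post, not something the author published or any vendor's tool) that parses the output of `ss -tlnp` on Linux and reports wildcard or public listeners that are either plaintext protocols or not on the allowlist. The allowlist (`ALLOWED_EXTERNAL`), the plaintext port table and the sample `ss` output are all assumptions constructed for the example; adjust the allowlist to your own plan.

```python
"""Audit a Linux host's listening TCP sockets against a perimeter policy.

Added example for this post, not the author's code.  Input is the text of
`ss -tlnp`; the sample below is constructed, not captured from a real host.
"""
import re
from dataclasses import dataclass

# Policy assumption for the example: only HTTPS and SSH may be reachable
# from outside.  Anything else listening on a non-loopback address is flagged.
ALLOWED_EXTERNAL = {443, 22}

# Well-known ports whose default protocol carries credentials or data in the
# clear.  Exposure of these contradicts "encrypted traffic for everything".
PLAINTEXT_PORTS = {
    21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap",
    3306: "mysql", 5432: "postgres", 6379: "redis", 11211: "memcached",
}

# Constructed sample of `ss -tlnp` output (no real host was queried).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     *:443                *:*                users:(("nginx",pid=1204,fd=6))
LISTEN  0       511     *:80                 *:*                users:(("nginx",pid=1204,fd=5))
LISTEN  0       80      0.0.0.0:3306         0.0.0.0:*          users:(("mysqld",pid=990,fd=21))
LISTEN  0       128     127.0.0.1:6379       0.0.0.0:*          users:(("redis-server",pid=700,fd=6))
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*          users:(("java",pid=1500,fd=44))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# State, Recv-Q, Send-Q, then local addr:port, peer addr:port, optional process.
# The address group is greedy, so "[::]:22" still splits at the last colon.
LINE_RE = re.compile(
    r"^\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    proc: str

    def exposed(self) -> bool:
        """True unless bound to a loopback address (wildcards count as exposed)."""
        return not (self.addr.startswith("127.") or self.addr in {"::1", "[::1]"})


def parse_ss(text: str) -> list[Listener]:
    """Parse `ss -tlnp` output into Listener records, skipping the header."""
    listeners = []
    for line in text.splitlines()[1:]:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines we do not understand rather than guess
        listeners.append(Listener(m["addr"], int(m["port"]), m["proc"] or "?"))
    return listeners


def audit(listeners: list[Listener]) -> list[tuple[int, str, str]]:
    """Return (port, process, reason) for every exposed listener that violates policy.

    Plaintext services are reported first by reason so they stand out; an exposed
    port that is neither plaintext nor on the allowlist is reported as unexpected.
    """
    findings = []
    for l in listeners:
        if not l.exposed():
            continue
        if l.port in PLAINTEXT_PORTS:
            findings.append((l.port, l.proc,
                             f"plaintext {PLAINTEXT_PORTS[l.port]} exposed on {l.addr}"))
        elif l.port not in ALLOWED_EXTERNAL:
            findings.append((l.port, l.proc, f"unexpected exposed listener on {l.addr}"))
    return sorted(findings)


if __name__ == "__main__":
    for port, proc, reason in audit(parse_ss(SAMPLE_SS)):
        print(f"{port:>5}  {proc:<14} {reason}")
```

On the constructed sample this reports the `nginx` listener on 80, `mysqld` on 3306 and the unknown `java` service on 8080, while the Redis instance bound to 127.0.0.1 passes. Two caveats: a port-80 listener that only redirects to HTTPS is a common deliberate exception you would document rather than remove, and a listener being bound to a wildcard address does not by itself prove it is reachable from the Internet, so run the audit alongside a review of the firewall rules in front of the host.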
Employees are your biggest asset and your biggest worry. They can cause problems, mostly not maliciously, by deleting or changing things without knowing enough about what they are doing, or by bringing a virus into your network. Your best bet when it comes to security and users is to teach them everything you can about security. Trying to force users to be secure does two bad things: 1) it doesn't actually make them secure, and 2) it pisses them off, making them less productive and costing you a ton of cash. SO instead of telling people how to work within a confined set of tools, let them use what they need to do their jobs and support them with the proper tools, even if it means supporting multiple platforms; it will cost you less in the end. Educate them on how to spot phishing attacks, especially your management. Educate them about what is a security risk, what they can do at work and what they shouldn't.
Use a diverse set of tools and platforms. Many of the attacks that have been crippling for companies succeeded because so many of their systems shared a common mode of failure. Yes, there is a small risk that having more platforms opens you to more attacks, but in practice that is not the case. Attackers want to do the least work possible to get results, and they generally stick to the lowest common denominator; if your attacker can't be sure what platform to attack, they are much less likely to attack effectively.
Security for your company is not any one person's or group's responsibility; everyone in your organisation must be involved, educated and engaged.
I never said I would tell you how to make your network secure, and there is no way anyone could put everything in one post. If you have a specific question or want to see something on a specific item, please post in the comments.