Cybersecurity in the Digital Age
There are a huge number of potential cybersecurity threats to your business today. If you have a computer at your company, then the company is at risk. The bigger the company, the more risk there is, as larger companies could be specifically targeted. But every company is going to receive emails that attempt to steal customer data, spread viruses, or encrypt computers on the network and then charge a fee to get the data back.
The biggest worry about the constant onslaught of these attacks is that attackers only need to be successful once, while the company defenses need to be successful every single time. There are ways to prevent your company from falling victim to an attack, with little to no disruption to the employee processes.
1. Multi-factor authentication and USB tokens
Multi-factor authentication (MFA) isn't new; in fact, I was using it at my first IT job in the late 1990s, and it was commonplace even then. Now, though, the set-up is more complex. Today we use a phone app or a single device.
When you log into a website using an MFA phone application, the system will send a push notification for you to approve. Or it will prompt you to enter a code into the website.
A physical USB token is more secure, but more expensive. This key stores a digital certificate that matches the account you are trying to sign in to. For systems like email or banking, MFA or a USB token is imperative to ensure that you, and only you, are accessing the system using your credentials.
The upside to the USB token is that you must have the physical device. With traditional MFA, if an attacker gets someone's password, they can call the person, pretending to be an employee of the company that runs the website, and ask for the code. With a USB token there is no code. If you are logging into the site from a computer that doesn't have the USB token physically attached to it, you can't log in. All the major email authentication systems support both MFA and USB tokens.
The biggest downside to USB tokens is the cost, about $50 each. Employees should have two, in case one is damaged. When employees leave, those tokens probably aren't going to be returned. Some companies have their IT teams and senior leadership use the tokens; the rest of the employees use MFA on their cell phones.
MFA is highly recommended. Note that websites or systems using email or text messages to deliver MFA codes are not secure. Email can be compromised (unless secured with proper MFA) and text messages can be easily intercepted or redirected to a different phone.
2. User Account Controls
Microsoft introduced User Account Controls years ago in Windows Vista. The idea is that when you do something in Windows that requires administrative rights in the operating system, even if you are an administrator, the computer will ask if you really want to do this. While the pop-ups requesting permission to perform some task can be annoying, they appear because a program has told the operating system that it needs additional rights, and the operating system is asking the user for permission.
Unfortunately, this won't stop all viruses. The "effective" viruses will be able to do their work without asking for administrative rights, but it will stop some from running.
3. Reduce or remove permissions
In the IT world, we work within the concept of "least privilege." This means that you only give an employee system rights for what they're tasked to do. No more access, and no less. While this can be a lot of work up front, it gives a greater level of control and security to ensure that employees can't access things they shouldn't be accessing.
Least privilege should apply everywhere in the IT environment, not just to sensitive parts of the network, such as where the finance department stores employee salary information. Most employees don't need access to other employees' home directories on the network, for example. IT systems administrators, however, might need this access so that they can perform audits, backups, etc.
While gathering information about employees' duties and the permissions they require will be cumbersome, the end result is a more secure environment for the company.
4. Internet blocking
The least popular change for employees is implementing (or increasing) internet blocking at the network edge (the routers which connect the company to the internet). By increasing internet traffic inspection and blocking suspect traffic, you can stop viruses and ransomware from being downloaded accidentally or from phoning home to their command-and-control servers to get instructions.
While this will help stop malicious activity on the network, there is a chance (depending on the fine-grained control you have over the blocking process) that you'll block legitimate websites as well. There is a workaround for this, which is to whitelist any blocked legitimate websites. This requires employees to report the legit websites to someone in IT who can fix the problem.
A successful internet blocking process involves a solid communications plan with employees and an easy way for them to report blocked websites that should be whitelisted.
Part of turning on internet blocking also involves inspecting the network traffic between the users and the internet. This will usually increase the network router's CPU load and slow the maximum network traffic speed the device can support. Depending on the router's current load, you may need to upgrade to a more powerful router to enable these features without impacting network performance.
Companies can increase their IT security using these four fairly simple techniques, while reducing cybersecurity threats. Most will cause little to no change in how employees work. However, a network change or MFA implementation will require a one-time set-up by each employee, followed by a slight change in how they work on a daily basis. All are worth the additional effort to prevent a data breach.
This article was written by Denny Cherry from Inc. and was legally licensed through the DiveMarketplace by Industry Dive. Please direct all licensing questions to legal@industrydive.com.