The recent changes in the IT environment caused by the COVID pandemic have brought a new focus on business IT Strategy, particularly Information Security. The major moves have been to staff working from home, providing remote access to systems for staff and customers, coupled with many businesses moving to e-commerce. The Cloud has gained a new significance.
Unfortunately, the shifting nature of the work environment has been fortuitous for hackers. Systems quickly opened up to home working and remote access have often proved insecure. In general, malware attacks have increased in virulence and frequency, and ransomware is a real threat, not just to large businesses but to small operators as well.
A group of Russian hackers were arrested over this; they are suspected of masterminding ransomware attacks that pulled in many millions of dollars in cybercurrency. The FBI said in a recent report that ransomware is the fastest growing malware threat.
It’s clear that the IT Leader must ensure the safety of both their own and their customers’ data. Trust is a key metric in the new Cloud environment. If a customer does not trust a site, then they will simply take their business elsewhere. Theft of customer data, particularly financial data, could put the organization out of business.
Here are some strategies for protecting your business from information security threats:
The FBI says that the greatest security threats happen between the keyboard and the chairback. Users do things, deliberately or unintentionally, that compromise security. They click on links in emails that lead to false sites that download malware, they bring in malware-infected media from home systems, and they fall prey to phishing scams.
Education and training from onboarding to termination are vital. Users must know how to identify a phishing email, what to do in the event of receiving one, and what not to do if they see an e-mail they suspect is phoney. Regular reinforcement by email and on-site training is essential.
Password management can be a lottery. Users have often used popular choices like their birthday, car registration numbers or even qwerty and 123456789 as their passwords. They write them down in easily found places. This is becoming more common as users must remember several different passwords for different systems.
Implement a password management policy, supported by software. Passwords need to be of a minimum length and contain a mixture of numbers, letters (upper and lower case) and symbols. Force a change regularly.
Single Sign-on is a double-edged sword. While it helps users by requiring them to remember only one password, it gives a hacker unrestricted access if they know it. SSO must be backed up by solid password management. Consider implementing a two-factor authentication system, so even if unauthorised users access your codes, they will still be prevented from accessing your data.
Portable Media and Cloud Storage
Users often have home systems, the anti-malware status of which is unknown. They also bring portable media like flash drives to the office to share pictures of a recent event, or a game their child has downloaded. This poses a significant risk of introducing malware into the office network.
Two approaches are possible. The first is to disable all USB ports on desktop computers. That may be impractical, especially if they are needed for attached devices. The other way is to make sure that the desktop anti-malware software is configured to block access to the flash drive until it has been scanned.
Another issue with flash drives is the theft of confidential information. It is easy to download information to a flash drive then leave the premises with it in a pocket. For full security, it may be necessary to prohibit their use.
Many users have personal Cloud Storage areas in applications like OneDrive, DropBox and the like. They use them to make sure that their work is accessible from different locations using different equipment, and that it is not lost should they lose a smart device or laptop.
Online Cloud Storage can be hacked and information stolen. It can also be used to hold stolen information by uploading it from a corporate site. It is important to restrict the ability to upload information, other than to trusted sites by trusted staff, and to prevent user access to online storage areas like OneDrive and DropBox.
Induction and termination
While a continuous rolling programme of anti-malware education and training is essential, induction and termination are particular hot points. Inductees need education on company policy and procedures concerning malware, and what to do if they suspect they have been compromised. In short, they need their awareness horizons raised.
Employees who resign, and particularly those who resign under a cloud, need to have all their access rights revoked immediately. A disgruntled employee who has just been fired could cause all kinds of trouble if able to access systems and data.
At a practical level, remote workers will use several different communication methods to log onto corporate systems. These may be private connections, or connections enabled using public facilities, especially WiFi in public spaces like malls and shops.
Staff working from home and road warriors will need access to systems and data as if they were connected to the corporate network over the internal network.
It is absolutely essential that their connections are secure, both from access at the client end, and from man-in-the-middle attacks. This objective can be achieved using virtual private networks and secure encryption technology. There are several application packages that can be used to create the VPN and provide authentication and encryption. Some configuration work will be needed at the host end to manage authentication and secure routing.
Casual visitors and e-commerce clients will use a webpage interface. It is essential that this is a secure (https://) connection. Behind this, a validation process is used for returning customers, and a registration process for new ones. The key point, particularly with e-commerce payment information, is that it is held as securely as possible. Customers must feel secure in handing over their financial information.