Enterprise Security: How to Defend Against Your Biggest Threat
As Alexander Pope wrote centuries ago, “to err is human”. There is no denying it is true; in fact, it is a flaw that hackers depend on, and sadly we haven’t failed them yet. A report by Kaspersky Lab states that:
When it comes to the human factor, sensitive data suffers the most. Around nine in ten SMBs (88%) and enterprises (91%) that have experienced a data breach affecting the public cloud infrastructure they use said social engineering was part of the attack.
It’s also true that your defense is only as strong as your weakest link. So when we talk about securing enterprise assets in the age of the Internet of Things (IoT), we are really talking about securing the enterprise from ourselves. Well, it’s time to fight fire with fire and make our weakest link our strongest asset. It starts with following some well-defined, tangible security best practices; then you enlist your employees with some modern-day marketing.
Device Security
Start with your devices. Identify, profile and secure what you can. For example, if devices run unattended, make them tamper-proof or, at the very least, tamper-evident. Also, consider requiring several authentication factors to be met before physical access is granted. For those devices you cannot secure, such as vendor devices and IoT devices, develop and enforce security policies.
Keep software patches on these devices up to date where possible. Some of these devices cannot be updated at all; find this out before you install the device on your network. If you do decide to install such a device, additional security measures will be required around authentication and around scrutiny of the transactions and data it handles.
Network Security
It’s still important to deploy security at the network and transport layers, such as encryption and configuration management, because communications between devices can be intercepted and misconfigured devices can be exploited. However, it is also important to recognize that “the network” is far more porous than it once was.
With a seemingly endless stream of IoT devices hitting the network, security must encompass not only what device is accessing the network, but who is on the other end of that device. Identity and access management provides a digital identity for each individual, allowing you to grant, track and report on user activities as well as enforce security policies in real time.
Securing the Data
IoT devices will undoubtedly send and receive sensitive or personally identifiable information. Therefore, it’s crucial that you understand the way your IoT devices interact with your organization’s data. Monitor the data requested and generated by these devices to ensure it is in the expected format and to flag unusual activity. In addition, your enterprise should employ current encryption technologies for data traveling in and out of your enterprise as well as in and out of the IoT devices.
Audit Trails and Reports
It is imperative that you are collecting and analyzing all the details you need to maintain an effective security strategy. With the proper audit trails in place, you can obtain details and report on the current state of hardware and software, data availability, encryption, and compliance. Only by constantly monitoring what is normal can we see what is not normal. And with proactive analysis, you will be able to demonstrate that your security controls are actually in use, rather than merely documented.
Security Policies
Yes, documentation is mandatory. However, the scope and level of detail of these policies are an exercise in risk management, balancing documented policies and procedures against a mix of security technologies and auditable workflows and processes.
Here are some areas to consider:
On-boarding policy on acceptable use of the organization’s IT assets as well as any specific constraints on those assets.
Access control policy that includes standards for user access, network access and system controls as well as password requirements. Remote access should also be addressed: detail acceptable methods of remotely connecting to the organization's internal networks as well as policies on the use of personal devices (BYOD) with the organization’s assets. Give extra consideration to BYOD assets and their ability to connect to the organization’s internal networks from insecure network locations, such as a coffee shop, airport or home network.
Guidelines for email, social media and other communication channels that detail what is considered the acceptable (and unacceptable) use of any corporate communication channel or technology.
Change management controls that outline the process for changing any IT asset.
An information security policy that lists specific rules, regulations or compliance on sensitive data to which the organization must adhere and to which both the organization and individuals will be held accountable.
Incident response procedures that outline the organization’s approach to, and management of, an incident, including remediation.
Disaster recovery plans should consider how the above security policies can be maintained during times of crisis and what, if any, exceptions to those policies can be made and when, as well as who can grant that exception.
Penetration Testing
This practice can seem counterproductive when we are highlighting human error. After all, it’s more than likely a human was the one who opened the door for the hacker, and no one likes to be singled out as having made a mistake. However, how else can you determine how well your organization is defended? The answer is that you really can’t.
Your IT group is more likely to gain an enemy than a friend if a failure is not handled properly, so approach penetration testing with a healthy dose of empathy for anyone who fails the test. After all, have you ever made a poor decision before that first cup of coffee? Understand that while this person or group of people made the fatal mistake, anyone in the organization could have made the same one. It is not just a lesson for one, but a lesson for all.
Also, be prepared for the results, because the number of flaws found may be overwhelming. Remember the IT group is human too. With today’s ever-sprawling, multi-faceted web of IoT devices across the enterprise network, it is increasingly hard for IT to keep all of it locked down. As with everything IT related – minimizing network downtime, keeping network performance steady, deploying new releases and software updates – working through the list of discovered flaws is an exercise in risk management.
Social Media Marketing Campaign
Yes, a social media marketing campaign for enterprise security. Think about it. Companies like Facebook, Amazon, and YouTube influence our beliefs, buying habits and behavior with their algorithmically generated selection of news, product ads, and videos. Celebrity, politician and Fortune 500 CEO endorsements sway votes and attract brand adoption. Even Instagram Influencers have the ability to direct our social efforts and spending dollars.
Why can’t an organization use social media to mobilize its own employees into a loyal, vigilant security community – to “buy” the enterprise security brand? The answer is that it can.
A brand is not just a logo, but the mental and emotional connection your customer has with your product. Basically, to get people to become loyal to your brand, they need to feel good about it. In an internal context, you will not gain loyal followers if your employees think you are tracking their every online move looking for violations of security protocols. Instead, you need to become a security influencer, and that means creating meaningful content for them to consume.
This does not mean creating content for the sake of having content. Tweeting the latest security policy will not interest followers, let alone engage them. Your followers are looking for something more personal, authentic, and easily consumable. You also need to be transparent. Right upfront, you need to tell them what this campaign is all about.
Remember that employees have no choice but to follow the security procedures dictated by the organization. They do, however, have a choice in the amount of personal investment they are willing to make, and that is where you have the greatest influence.
Provide content that is valuable to them, not just to the organization. Give your followers information that will help them:
Understand the security and privacy implications of the latest trending apps,
Learn which apps have been found to have security issues,
Make sense of privacy settings for popular apps,
Secure everyday IoT devices like refrigerators and baby monitors,
Review the latest smartphone software update,
Find fun ways to create effective, strong passwords they can remember, or
Weigh the pros and cons of security questions,
and they’ll be sure to keep coming back for more. Read and respond to any feedback!
When you encourage engagement and spark conversation, you promote unity. It’s no longer just about securing the organization; it’s about securing our community. Then keep empowering your employees by encouraging them to share content or, even better, to create it. User-generated content helps engagement and further builds the community around your security brand.
Adults today research everything online. They are also sharing, liking, pinning, tweeting, snapping and commenting on their findings with the online communities to which they belong. If you share their content, you are interacting with your community on a personal level and increasing your authenticity. Also, security brings peace of mind, not just for the organization, but for the personal lives of the employees as well. People contribute to causes they believe in, causes that make their lives better, and are thus more invested in the outcome.
Security best practices are crucial to any organization, but your security measures are bound to fail miserably if you do not consider the human element. You will never be able to eliminate human error; however, you can improve your odds against a breach by building an engaged, committed security community. After all, there is strength in numbers, and your people will fight harder for something that matters to them.