With all of the threats in the cyber world today, all companies should follow a valid IT security plan. Whether you work with ICS on our 6 Point IT Security Plan or you work with another vendor or internal IT, remember that negligence in protecting customers’ data can carry stiff financial penalties. As the old saying goes, failing to plan is simply planning to fail.
What Are the 6 Points?
ICS views minimum standard security for companies from 6 different viewpoints. Keep in mind that this is the minimum recommended security plan for an organization. Financial institutions or companies housing large amounts of sensitive customer data should deploy further methods to protect their users.
Security Point 1- Cloud Based Protection
ICS is a big proponent of protecting a company from threats before they ever get to your office. (I apologize in advance for speaking of just one specific product, but it is the only product I am aware of that accomplishes this task.) The easiest and most cost-effective way of doing this is through Cisco Umbrella. Cisco Umbrella makes all users’ web requests go through its cloud services. How does this help? Well, by processing billions of requests for different companies, Cisco Umbrella can analyze this data and blacklist websites that house malicious data. Therefore, when you request to go to www.shouldnotgothere.com, Cisco Umbrella will block the request and the website will not resolve. Cisco Umbrella has a few more important features too.
- Once on a network, most viruses are replicated via DNS. Cisco Umbrella sees this unusually high DNS activity and blocks a virus from spreading to other areas of the network.
- A client can be loaded on remote computers to protect users’ devices while outside the office. This way, when the road warrior returns to corporate, a virus is not spread to the network. Remember, a lot of viruses sit and wait for you to join a network before trying to replicate.
- You get reporting of who goes to what website, how many times, etc., and can block each user accordingly along with blanket policies.
Security Point 2- Cloud Managed Entry Points
Cloud Managed Firewalls
In point 1, we protected your company from threats ever reaching your office. Now, we reach the first line of defense of your physical office building- your firewall.
Now, every company will say, “I have a firewall” since it is a basic network device that runs at every company. Even a Best Buy router has a built-in firewall. There is a massive problem with these firewalls though. Firewalls are security appliances. New security threats are found every day, but how often is your firewall updated? For example, just recently a security threat was found on Cisco ASAs utilizing the WebVPN feature.
If you have a good internal IT staff, they are hopefully on top of this and can probably show you the last time the firewall was updated (all firewalls can provide the last firmware update). If you are dealing with a Managed IT company and that company does not do Cloud Management of the Firewall, then you are at high risk of the firewall not being updated.
Cloud Management allows companies to auto push updates to all firewalls at the same time. These updates can be new security policies or firmware updates that specifically stop a new threat to the device. Either way, if a company has to manually go and touch each device for every customer during every threat, then it will be impossible for the company to keep this up as they grow.
Ask if your company is managing the firewall through the cloud and what software they use to do this. It never hurts to ask questions and to make sure your out-sourced IT company is properly managing the network.
Cloud Managed Access Points
Another entry point some companies ignore is the WiFi access point. This is simply another entry point to your network. For all the reasons that you install a cloud-managed firewall, you would do the same for an access point. In addition, make sure you maintain guest access (blocked from your network) separately from your corporate WiFi, which is not shared with non-corporate employees.
Security Point 3- Managed Anti-Virus
Everyone knows the importance of anti-virus. Everyone has also heard horror stories of anti-virus not protecting their network. Anti-virus is extremely important and should not be taken lightly. It is also software that needs to be updated immediately when new threats are found, and you have to make sure it is on all devices at all times.
The best way to accomplish this is through a central management dashboard for your anti-virus program. This allows you to see which computers have anti-virus installed, which are updated and, most importantly, which computers are connected to your network that do not have anti-virus installed.
Furthermore, almost all anti-virus companies have a free version of their anti-virus with no management console. This is fine for home use, but it should never be used in a corporate environment. It simply gives a false sense of security about whether or not your computer is up to date.
The last thing to consider on anti-virus is to not use the built-in Windows Defender and feel like you are protected. Most viruses are written around vulnerabilities in the OS. Microsoft is a great company but I believe in checks and balances and therefore always recommend a third party quality anti-virus company.
Security Point 4- Managed Patch Management
Remember when I stated above that a lot of viruses exploit vulnerabilities in the Operating System and you should have a third party anti-virus monitoring this? Well, the way software developers of the Operating Systems fix their vulnerabilities is through patches. Patches are software updates that are pushed to computers to keep them up to date on features and bug fixes.
The problem with patches is that they can a) be turned off and b) be ignored by the end user, since they generally require a system reboot or are otherwise disruptive. For various reasons, when users are given an option, they typically attempt to skip updates.
By utilizing a patch management software, as a company you can control what patches are deployed, when they are deployed and report on what computers are missing what patches. This is a much better method than the typical “patch all” that computers are equipped with out of the box.
For example, Microsoft could deploy an update that has fixes for 5 bugs but also forces you from IE 10 to IE 11. As a company, you are aware that your business system uses IE 10 and you are not sure if it will work in IE 11. You therefore want to deploy the 5 bug fixes and NOT the IE 11 update.
Furthermore, it is common for a manufacturer such as Microsoft to push patch updates on what is called Patch Tuesday. They then send updates to these patches on what I call “Oops Thursday” and “Sorry About That Friday” to fix the previous patch. Patch management software allows you to delay the patch update for a few days to make sure it does not have production issues but still ensure they get installed.
Finally, for patching, try to get a software that does 3rd party patching. For example, lots of software does Microsoft patches, but does the software also manage Adobe, Chrome, Firefox and other common 3rd party software? This is an important question to ask before purchasing and keeps the entire computer suite up to date.
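The deployment policy described in this section, as an added example (not ICS's or any patch management vendor's code): it holds every patch for a deferral window, skips a blocked upgrade, drops a patch the vendor has since re-released, and reports which computers are missing what. The patch ids, host names, dates and the 5-day window are constructed for illustration, and holding a superseded patch is an assumed policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Patch:
    patch_id: str          # constructed ids, not real vendor KB numbers
    released: date
    supersedes: str = ""   # id of an earlier patch this one replaces

def approved_patches(catalog, today, defer_days, blocked):
    """Patch ids cleared for deployment: past the deferral window, not
    blocked, and not replaced by a later vendor re-release."""
    cutoff = today - timedelta(days=defer_days)
    replaced = {p.supersedes for p in catalog if p.supersedes}
    return [p.patch_id for p in catalog
            if p.released <= cutoff
            and p.patch_id not in blocked
            and p.patch_id not in replaced]

def missing_report(inventory, approved):
    """Map each computer to the approved patches it has not installed."""
    report = {}
    for host, installed in sorted(inventory.items()):
        missing = [pid for pid in approved if pid not in installed]
        if missing:
            report[host] = missing
    return report

# Constructed sample data: five fixes and a browser upgrade on Patch Tuesday,
# then a Thursday re-release that replaces one of the fixes.
TUESDAY, THURSDAY = date(2024, 3, 12), date(2024, 3, 14)
CATALOG = [Patch(f"FIX-{n}", TUESDAY) for n in range(1, 6)] + [
    Patch("IE11-UPGRADE", TUESDAY),
    Patch("FIX-3-R2", THURSDAY, supersedes="FIX-3"),
]
BLOCKED = {"IE11-UPGRADE"}           # business system still needs IE 10
INVENTORY = {                        # computer -> installed patch ids
    "PC-ACCT-01": {"FIX-1", "FIX-2", "FIX-4", "FIX-5", "FIX-3-R2"},
    "PC-SALES-02": {"FIX-1", "FIX-2"},
    "PC-FRONT-03": set(),
}

if __name__ == "__main__":
    approved = approved_patches(CATALOG, date(2024, 3, 19), 5, BLOCKED)
    print("approved:", approved)
    for host, missing in missing_report(INVENTORY, approved).items():
        print(host, "is missing", missing)
```

Because the Thursday re-release arrived inside the deferral window, the original Tuesday fix it replaces is never deployed.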
Security Point 5- Regular Security Scans
You should have regular network security scans for your company. These scans should scan your company internally and externally for vulnerabilities. This should be done at least once a year and after every major project.
Why? Well, things change. For example, maybe a new software program was installed and needed access to a web based application. There was a problem getting the software running and, as part of troubleshooting, someone inadvertently opened up a super highway in your firewall vs. a pinhole. Unfortunately, this happens a lot more than you think.
Maybe a new application, installed by a third party, was not properly patched and has opened up a security threat to your network? Maybe a device is running an unsupported OS and needs to be updated? Maybe someone has domain rights who should not have them? There is an array of items that can happen throughout a year or during a project that can open up a vulnerability in your organization. The larger the company and the more critical the data, the more often these scans should be run. There are even software programs that run daily and/or in real time.
Since I did not want to bore you with a 20 point IT security plan, the security audit is kind of my catch-all to help manage a lot of the other details you need to address in your security planning.
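One check a scan can run for the "super highway vs. a pinhole" problem above, as an added example (not ICS's tooling and not any firewall vendor's format): it flags allow rules that open any protocol, a wide port range, or more than one internal address to the whole internet. The rule syntax, the addresses and the 10-port threshold are assumptions made for illustration.

```python
import ipaddress

MAX_PORTS = 10   # assumed threshold: a pinhole exposes a handful of ports at most

def _net(value):
    return ipaddress.ip_network("0.0.0.0/0" if value == "any" else value)

def parse_rule(line):
    """Parse 'action proto src dst ports' (a constructed syntax, not a vendor format)."""
    action, proto, src, dst, ports = line.split()
    lo, _, hi = ports.partition("-")
    return {"action": action, "proto": proto, "src": _net(src),
            "dst": _net(dst), "ports": (int(lo), int(hi or lo))}

def audit(rule):
    """Return the reasons an allow rule is wider than a pinhole (empty = fine)."""
    if rule["action"] != "allow":
        return []
    reasons = []
    lo, hi = rule["ports"]
    if rule["proto"] == "any":
        reasons.append("any protocol")
    if hi - lo + 1 > MAX_PORTS:
        reasons.append(f"{hi - lo + 1} ports open")
    if rule["src"].prefixlen == 0 and rule["dst"].num_addresses > 1:
        reasons.append(f"internet can reach {rule['dst'].num_addresses} addresses")
    return reasons

def audit_ruleset(text):
    """Map each over-broad rule line to its list of reasons."""
    findings = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            reasons = audit(parse_rule(line))
            if reasons:
                findings[line] = reasons
    return findings

RULES = """
# constructed sample ruleset
allow tcp any 10.0.5.20/32 443
allow any any 10.0.0.0/16 1-65535
allow tcp 203.0.113.10/32 10.0.5.30/32 3389
allow tcp any 10.0.5.40/32 8000-8100
deny any any 10.0.0.0/8 1-65535
"""

if __name__ == "__main__":
    for rule, reasons in audit_ruleset(RULES).items():
        print(f"{rule}: {', '.join(reasons)}")
```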
Security Point 6- When All Else Fails
No matter how hard we plan, there is always the risk of things going wrong. For our final point, ICS highly recommends regular scheduled backups of your data. Google how many companies go out of business when they lose their data. Better yet, here is a nice little calculator that will help you determine the cost of lost data for your organization.
The level of backups you have can vary based on how crucial your data is, how much it costs your company per hour for an outage and how easily it can be manually reproduced.
Backups can range from tape backups (makes me cringe) to full-blown disaster avoidance plans. These plans provide you access to your data within minutes and avoid downtime altogether while your issues are being resolved. Solutions like these have gone down in cost tremendously over the years and are now affordable for any size company.
Remember to plan for the protection of your data at all times. A proper IT security plan is a must for all companies. If you ever need our assistance or would like to see our security plan in action, simply contact us and we will gladly help!