We have all heard about the dramatic increase of cyberattacks from criminals who want to steal customer data they can sell, steal corporate secrets, or perhaps access your business partners’ networks. DDoS and ransomware attacks designed to extort money are also on the rise, while malware and phishing attacks remain high on the CISO’s list of things that keep them up at night.
Perhaps you’ve wondered if you might be next. If you haven’t, you should. Every company, from small, one-person consultancies to multinationals, is attacked regularly for a variety of reasons.
Have you considered having your network tested to see if you have a cybersecurity vulnerability? Here are some questions you might want to consider. If you can say “no” to more than just a few of them, it might be time for a security assessment.
- Do you know where all of your data is? This includes data that might be stored on servers, in the cloud, on mobile devices, in backups that might be onsite or off, in your business partners’ networks, or perhaps on a system or external disk drive that you’ve forgotten about but that is still attached to your network.
- Now that you know where your data is, do you know what data is on each device? You might have highly confidential data stored on a cell phone, laptop or server that does not have sufficient defenses — or perhaps any defenses at all.
- Do you have policies that determine where data is stored, how it is stored (encrypted or not), who has access to the data, and who has access to the network segment where that data is stored?
- Do you have sufficient layers of identity management to keep out those who have no reason to access your data?
- Do you protect your data with multifactor authentication and layers of identity controls to ensure that only someone who has the proper personal credentials to access the data can see or change it? Remember, not everyone with the same job title needs the same access.
- Are your users limited to the least privilege needed to get their jobs done? Not every user needs administrative access, nor should every user be able to reach data they have no valid need to access.
- Are you certain that every device on your network, be it a workstation, server, router, gateway, or any other device, has had its username and password changed from the default?
- Do you have policies in place that require ports that are not essential to day-to-day business be shut down so that they are invisible to anyone off the network?
- You have a lot of devices that generate log files. Do you currently use automated tools that collect and scan the log files and report anomalies in a format that you can actually use?
- Do you have policies in place to identify and protect shadow IT resources connected to your network?
- Do you have written policies that prohibit an employee from allowing another individual to enter a secure area without first having their ID verified? This includes everything from holding a door open to someone whose hands are full of boxes to allowing another known employee to “tailgate” on another employee’s badge swipe or ID.
- Have you created an Internet acceptable use policy that employees are required to read and sign annually so that they know what is expected of them and what they are allowed and not allowed to do on the company network?
- Have you created an acceptable use policy for corporate-owned mobile devices?
- Have you created policies that inform your employees how and when they may use personal devices on the corporate network? These policies might contain requirements for personal devices to be configured by the corporate IT department with separate storage for personal and company use, along with software that allows the company to wipe company data should the device be lost or stolen.
- Do you have a clear-desk policy that requires employees to lock away data at night so that potentially confidential data is not left out when the employee is not at their desk?
- Do you have policies and procedures in place for the software change management that must be done on a regular basis?
- If your company is required to meet government or industry regulations, do you employ an approach where security is more important than compliance, or one where compliance is more important than security? The latter is sometimes called the Checkbox Approach, where the boxes necessary to pass a compliance audit are checked regardless of their impact on the company’s overall security profile.
- Do you provide training to your staff to ensure they are up to date on all appropriate security and compliance requirements?
- Do you run unannounced tests to ensure that the staff is meeting compliance requirements?
- Do you have a process for staff to communicate potential compliance problems up the chain of command?
On-boarding and off-boarding employees
- Do you make a point of training new hires in your data security policies and procedures?
- Is this training done only once or are training resources available to employees throughout the year?
- Do you have a process to measure the effectiveness of your security training on new and established employees?
- Have employees been instructed that the company policy requires them to challenge strangers or unescorted visitors, even if that stranger turns out to be a company executive they do not know?
- Do you have a policy to do exit interviews to ensure that all company property, especially property that contains data storage, is returned before an employee leaves?
- Do you have a policy to ensure that all accounts of exiting employees are disabled the same day an employee leaves the company?