Prime Factors Blog

Closing the Gaps in Your IT Security: Tips to Get Everything Under Control

Posted by Patrick Riley on Aug 15, 2016 10:00:00 AM

No one wants to go in front of a boardroom or a managerial meeting and say the company's network is at risk from large-scale threats, and that there need to be major changes. It either means that an IT expert is accusing the people who make decisions of being short-sighted in some way, or it means admitting that they haven't done what's necessary to secure the infrastructure. However, as uncomfortable as this conversation may be, it is far better to deliver this report than the one announcing that the company has been breached. The silver lining here is that there are a variety of options to begin tightening up your security, and we'll give you a few tips you can take to the bank.

To learn how encryption can lower the cost of regulatory compliance while enhancing security, download our white paper Reducing the Cost of Regulatory Compliance with Encryption 

Start Small

Organizations that are breached can go months before they even know it's happened to them. Meanwhile, hackers can do major damage to the company, customers, and affiliate organizations. Some viruses actually lie in wait like a predator in the wild until they sense a computer is at its most vulnerable. In your case, perhaps you need to start looking at the equipment and the current security you have to evaluate its performance. Firmware is typically considered outdated within 12 months of purchase. If you don't perform updates on a regular basis or haven't upgraded your software for a while, then you should be aware of the types of risks associated with this. If you're using some sort of array of open-source platforms, out-of-the-box solutions, as well as a random collection of hardware that has been accumulated over the years, then you'll need to start thinking about tightening up your security into a more cohesive framework.

Get a Handle on the Real Issue

Understanding the problem is a part of figuring out the best way forward, and even the most skilled of engineers may have a hard time identifying the underlying issue. This may stem, in part, from having different people working on different areas of the network, coupled with a lack of communication. It may just be that there's simply too much happening within the network that goes unchecked. Your first step will be singling out what needs work, and then keeping all solutions as simple as possible. One thing that might help is to perform your own gap analysis on how employees are working with the system. Also, asking them directly about what they don't understand might help you pinpoint the problem.

Practice Until it Hurts

If a hacker can learn something new every day, that means that your staff can (and should) too. This one is going to be hard to implement because you'll have to provide or enable regular training, ideally every few months or so, and potentially even more frequently. Newer engineers or developers may have learned all the recent coding strategies, but they may not have the experience yet to really understand the bigger picture. Older engineers with lots of time under their belts may be able to understand the higher level concepts far better, but may only have limited awareness of what's up and coming in their field. It will take a collaboration between older and younger engineers, as well as trainers who are able to impart their wisdom to the group in small, easy-to-grasp chunks. It also gives people a chance to open up to each other about what they've seen inside the network. If there is resistance among your staff, try reminding them of what's happening in the wider world when it comes to breaches, and about how much an infiltration could spell major trouble for everyone's jobs.

Mobile Problems

Another major problem that companies may overlook is just how much an employee may be at risk when on the move. Some companies do everything possible to secure their own connections within a company, and are then blindsided by one executive at the airport checking his work email before he gets on a plane. While you can only regulate the high-level employees' behavior so much, you can encourage them to be more careful about what they do whenever they're handling sensitive company information. This is particularly important for those dealing with PHI and HIPAA laws, as the regulations governing health data are incredibly strict. Much of what you can do for those at the top of the company chain should involve education, but if you have a lot of mobile employees, you can also start stripping down their devices so they only perform the functions required for their job. With mobile device management, you can start disabling the features that are most likely to lead to a breach.

Inactive Account Management

If you work with PII, then you likely have all types of accounts at various access levels for both your customers and employees. It's the inactive accounts that are most likely to be exploited by hackers in a number of ways. You may especially encounter this in cases where you had a somewhat hostile end with a former contractor or full-time staff member. They may already know the weaknesses in the system and can use them to take advantage of a company's sensitive information. Any account access should be denied immediately (i.e., deleted or disabled) for the employee who exits your company, regardless of circumstances. You should be monitoring all accounts on your network, and who is logging into them. You should have ways to generate failed login reports for deactivated accounts or alerts set up for IT to perform further investigation. If there's any type of odd behavior, like people logging in at all hours of the night, that should be flagged as well.
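The report described above can start as a small script run over an exported authentication log. The following is an added example, not code from the original post; the log format, account names, disabled-account list and business-hours window are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample records (not real logs): timestamp, account, result, source IP.
SAMPLE_LOG = """\
2016-08-10T09:14:02 jsmith SUCCESS 10.0.4.21
2016-08-10T02:47:55 mlopez SUCCESS 10.0.7.3
2016-08-10T11:30:10 contractor7 FAILURE 203.0.113.9
2016-08-10T11:30:41 Contractor7 FAILURE 203.0.113.9
2016-08-10T23:05:00 old_admin SUCCESS 198.51.100.4
truncated-record-without-fields
"""
DISABLED_ACCOUNTS = {"contractor7", "old_admin"}  # assumed export from the directory
BUSINESS_HOURS = range(7, 19)                     # assumed policy: 07:00 to 18:59

def parse(line):
    """Return (when, account, result, source), or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return when, parts[1].lower(), parts[2].upper(), parts[3]

def audit(log_text, disabled=DISABLED_ACCOUNTS, hours=BUSINESS_HOURS):
    """Return (findings, skipped): alerts plus the count of unparseable lines."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        if rec is None:
            skipped += 1  # surface parse failures instead of hiding them
            continue
        when, account, result, source = rec
        if account in disabled:
            # Any attempt on a disabled account is suspect; a success means
            # the account was never actually shut off.
            severity = "CRITICAL" if result == "SUCCESS" else "HIGH"
            findings.append((severity, "disabled-account-login", account, source, when))
        elif result == "SUCCESS" and when.hour not in hours:
            findings.append(("MEDIUM", "off-hours-login", account, source, when))
    return findings, skipped

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG)[0]:
        print(*finding)
```

Account names are lowercased before comparison so that a case variant of a disabled account name is still matched.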

Think Like a Hacker

One of the best ways to stop a thief is to become a thief. With this piece of advice, you should be scanning your network repeatedly and figuring out how it responds if you try to penetrate your own security systems. Companies like Apple pay huge sums of money to people to hack into their systems so they can work out the kinks before software is released to the public. You should be testing out how visible your network is, and checking all of your open ports to see which ones may be leaving your information exposed. The key here is to be relentless and to make moves that seem unorthodox. You can bet a hacker out there has tried it all.

Write Better Policies

Policies not only help people understand the specifics of how an organization functions, they also help keep expectations clear for future employees. Policies need to change as quickly as hackers change, which bears repeating given how many companies are unable to keep up with advancements made within the white hat and black hat hacking communities. Security is about ensuring only authorized people are able to see the information you're providing, and these policies can go a long way when it comes to working out a routine in keeping things updated and closed off to outsiders.

Use EMV Card Technology

One of the most common ways people are leaving themselves open in their network is by continuing to employ swipe machines at their establishment. It has become so easy to steal from merchants who use them. It’s as simple as purchasing an inexpensive skimming device and applying it to your credit card machinery. From major airlines to the smallest gas stations, company owners are allowing their customers the chance to make countless transactions based on shoddy technology. The magnetic strip was developed for credit cards many years ago, and hackers have had a lot of time to understand its fundamental flaws. EMV chip cards may not only save your business if you do happen to come under attack (because you won't be held liable for charges made by criminals), but they just might stop hackers from succeeding to begin with. A hacker who does manage to get to the information won't be able to reuse that information, because they'll simply get a one-time code that was associated with a customer's particular transaction.

Take Advantage of Encryption and Tokenization

These two techniques are among the most foolproof ways to lock up your network gaps, because they don’t allow hackers to see the information they might steal. Encryption works with the principles of key management, meaning that you'll need to have specific policies around who has access to the specific keys that decrypt information. Depending on the circumstances of your organization, this could get messy. For example, if you are a large company, turnover may be high enough that you would prefer not to have to change the key management structure very often. Tokenization, another method of cryptography, introduces random strings of information into your financial data or PHI as an option, so hackers are unable to access whatever they receive at the time of the hack. There are plenty of options for encryption software available, but encryption and tokenization software are as vulnerable as any software to bugs, penetration, or obsolescence. You need to choose a company that is continually adapting to new methods of attack and develop a relationship with a partner who can give you a heads-up about what new threats are on the horizon.
