Lock Down: Security Essentials: Managing loday's Risks Efficiently.
Controlling Access Risk
Though it's stating the obvious, if we can keep the cybercriminals out of our computers, networks and databases, then we can protect the data contained on each of these devices. This type of risk is known as access risk and it involves ensuring that the cybercriminals do not have physical or logical access to our systems and the data contained therein.
This means deploying common sense physical controls such as keeping your servers and other sensitive equipment in restricted-access and locked facilities such that only authorized persons have direct physical contact with these assets.
Implementing effective logical access controls is a bit more challenging than implementing effective physical access controls. Regarding logical access controls, it would be nice to think that usernames and passwords would be sufficient, but these rely on humans and we must assume that humans are going to make mistakes--mistakes that could cause their login credentials to become compromised.
Therefore, to adequately address logical access risk, you should take steps such as implementing multi-factor authentication (MFA) whenever you can do so. M FA involves logging into a device or system by using at least two of the following three items:
* Something you know, such as a username and/or a password;
* Something you have in your possession, such as a smartphone or a key fob to which an additional log-in code could be sent upon successfully entering a username and password; and
* Something you "are," such as a fingerprint, facial recognition or retina scan.
By implementing MFA through requiring a username and password in addition to an additional login code sent to your smartphone, a cybercriminal would not only have to compromise your username and password, but also would need possession of your smartphone to receive the additional login code sent to the device.
While it's not impossible that all of these conditions could materialize, it's highly unlikely and, because of this, the risks associated with logical access are significantly reduced.
Thwarting Social Engineering Attacks
Social engineering involves cybercriminals attempting to trick your team members into surrendering sensitive information--usually usernames and passwords--so that they can use that information either to further an attack or to profit directly from the information.
A common scheme is for the cybercriminal to call an individual and pose as a member of the company's information technology team, indicating to the team member that there is a "problem" with the team member's email account. The cybercriminal would go on to explain to the team member that she needs his username and password to login to the team member's email account so she can fix the problem.
Of course, once she receives the username and password from the team member, she uses it to further some other nefarious activity. Other examples of social engineering attacks involve sending emails with malicious links or attachments in the hopes that the recipient will click on these them to install malware.
To reduce the risk of social engineering attacks such as these, team members should be thoroughly trained to recognize the types of situations described above and to "just say no!" Under no circumstances should a team member ever share usernames and passwords with others, including their managers or members of the information technology team.
Likewise, under no circumstances should any individual ever ask for another team member's credentials. We must create a more security aware culture so the specific risk of social engineering attacks is diminished and that, in general, all team members have a heightened awareness regarding their role in the security regime of the organization.
Stopping Violations of Company Security Policies
Many companies have adopted various forms of security policies, including ones indicating that items such as Social Security numbers, bank account numbers and other sensitive data should never be transmitted through unencrypted email messages or stored in shared folders on the company's servers. Yet countless studies show team members ignore policies such as these at alarmingly high rates.
To prevent violations of company policies surrounding sensitive information, consider implementing Data Loss Prevention (DLP) tools.
DLP tools allow an organization to specify what type of data can be stored or transmitted through its resources. Included in virtually every DLP tool is the ability to block--among other things--outbound email messages that contain sensitive information such as Social Security numbers, credit card account numbers and other types of information that should remain private.
Many business oriented email servers and services such as Exchange Server, Exchange Online and Gmail provide built-in access to DLP tools that focus on blocking email traffic containing sensitive information. You can deploy other commercially available DLP solutions to analyze traffic across your network or data that's stored on your servers for violations of company policies.
All told, DLP is one of the best and least expensive--means of ensuring that team members comply with your company's security policies and standards.
Reducing the Risk of Ransomware
Ransomware is a particularly insidious form of an attack on your data. If you become a ransomware victim, your data will be taken hostage until you pay a ransom and, even then, you're not likely to be provided with access to your data. To reduce this risk, consider activating Controlled Folder Access (CFA), a feature that was added to Windows 10 in September. With CFA enabled, Windows protects documents in folders that you specify so unauthorized applications cannot alter these documents. By applying this "whitelisting" approach to preventing a ransomware attack, even if the ransomware gets installed onto your computer, the risk to your data remains relatively small. CFA is one of the easiest--and best--ways of mitigating ransomware risk.
Yesterday's security techniques are no match for today's risks, but that does not mean we must be resigned to accepting unnecessarily high risks. By identifying where your biggest risks are and taking a targeted approach to addressing these risks, we can mitigate them to an acceptable level. Pay particular attention to the four risks and--more important--the four solutions outlined above and you and your team will be in a better position to protect the sensitive information to which you have been entrusted. Good luck!
Thomas G. Stephens Jr., CPA, CGMA, CITP is a shareholder in K2 Enterprises, LLC, where he develops and presents CPE programs. You can reach him at firstname.lastname@example.org.
|Printer friendly Cite/link Email Feedback|
|Author:||Stephens, Thomas G., Jr.|
|Date:||Jul 1, 2018|
|Previous Article:||Cryptocurrency 101: The Wild West Taxation of Virtual Currencies.|
|Next Article:||MyFTB Improved: Security Enhancements Coming to Tax.|