So you’re in charge of cyber security, part the 2nd
A couple of weeks ago I wrote a post giving some advice on what you should do first if you find yourself in charge of cyber security at your organisation. You can read it here. I thought I’d follow up on that post with some suggestions for what you can do next, how you can begin to prioritise your actions, and how to decide where (or if) to spend some money. If you’ve followed the recommendations in the previous post you should now have an idea of how information moves around your organisation, and between you and your customers, suppliers and so forth. You should have an idea of how well managed your infrastructure is, and, from the help desk, an idea of how security literate (or otherwise) your staff are.
Now obviously I don’t know the answers to those questions for your organisation, so if for instance it turns out your staff are always finding USB sticks in the car park and plugging them into their work computers, you might want to hit that as a priority. But broadly, I’d suggest prioritising along these lines:
A well managed infrastructure is a secure one (or at least, a more secure one). If asset management and patching are out of control, start there. Work out what you have installed where. Be specific – what versions of what operating systems and software. Record all this, and then hit the vendor sites. Check to see if you are on the latest versions, and if not, whether newer versions were released to fix security issues. If you can automate updates, do so (it comes with some risk – in an ideal world you’d test before rolling updates and patches across your organisation, but I’m making the assumption you don’t have huge resource and suggest that this is the better course of action). You might be able to sign up for notifications from vendors when they release new versions of software, or when security issues are discovered.
If you are running old hardware and/or software which is no longer supported then you need an upgrade path. If you have limited budget (and who doesn’t?) spend here first.
If you do have some budget, you can automate some of this with a vulnerability scanning tool. Have a look at Nessus as an example (author’s note: other vulnerability scanning tools exist). Commercial vulnerability scanners like this are pretty easy to use – they usually come with a host agent of some description (a small piece of software that you install on all your computers), which means they can tell exactly what is installed and cross-check it against big databases of vulnerabilities.
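To make the “record what you have, then check it against the vendor” step concrete, here is a small audit script. It is an added example, not code from the original post or from any scanner vendor; the inventory, product names, version numbers and support dates in it are all constructed for illustration. It shows two things the paragraph above glosses over: version strings must be compared numerically (as plain strings, “1.8.9” sorts after “1.8.10”), and the output should be ordered so that unsupported software, which needs an upgrade path rather than a patch, comes first.

```python
"""Audit an asset inventory against vendor release and support data.
Added example, not from the original post; the inventory and the vendor
table are constructed for illustration (products and dates are invented)."""
from datetime import date

# Constructed inventory: (hostname, product, installed version).
INVENTORY = [
    ("fileserver-01", "exampleos", "10.2.1"),
    ("laptop-07", "exampleos", "9.4.0"),
    ("web-01", "examplehttpd", "1.8.2"),
    ("web-02", "examplehttpd", "1.8.4"),
    ("laptop-12", "legacyapp", "3.0"),
]

# Constructed vendor data: latest release and the date support ends.
VENDOR = {
    "exampleos": {"latest": "10.2.3", "supported_until": date(2026, 1, 1)},
    "examplehttpd": {"latest": "1.8.4", "supported_until": date(2025, 6, 30)},
}

# Lower number = deal with it first.
SEVERITY = {"unsupported": 0, "unknown": 1, "outdated": 2}


def parse_version(v):
    """'1.8.10' -> (1, 8, 10). Compare numerically: as strings
    '1.8.9' > '1.8.10', which would hide an outdated install."""
    return tuple(int(p) for p in v.split("."))


def audit(inventory, vendor, today):
    """Return findings as (hostname, product, version, status, detail),
    ordered so the items to spend on first come first."""
    findings = []
    for host, product, version in inventory:
        info = vendor.get(product)
        if info is None:
            findings.append((host, product, version, "unknown",
                             "no vendor data; confirm it is still maintained"))
            continue
        if today > info["supported_until"]:
            findings.append((host, product, version, "unsupported",
                             f"support ended {info['supported_until']}; needs an upgrade path"))
        if parse_version(version) < parse_version(info["latest"]):
            findings.append((host, product, version, "outdated",
                             f"latest is {info['latest']}"))
    # Unsupported first, then unknown, then merely outdated; stable by host.
    findings.sort(key=lambda f: (SEVERITY[f[3]], f[0]))
    return findings


if __name__ == "__main__":
    for host, product, version, status, detail in audit(INVENTORY, VENDOR, date(2025, 9, 1)):
        print(f"{status:<11} {host:<14} {product} {version}: {detail}")
```

In practice the inventory would come from your management tooling or a scanner agent and the vendor table from the vendors’ release pages or notification feeds; the point is that once both exist in machine-readable form, the “are we current and still supported?” question becomes a report you can rerun every month rather than a one-off exercise.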
Check you have antivirus – at least two layers, running different products on each. Have one product running locally on all machines, and have a separate product scanning email.
Review your cloud usage. Does everyone use their own Dropbox? I’d recommend deciding on a service, and signing up for proper commercial use, and then allocating your staff accounts. It means you keep everything under your control, and can revoke access when people leave. I’ll cover considerations for cloud service use in a future post.
Ransomware is a big problem right now – malicious software that encrypts your files and extorts you to get them back. Review your backup process. Test it – make sure you can actually recover documents. Is once a day enough? Partition what people have access to – ransomware can encrypt network drives that the user has mounted. So do some segregation and only give the finance people access to finance related files etc. It limits the damage should the worst happen.
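“Test it – make sure you can actually recover documents” is easier to say than to do consistently. The script below is an added example (not from the original post) of a repeatable restore drill: at backup time it writes a manifest of SHA-256 hashes alongside the copies, and after a restore it checks every file against that manifest, so a document that is missing or came back with different contents is reported rather than trusted. The sample documents, directory names and the deliberate corruption step are all constructed for the drill.

```python
"""Backup-and-restore drill with an integrity manifest.  Added example, not
from the original post.  It creates constructed sample documents, backs them
up together with a SHA-256 manifest, restores them, verifies the restore,
then tampers with the restored copy to show what a failed drill looks like."""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large documents do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(src, dest):
    """Copy the src tree to dest and write dest/manifest.json mapping
    relative path -> SHA-256 of the file as it was at backup time."""
    manifest = {}
    for root, _, files in os.walk(src):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src)
            target = os.path.join(dest, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(full, target)
            manifest[rel] = sha256_file(full)
    with open(os.path.join(dest, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_restore(restored, manifest):
    """Return a list of (relative path, problem) for every file in the
    manifest that is missing from the restore or whose hash differs."""
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(restored, rel)
        if not os.path.exists(path):
            problems.append((rel, "missing"))
        elif sha256_file(path) != expected:
            problems.append((rel, "hash mismatch"))
    return problems


def run_restore_drill():
    """Constructed end-to-end drill. Returns (problems_after_clean_restore,
    problems_after_tampering) so the two outcomes can be compared."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "finance")
    dest = os.path.join(work, "backup")
    restored = os.path.join(work, "restore")
    os.makedirs(src)
    # Constructed sample documents standing in for a departmental share.
    with open(os.path.join(src, "invoices.csv"), "w") as f:
        f.write("id,amount\n1,100\n2,250\n")
    with open(os.path.join(src, "budget.txt"), "w") as f:
        f.write("Q3 budget draft\n")

    manifest = backup(src, dest)
    # "Restore" = bring the backup copies back somewhere and check them.
    shutil.copytree(dest, restored, ignore=shutil.ignore_patterns("manifest.json"))
    clean = verify_restore(restored, manifest)

    # Simulate a bad restore: one document scrambled, one not restored at all.
    with open(os.path.join(restored, "budget.txt"), "wb") as f:
        f.write(os.urandom(32))
    os.remove(os.path.join(restored, "invoices.csv"))
    tampered = verify_restore(restored, manifest)

    shutil.rmtree(work)
    return clean, tampered


if __name__ == "__main__":
    ok, bad = run_restore_drill()
    print("clean restore problems:", ok)
    print("tampered restore problems:", bad)
```

Keep the manifest with the backup (and ideally a copy somewhere the backup job cannot overwrite), because a manifest written from already-encrypted files will happily verify an already-encrypted restore; comparing manifests across successive backups is a cheap way to notice that a large number of documents changed hash at once, which is what a ransomware run looks like from the backup side.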
Despite me listing them second, people are key to your security. Train them to be paranoid. Explain why security is important, and all the terrible things that can happen when it goes wrong. Make people aware of their responsibilities to your company, customers and their data. Get them paranoid about email, and give them somewhere to report anything suspicious. As a security person I can attest it is many times better to have to deal with false positives than it is to have to clean up when someone opens something malicious. We have blogged before on dealing with suspicious email.
Security specific stuff
Ok, so you’ve got a well managed network. You know what you have installed. You’ve sorted your cloud usage, and everyone is terrified of email. Great. Basics sorted. What else can you do? Next steps can include a web filtering product of some description, which inspects content as people browse and blocks potentially malicious websites (there are plenty of enterprise and small business products to choose from). An ongoing awareness training programme is also a good idea – you can be imaginative too. There are companies that you can pay to phish your staff for you, and provide instant training when they get taken in.
You can consider security monitoring – deploying software and hardware that monitors your network and website for signs of malicious activity, and can alert you when things go wrong. We’ve talked about incident response before, and knowing something bad is happening is obviously key. It’s also far better to know you’ve been hacked, or that someone is trying to hack you, so you can do something about it. Too many compromises go undetected for long periods of time (or are only uncovered when the stolen data turns up on the front pages).
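To show what “alert you when things go wrong” looks like at the smallest scale, here is an added example (not from the original post) of a detection rule run over log lines. It keeps a sliding window of failed logins per source address and raises one alert when a source passes a threshold, then raises a second, higher-priority alert if that same source subsequently logs in successfully. The log lines, the field layout, host and user names, and the addresses (drawn from the documentation ranges) are all constructed for the example; a real product does the same thing against your real logs, at scale and continuously.

```python
"""Failed-login burst detection over sample log lines.  Added example, not
from the original post.  The log format and every line in LOG_LINES are
constructed; the addresses are from documentation ranges."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one burst of failures from a single source that
# ends in a success, one ordinary user mistyping a password twice, and a
# malformed line to show the parser does not choke on it.
LOG_LINES = """\
2024-03-04T09:15:01 host=vpn-gw user=alice src=203.0.113.7 result=FAIL
2024-03-04T09:15:03 host=vpn-gw user=bob src=203.0.113.7 result=FAIL
2024-03-04T09:15:04 host=vpn-gw user=carol src=203.0.113.7 result=FAIL
2024-03-04T09:15:06 host=vpn-gw user=dave src=203.0.113.7 result=FAIL
2024-03-04T09:15:09 host=vpn-gw user=erin src=203.0.113.7 result=FAIL
2024-03-04T09:15:12 host=vpn-gw user=frank src=203.0.113.7 result=FAIL
this line is not in the expected format
2024-03-04T09:15:20 host=vpn-gw user=admin src=203.0.113.7 result=SUCCESS
2024-03-04T09:16:00 host=vpn-gw user=gina src=198.51.100.22 result=FAIL
2024-03-04T09:16:10 host=vpn-gw user=gina src=198.51.100.22 result=FAIL
2024-03-04T09:16:20 host=vpn-gw user=gina src=198.51.100.22 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_login_bursts(lines, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window rule: alert once per source when it reaches `threshold`
    failures inside `window`; escalate if that source later succeeds."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    burst_sources = set()
    alerts = []
    for ev in map(parse, lines):
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "FAIL":
            q = recent[src]
            q.append((ev["ts"], ev["user"]))
            while q and ev["ts"] - q[0][0] > window:
                q.popleft()
            if len(q) >= threshold and src not in burst_sources:
                burst_sources.add(src)
                alerts.append({
                    "kind": "failure_burst", "src": src, "count": len(q),
                    "first": q[0][0], "last": ev["ts"],
                    "users": sorted({u for _, u in q}),
                })
        elif src in burst_sources:
            # A success from a source already flagged is the alert to act on.
            alerts.append({
                "kind": "success_after_burst", "src": src,
                "user": ev["user"], "host": ev["host"], "at": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_login_bursts(LOG_LINES.splitlines()):
        print(a)
```

The second alert type is the one worth paging someone for: a burst of failures on its own is noise you will see every day on anything internet-facing, but a success from the same source is the point at which “someone is trying to hack you” may have become “you’ve been hacked”, and that is exactly the window in which knowing early lets you do something about it.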
I hope that is of some use. As you can see, a lot of what constitutes good cyber security does not actually require a specific cyber security solution. Anyone who tells you they have a black box (which will no doubt be expensive) that will solve all your cyber woes is selling snake oil.
Comments, thoughts, rants, get in touch. Otherwise, thanks for reading!