In our last post on this topic, What Security Protection Factor (SPF) Does Your Business Need, we discussed how to assess your business’ protection needs. Similarly, it’s important to examine how to layer on that protection to make sure your business is well-covered.
Today’s businesses are under attack from all types of cyber threats. Here are some stats that show just how serious the situation is:
- 1 in every 131 emails includes a link to malware or has an attachment containing malware. (Symantec)
- 401 unique pieces of malware were identified in 2016, 89% of which were new. (Symantec)
- Ransomware attacks were up 36% in 2016, with the average ransomware demand rising from $294 in 2015 to $1077 in 2016. (Symantec)
- 10% of firms recorded ransomware attacks in Q1 2017. (Fortinet)
- 80% of organizations reported high- or critical-severity exploits against their systems in Q1 2017. (Fortinet)
Symantec 2016 Internet Security Threat Report
Fortinet Threat Landscape Report Q1 2017
4 Layers of Security Protection
When heading out for a day at the lake or an afternoon at the ball park, most of us bring along the sunscreen. But this is just the first layer of protection from the sun. Those who are especially susceptible to sun damage might consider additional lines of defense, such as wearing a hat or a dab of zinc oxide on their most vulnerable spots.
This same layering approach can help your organization make sure you’ve got all your vulnerable spots covered. To help organize your approach, we’ve divided these layers into four areas: people, infrastructure, security tools, and managed security.
Because of the scope of this topic, today’s article will focus on the first two: people and infrastructure. Within the next few weeks, we’ll address the remaining two. As always, if you have specific questions, you’re welcome to add them in the comment box or reach out directly.
Security Protection Layer #1: People
Some business leaders tense a bit when you tell them their people are their weakest link. We all aim to employ only the best. However, your most talented professional can sometimes be misguided when it comes to security.
Addressing this layer requires two elements: protocols and training.
Protocols include things like your approach for handling passwords. For example, you might have a policy (and systems) that require strong passwords that must be changed every six months. For an extra level of protection, you might even require two-factor authentication for sensitive systems.
As strong as your protocol may be, you need to inspect what you expect. Are the passwords your employees choose really that strong? In their 2016 Internet Security Threat Report, Symantec looked at the passwords most commonly used to break into connected devices. The password “admin” topped the list at 36.5%, followed by “123456” and “password.”
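As an added illustration (not code from the original post), the two halves of the password protocol above, a rule check when a password is set and a periodic age audit, written in Python. The blocklist is the three passwords Symantec named; the 12-character minimum and the sample accounts are assumptions for the example.

```python
from datetime import date, timedelta

# Passwords Symantec's report (cited above) found most often used against
# connected devices; treated here as a case-insensitive blocklist.
COMMON_PASSWORDS = {"admin", "123456", "password"}
MIN_LENGTH = 12                   # assumed policy value, not from the post
MAX_AGE = timedelta(days=182)     # "changed every six months"

def password_problems(password: str) -> list[str]:
    """Rules a candidate password breaks (empty list = accepted).

    Run this when a user sets a password, the one moment the plaintext
    is legitimately in hand; stored passwords should only ever be hashes.
    """
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on common-password blocklist")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    if sum(classes) < 3:
        problems.append("fewer than 3 character classes")
    return problems

def stale_accounts(last_changed: dict[str, date], today: date) -> list[str]:
    """The 'inspect' step: accounts whose password is older than MAX_AGE."""
    return sorted(user for user, changed in last_changed.items()
                  if today - changed > MAX_AGE)

# Constructed sample data, not real accounts.
SAMPLE_TODAY = date(2017, 7, 1)
SAMPLE_LAST_CHANGED = {"alice": date(2017, 5, 2),
                       "bob": date(2016, 11, 15),
                       "carol": date(2017, 1, 1)}   # 181 days: not yet due

if __name__ == "__main__":
    print("password change overdue:", stale_accounts(SAMPLE_LAST_CHANGED, SAMPLE_TODAY))
    for candidate in ("Admin", "Tr0ub4dor&3", "Correct-Horse-Battery-7"):
        print(candidate, "->", password_problems(candidate) or "accepted")
```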
Training. If you want to change an employee’s behavior, you’re going to have to make it clear what you want them to do. And, in most cases, you’re probably going to have to tell them why. How to spot a phishing email is a good example. If your employees don’t know what to look for, they can easily fall for that bogus email that looks like it comes from the CEO.
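The "what to look for" in a CEO-impersonation email, as an added Python example that is not part of the original post: it runs the same four checks a trained employee makes by eye (executive's name on a foreign address, look-alike domain, redirected Reply-To, pressure language) over a message's headers and body. The organisation domain, the executive list and the sample message are all constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed organisation settings (not from the post): own domain and the
# executives whose names are most likely to be impersonated.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
PRESSURE_WORDS = ("urgent", "wire transfer", "gift card", "confidential")

def phishing_indicators(raw_message: str) -> list[str]:
    """Return the red flags found in one message; an empty list means none."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    from_domain = from_addr.rpartition("@")[2]
    # 1. Executive's display name on an address that is not the executive's.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr != expected:
        flags.append(f"display name '{from_name}' but sender is {from_addr}")
    # 2. External domain built to resemble our own (e.g. example-corp.net).
    if from_domain != INTERNAL_DOMAIN and INTERNAL_DOMAIN.split(".")[0] in from_domain:
        flags.append(f"sender domain {from_domain} resembles {INTERNAL_DOMAIN}")
    # 3. Replies silently redirected to a different mailbox.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != from_addr:
        flags.append(f"Reply-To {reply_to} differs from From")
    # 4. Pressure and payment language typical of CEO-fraud lures.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if hits:
        flags.append("pressure/payment language: " + ", ".join(hits))
    return flags

# Constructed sample message, not real mail.
RAW_SUSPICIOUS = """\
From: Jane Doe <jane.doe@example-corp.net>
Reply-To: accounts@mail-relay.example
To: bob@example.com
Subject: URGENT - wire transfer needed today
Content-Type: text/plain

Bob, I'm in a meeting and can't talk. Please handle this today and keep it confidential.
"""

if __name__ == "__main__":
    for flag in phishing_indicators(RAW_SUSPICIOUS) or ["no indicators"]:
        print("-", flag)
```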
Security Protection Layer #2: Infrastructure
Our infrastructure discussion could cover a vast number of topics. But, for now, let’s once again focus in on two key areas.
- OS and application updates. Your first line of defense, infrastructure-wise, is the security features built into your software applications, especially your operating systems. Companies like Microsoft go to great lengths to close vulnerabilities exposed by cyber-attackers. With WannaCry, Microsoft went so far as to release a patch for older, unsupported versions of Windows.
[Related post: Immediate Action to Take in Response to WannaCry Malware]
Never assume that a piece of software is 100% secure the day you install it. Application coding is too complex and cyber thieves are too smart – so always remain up-to-date on installing a vendor’s patches.
- Device OS. It’s hard to say what the hot security topics will be in the coming months, but my guess is that device security is going to be an even greater concern than it is today. More and more devices are being used in business. It’s easy for an organization to overlook device security (especially if they have a BYOD policy) and hackers know it.
[Related webinar: BYOD: Is This Exploding Trend a Security Time Bomb?]
One way you can protect yourself is to allow only devices that have extra layers of protection built in to access your network. For example, Microsoft’s Windows 10 IoT has multiple built-in security features that can help protect the data on your devices and your network, and since it’s Windows 10, it looks and feels like the OS you use throughout your business.
In the second installment of this 2-part series, I’m going to dig into security applications such as firewalls and antivirus software as well as managed security services. I will also answer one of the most common questions: How do I know when it’s time to upgrade from an off-the-shelf application to a commercial-grade security application or managed services?
Heather Sweigert, Compliance Analyst at TierPoint, is responsible for maintaining regulatory standards throughout the company. As a key contributor to the TierPoint Security team, Heather assists in setting standard security protocols and communicating updates and audit findings.