Business IT Security 101
As the cyber threats facing businesses keep multiplying, owners are asking "what should I do to protect my business?".

Let's break this down.

Step 1 – Understanding your Risk and Exposure

Before you can fix the problem, you must identify it and its depth. In this case, the first step to securing anything is understanding the exposure. Ask yourself the following questions:

  1. Where does my data reside? ie in the cloud or on-premise,
  2. Who is the data owner? The owner is always the one responsible for the data, so is the data yours or are you storing for a client?
  3. Who is the custodian? The custodian, stemming from the word custody, is responsible for the custody, including the safekeeping, maintenance, and transport
  4. How is it accessible?
  5. Who is responsible for managing the access, such as provisioning new users and the termination of old accounts.
  6. Do any 3rd party vendors have access to my data?
  7. Is the data encrypted?
  8. If there is a breach how would I know about it and what responsibilities do I have to disclose it?
  9. Am I held by any compliance requirements and/or regulatory bodies?
Step 2- Identify the GAPs in your existing security plan

I have performed numerous security assessments where I have to ask the business how a particular application works. They always point me to the IT guy, who shows me how it works under normal conditions. My first question is, "what if the main access method doesn't work, can you get in another way"? Almost invariably I found that even when the primary method is secured by a unique user ID and password, locked down to be accessible from trusted endpoints only, utilizes 2FA, and etc; the backup method is a username and password and accessible from everywhere. When asked why it's been set up this way, the answer is always the same, because we can't afford any downtime.

If the answer for alleviating downtime is the reduction of security then what is the plan if you are hit by ransomware? The reason I point this out is to help business owners view their business not as an asset to investors or clients but as a target to criminals. To put in crude terms if something is worth having, to someone it may be worth stealing.

Let's tie this back to a physical analogy to explain the issue. If you were a jewelry store you would undoubtedly have a reinforced door, a strong lock, CCTV, burglar alarm system, monitoring and etc. But if your front door had 3 locks would you only put one lock on the back door? Would you tell yourself that if one of those locks got jammed you may need to get in urgently to open the business? Of course not. You would see the real risk associated with a break-in because it's tangible. The inherent problem with IT Security is that it is intangible. Fixing that which you can not see is a challenge, but thinking about it from the point of view of an attacker is the best strategy a business owner has.

Step 3 – Plot a course for correcting the issues you discover

Once you discover missing safeguards, controls, policies or procedures you can plot a course for correction and prioritize as your budget and personnel allow. This is a good time to engage the help of a 3rd party because you can now assign specific tasks and subdivide responsibilities. It is critical to remember though, that the party ultimately responsible for the business's security and due diligence remains the business owner so be sure to properly vet any 3rd parties to ensure they are following good security practices themselves.
Follow Iospa Tech LLC on Instagram, Linkedin, and Youtube
Made on