Not long ago, it would have been easy to think that office security was “figured out,” so to speak. In other words, the technology was developed, and the complexity of threats was such that traditional firewalls, antivirus applications and anti-malware scanning would be able to rise to meet them — a cyclical, predictable process that generally kept an equilibrium, even if it was escalating year by year.
That equilibrium was shattered as cyber threats made an exponential jump in this decade, leaving many consumers feeling vulnerable and IT professionals feeling flat-footed as alphanumeric passwords (with at least one special character) and security perimeters quickly became antiquated ideas.
Today, securing the workplace is a complex process requiring advanced technology, cutting edge skills, strict policies, competent training and constant vigilance. Businesses are networked and interconnected like never before and there’s no one “pipe” that data flows through anymore; it’s via hundreds of thousands of devices, connected through local networks, VPN, Wi-Fi, Bluetooth and cellular connections. Add 5G high-speed networks to the mix, as well as remote employees that could be scattered across the globe, and the security perimeter starts to look more like a sieve. Unless it’s properly secured, data can slip through the cracks all too easily — or bad actors can find their way in.
And it doesn’t stop there. Ransomware attacks, spear-phishing hacks and low-tech social engineering can result in long-term consequences, both financial and reputational in nature. If you or your clients find yourselves outside of regulatory compliance (should the business be governed by any), fines may be imposed for the breach. And, once data is compromised — especially valuable personal identifiable information (PII), it will likely be sold on the dark web to the highest bidder, only to be used in future attacks.
Therefore, with so much on the line, what should you be focusing on to secure your business, as well as your clients’, in this new era of cybersecurity? Here are five essential areas to address. And, if there are any glaring gaps in your cybersecurity strategy, it may be time to partner with a provider to deliver those services.
1) Create a security-focused culture
A business with a healthy security posture doesn’t just happen overnight, nor is it achieved when thought of as a bolt-on set of systems and processes added to the status quo. In order to secure any office, best practices need to be instilled, enforced and maintained as part of the daily culture of the business. It’s not the sole responsibility of the IT manager, MSP or CISO to maintain security at all times; cybersecurity is a shared responsibility between users and IT professionals, who all must proceed with a sense of caution throughout the course of the day to ensure a level of acceptable risk is being upheld.
That standard all starts with an effective strategy that not only covers technical aspects of security, but includes continuous employee education and monitoring. With more than half of all data security breaches caused by human error, it’s vital that staff are educated on how to identify things like malicious email phishing attempts, and provided best practices for smart and safe computing, such as:
- Proper password etiquette (not using “password”; not using the same password in multiple places, etc.)
- Properly reporting phishing email attempts
- Not leaving laptops or desktops unlocked while away from the desk
- Refraining from downloading personal applications instead of using corporate-approved apps
- Ensuring user roles and permissions are properly managed
- Deleting credentials when employees leave the place of work
- Using mobile device management for certain devices routinely removed from the office
- Addressing physical data management needs, as security vulnerabilities are not only limited to the digital realm
- Access keycards should be properly recorded in an always up-to-date database
- USB drive use should be limited or eliminated, as an infected USB drive is one of the easiest ways to infect a network
- Whiteboards should be cleaned after use to prevent sensitive information being exposed to visitors, in pictures, etc.
- Digital displays and screens should be reviewed to not divulge any sensitive information as well
- Desks should be kept clean, with no passwords, notes, or printouts containing proprietary information on them
- Discussion in person and on video conference calls should be secure and confidential, in authorized secure meeting spaces
Fostering this vigilant security posture will take time and ongoing training, but will ultimately lead to a more security-focused workforce, a security-focused culture and a heightened awareness of threats.
Threats will slip through your fingers if you fail to sharpen your security knowledge on an ongoing basis.
2) Use multifactor authentication — on everything
Let’s face it: passwords aren’t going away, but they are a flawed technology, and in a world where it’s becoming easier and easier to spoof, bypass or even brute-force password-protected barriers, an added layer of security is essential to verify that 1) the login is authentic and 2) the user is who they claim to be.
Two-factor authentication (TFA) is no longer a string of numbers randomly designated by a token; today’s common TFA processes take a variety of forms, such as:
- Text messages
- Automated verification phone calls
- Connected apps
- Paired devices
- Fingerprint recognition
- Facial recognition
If two-factor authentication can be enabled, it’s likely a good idea to enable it wherever possible. It may slow down login times and not everyone will be pleased by having to take extra steps, but it can dramatically reduce simple login vulnerabilities, and expose hacks that are trying to bypass the second layer of authentication.
3) Review your device security policy
When it comes to device security, there are multiple solutions that can be enacted, but one of the simplest best practices is effective patch management, to close up known vulnerabilities and prepare for what’s next.
Laptops, desktops and servers are usually focused on in this category, but what about mobile phones, tablets and other handheld devices? Furthermore, what about multifunction printers, copiers, routers, interactive displays, conference systems and other digital hardware scattered throughout the office? Are they routinely patched with the same rigor as other endpoints?
A world covered by the Internet of Things is no longer a prediction; we live in it today, as the average number of screens per user continues to multiply. It’s possible for one user on your network to use a computer, tablet, phone and wearable device concurrently — and all must be secured to maintain a strong security posture in the office. Advanced firewall technologies and modern endpoint security can be effective, but only if the devices themselves are addressed and included in an overall strategy.
4) Have an incident response plan on file
In terms of cybersecurity, it’s better to plan not for “if” but “when,” understanding that the risk of cyberattacks is growing in the SMB space, and even the best cybersecurity solutions can never be 100% effective forever.
Therefore, you should have a detailed incident response plan on file that outlines exactly what you’ll need to do if there is a security incident. This plan should detail specific common threats and the plan for dealing with each, including multiple scenarios for each, taking into account the acceptable risk level of the business. That way, if there is no other possible recourse for dealing with a ransomware attack, for example, the implications of a full restore from backup is already understood and planned for.
Incident response plans should be reviewed and updated as needed to ensure the office has a plan for even the latest threats and can engage in bringing the network back online as soon as possible.
5) Engage a SOC for threat monitoring
For most businesses, it’s not feasible to hire and maintain security services that proactively monitor and manage their IT environment, looking for threats and vulnerabilities as they arise, mitigating them as they occur. The scope and cost of the technology, infrastructure and talent involved is far too extensive. However, by engaging a managed services provider that uses a Security Operations Center, you’ll ensure your business is being protected at all times, with trained experts using the latest and most advanced technology to keep your business as secure as it can possibly be.
A concerted effort
The days of a straightforward, one-vector cybersecurity strategy are long gone, and today, it takes a mélange of technology, services, education and cooperation to establish and maintain an effective cybersecurity strategy. Keeping an office safe from threats is a complex process, including physical and digital safeguards as well as policies that balance efficiency alongside appropriate security. It all comes down to the user, and making sure they are effectively trained on how they can do their part in keeping their work environment secure. If they understand what they can do to keep the office and network safe, and the importance of their vigilance, the business has a much better chance of withstanding the barrage of threats just waiting to strike. After all, the next security incident is always only one click away.
John Schweizer is the Vice President of the Office Equipment channel for Continuum. John has had tenured runs in key executive positions at office equipment giants like Alco Standard-IKON, Ricoh and most recently as the CEO of a Xerox owned company. He also had principal ownership in a dealership in San Diego. John currently serves as a member of the advisory board for the cybersecurity firm, Fhoosh.