Protection of information assets is one area that is often overlooked until disaster strikes. There are many things you should do to protect your organization's information assets; my goal in this article is to identify five that belong at the top of your list. Practitioners and advisors would no doubt debate what such a top-five list should contain.
While I was writing this article, I read a piece by Michael Hess on cbsnews.com featuring an interview with Kevin Mitnick. Mitnick's name may not be familiar, but he was at one time one of the world's most wanted computer hackers; he served a prison sentence for his misdeeds and subsequently became a computer security consultant. Given that background, he has a lot of perspective on the threats every business should be aware of. I have summarized the threats outlined in the cbsnews.com article and added suggestions on steps you can take to manage the associated risks.
1. Beware of threats from within
Threats to information assets often originate inside the organization, and many begin as simple errors. Members of your organization need to understand the risk of actions such as opening an attachment from an unknown sender or following a link posted on a social networking site. They also need to understand social engineering, which is the manipulation of human behaviour to achieve a specific purpose. For example, a call purporting to be from your help desk or support provider that asks for your password should be treated with suspicion: a legitimate support technician can reset your password and has no need to know it. For more on social engineering, I recommend Mitnick's book The Art of Deception. Awareness training is the key to addressing threats of this nature.
2. Keep desktop software up to date
According to Mitnick, hackers are well aware that businesses rarely update the software on individual workstations and laptops. Out-of-date software often contains known security flaws, and a known flaw is the easiest kind to exploit because a working exploit for it is usually already in circulation. To mitigate this risk, your information protection program should provide reasonable assurance that operating system updates and patches are applied promptly and that application software (browsers, office suites, document readers and their plug-ins included) is kept current.
3. Limit outgoing connections to those required for business purposes
Most organizations take steps to manage the risks of inbound traffic; a common example is virus scanning on the mail gateway and on desktops. Outbound connections carry risks of their own. Mitnick points out that once a computer is infected, the malware typically connects back to the attacker over an outbound connection, which an inbound-only defence never sees. His suggested strategy is to restrict the services a user can reach outside the company to those required for business purposes. This is done with outbound (egress) firewall rules that deny everything not explicitly allowed.
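As an added illustration (this is not code from the article or from Mitnick), the following Python script models a default-deny egress policy: a short allowlist of the services a workstation legitimately needs, a check that classifies a handful of constructed outbound connection records against that allowlist, and a rendering of the same policy as an nftables output chain. The policy, the addresses and the records are all hypothetical.

```python
"""Default-deny egress policy: classify outbound connections against a
short allowlist and render the same policy as nftables rules.
Added example with a hypothetical policy and constructed records."""
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges: traffic staying inside the network is not subject to the
# egress allowlist (IPv4 only in this example).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Allow:
    proto: str        # "tcp" or "udp"
    port: int         # destination port
    dst: str = "any"  # destination network, or "any"

    def matches(self, proto, dport, dst_ip):
        if proto != self.proto or dport != self.port:
            return False
        if self.dst == "any":
            return True
        return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)


# Hypothetical policy: web on 80/443 anywhere, DNS only to the corporate
# resolver, mail only through the internal relay; everything else is denied.
POLICY = [
    Allow("tcp", 443),
    Allow("tcp", 80),
    Allow("udp", 53, "10.0.0.53/32"),
    Allow("tcp", 25, "10.0.0.25/32"),
]


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)


def decide(proto, dst_ip, dport, policy=POLICY):
    """Return 'allow' or 'deny' for one outbound connection attempt."""
    if is_internal(dst_ip):
        return "allow"
    if any(rule.matches(proto, dport, dst_ip) for rule in policy):
        return "allow"
    return "deny"


def parse_record(line):
    """Parse a constructed 'proto src dst:port' record."""
    proto, src, dst = line.split()
    dst_ip, dport = dst.rsplit(":", 1)
    return proto, src, dst_ip, int(dport)


def audit(records, policy=POLICY):
    """Return the records a default-deny egress firewall would have dropped."""
    dropped = []
    for line in records:
        proto, _src, dst_ip, dport = parse_record(line)
        if decide(proto, dst_ip, dport, policy) == "deny":
            dropped.append(line)
    return dropped


def render_nftables(policy=POLICY):
    """Render the policy as an nftables output chain whose default is drop."""
    lines = [
        "table inet egress {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    ct state established,related accept",
        '    oifname "lo" accept',
    ]
    lines += [f"    ip daddr {net} accept" for net in INTERNAL]
    for rule in policy:
        dst = "" if rule.dst == "any" else f"ip daddr {rule.dst} "
        lines.append(f"    {dst}{rule.proto} dport {rule.port} accept")
    lines += ['    log prefix "egress-denied: " drop', "  }", "}"]
    return "\n".join(lines)


# Constructed records from a workstation at 10.0.1.20; not real logs.
SAMPLE_RECORDS = [
    "tcp 10.0.1.20 198.51.100.10:443",  # ordinary HTTPS
    "udp 10.0.1.20 10.0.0.53:53",       # corporate DNS resolver
    "udp 10.0.1.20 8.8.8.8:53",         # DNS to an outside resolver
    "tcp 10.0.1.20 203.0.113.5:4444",   # unexpected high port to the outside
    "tcp 10.0.1.20 203.0.113.9:25",     # direct SMTP, bypassing the relay
    "tcp 10.0.1.20 10.0.0.25:25",       # internal mail relay
]

if __name__ == "__main__":
    for line in audit(SAMPLE_RECORDS):
        print("denied:", line)
    print(render_nftables())
```

Allowing TCP 443 to any destination is the usual compromise, and it is also the channel most malware picks for its call-home; where you can, send web traffic through a proxy and block direct 443 from workstations, and point DNS only at your own resolvers, as the policy above does. Loading the rendered ruleset with nft -f requires root, and the internal-network entries are IPv4 only, so a dual-stack network would need ip6 counterparts.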
4. Consider cloud computing, but do so wisely
Cyber attacks evolve daily and keeping up is very challenging, especially for small organizations. Cloud computing solutions can offer better security than many organizations can achieve in-house, because cloud providers have the scale to keep specialists on staff to address evolving threats, so a cloud solution can be a viable option. However, this alternative has risks of its own, and you should evaluate them carefully or engage a knowledgeable advisor to help you. Considerations include the sensitivity of the data you would store in the cloud, how that data is encrypted and who controls the keys, and how you will get your data back should you decide to move on from the provider.
5. Back up your data and test recovery from your backup
I did not draw on the Mitnick article for this suggestion, but it is always worth reiterating the importance of backups and of testing recovery from them: a backup that has never been restored is an assumption, not a safeguard. Far too often we have observed the absence of an effective backup strategy. This issue also ties back to the importance of awareness training. We have also seen situations where backups are taken from a server while significant valuable data resides on desktops or laptops and is therefore not covered by the server backup. Remind users to store their data in the designated location so that it is in fact covered by your backup routine.
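As an added example (not from the article), here is a small restore drill in Python: it writes a few constructed files, archives them, restores the archive into a fresh directory and compares a SHA-256 hash of every file, so that a truncated or corrupted restore is detected rather than assumed good. The tar.gz format, the directory layout and the file names are illustrative choices of mine.

```python
"""Restore drill: back up a directory, restore it somewhere else and verify
every file by SHA-256. Added example with constructed files; not from the
article. The tar.gz format and file names are illustrative choices."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def tree_hashes(root):
    """Map each file under root (by relative path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def make_backup(src, archive):
    with tarfile.open(str(archive), "w:gz") as tf:
        tf.add(str(src), arcname=".")


def restore_backup(archive, dest):
    with tarfile.open(str(archive), "r:gz") as tf:
        if hasattr(tarfile, "data_filter"):
            # Safe-extraction filter (Python 3.12+ and backports): refuses
            # absolute paths, traversal and device nodes in the archive.
            tf.extractall(str(dest), filter="data")
        else:
            tf.extractall(str(dest))


def verify_restore(src, restored):
    """Return (missing, corrupted): files absent from the restore, and files
    present but whose hash differs from the source."""
    want, got = tree_hashes(src), tree_hashes(restored)
    missing = sorted(f for f in want if f not in got)
    corrupted = sorted(f for f in want if f in got and got[f] != want[f])
    return missing, corrupted


def run_drill(files, tamper=None):
    """Write the constructed files, back them up, restore into a fresh
    directory and verify. 'tamper' names one restored file to overwrite,
    simulating a bad restore, so that the check itself can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        for rel, data in files.items():
            path = src / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        archive = Path(tmp, "backup.tar.gz")
        make_backup(src, archive)
        dest = Path(tmp, "restored")
        dest.mkdir()
        restore_backup(archive, dest)
        if tamper is not None:
            (dest / tamper).write_bytes(b"truncated")
        return verify_restore(src, dest)


# Constructed sample data, standing in for a file server's shared folders.
SAMPLE_FILES = {
    "shared/ledger.csv": b"date,amount\n2024-01-01,100\n",
    "shared/contracts/acme.txt": b"Master services agreement\n" * 20,
}

if __name__ == "__main__":
    print("clean restore:", run_drill(SAMPLE_FILES))
    print("tampered restore:", run_drill(SAMPLE_FILES, tamper="shared/ledger.csv"))
```

The point of the drill is the verification step, not the archiving: a real exercise restores onto a separate machine from the backup media actually in use, and the hash comparison tells you whether what came back is what you put in. The same relative-path listing also makes it obvious when data users keep on their own desktops is simply absent from the source directory and therefore never backed up.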
Francis Liska, CPA CGA, CMC CISA, CICA is a partner at OTUS Group, a team of advisors to business, government and not-for-profit organizations.