With high profile hacks and security exploits dominating the news landscape lately, it’s impossible to discount the growing importance of cyber security services. While it might be tempting to pass these concerns off as the domain of Fortune 500 companies and the military industrial complex, that couldn’t be further from the truth: we’re seeing small to medium sized businesses targeted by hackers with greater concentration and frequency – specifically because security and training have historically been sidelined in these organizations
What follows is a high-level breakdown of how Daystar mitigates contemporary security concerns by implementing three pillars of security: technology, process, and policy. While the technology pillar addresses security via traditional ‘techie’ means, you may be surprised to find that the other two pillars depend heavily on you, the - business owners, decision makers, and managers. Daystar spearheads the initial design and implementation of process and policy, but their ultimate efficacy comes down to how well we work together to communicate and maintain these safeguards. Although this is not meant to be an exhaustive text on managing IT security, it should help to frame your business for exactly how we approach such an important and daunting topic.
When people think of IT security, they’re usually thinking of the safeguards that Daystar implements as part of the technology pillar. While this is only a small piece of a larger, interwoven system, we still, unsurprisingly, view actual technology as a critical foundation to the security of our client environments. What am I talking about, in practical terms? Here are a few examples of the technical standards to which we hold ourselves and our clients when addressing infrastructure and security:
- Hardware: current generation, business-grade edge router(s) with unified threat management features in every office that directly accesses the internet
- Protection: cloud-managed antivirus, anti-malware, and anti-ransomware providing real-time protection on all endpoints and servers
- Compliance: we work closely with businesses to implement the right platforms to help keep your business compliant with any relevant regulatory bodies (i.e. journaling to maintain SEC compliance or encrypted data in transit to promote HIPAA compliance)
- Configuration: web filtering, two-factor authentication, e-mail encryption, wireless configuration and security – whatever your specific environment calls for, we will gladly implement and manage it on the technical side
- Access: VPN tunnels, remote access, single sign-on, infrastructure maintenance – Daystar configures your environment to industry-standard best practice to promote uptime, accessibility, and security
Here’s where things get a little more interesting. In previous paradigms, the bulk of IT security would probably have fallen into the ‘technology’ pillar. However, at Daystar we maintain that technology is actually a smaller piece of the puzzle than its counterparts: process and policy. In this context, ‘process’ really refers to the who, why, and how of your technology access, rather than the technology itself. With file servers having replaced file cabinets, and mobile phones having replaced rolodexes, you’ll find that these processes thread their way throughout your organization – indeed, many of our clients’ entire workflows are technology driven and dependent. Whether we’re talking about a line of business database, accounting software, shared documents, web content, or digital media – it all runs on technology, and it should therefore all have process built around its access and maintenance. To break it down a little further, here are some of the broader considerations that are included in the process pillar:
- How are your resources physically accessed (phone, tablet, PC, browser)?
- Is access granted both inside and outside of your network(s)?
- Is auditing available to track and log user activity?
- Have different levels of access been defined throughout your organization?[AM7]
- Where is your data being stored?
- How is it being backed up?
- Have redundancy and disaster recovery been discussed?
- Is data being archived on a regular basis?
- Who can move or delete data?
- Have regular permissions audits been performed to ensure proper security?
- Who in your organization is responsible for moves/adds/changes for other users?
Once we’ve helped you identify and document the IT-relevant processes in your organization, we can look at applying and building out our third pillar of security: policy.
Policy largely refers to hard and fast rules that govern how your employees, Daystar, and even third-party vendors access and manage the technology in your environment. As you might imagine, process and policy are inexorably related, and the interplay between the two will form the final component of your organization’s IT security moving forward. As process changes, so indeed should policy, just as newly implemented policy will directly affect process. While the technology pillar tends to be more static, policy and process should be regularly evolving with the needs of your business, your industry, and technology. Indeed, making sure that we’re consistently revisiting these pillars should be a policy in and of itself, in the form of scheduled audits, reviews, annual updates, etc.
While each industry and business may choose to build and enforce internal policy in different ways, there are some larger buckets with which we can sub-categorize.
- Written Information Security Policy (also known as an Acceptable Use Policy)
Every organization, regardless of size and complexity, should have a WISP that employees must be familiar with. The WISP directly outlines policy and procedure within your organization – you can expect a more comprehensive blog post outlining exactly how this document makes the three pillars as transparent as possible both for internal employees and 3rd party vendors at a later date.
- Data Destruction
How is your organization ensuring that data is being properly destroyed?
- 3rd Party Documentation
Part and parcel with having a WISP available for 3rd parties (auditors, vendors), it’s also many times beneficial to have documentation built specifically outlining external access to internal resources, as well as ensuring that vendors are providing you with their own policies.
- Audit and Review
As mentioned previously, formalizing an update strategy for these three pillars is one of the keys to their combined success.
- Training and Employee Education
In addressing that last point directly, I can’t overstate how crucial employee training and education are in preventing data breaches, especially as we collectively navigate an age in which the Internet of Everything is sprouting its entirely unregulated head in our homes and offices. From my technical standpoint as a network administrator, I view employee training and education as the single most effective way to safeguard your data and your network, and these programs and platforms should always be dictated by company policy. Just as you’d require someone handling hazardous materials to be properly trained and certified for the task, so too must your employees, handling sensitive network resources, be capable of identifying a threat before it becomes a breach. With the intense proliferation of social engineering attacks, your employees are often both the attack vector and the last line of defense. Give them the tools to succeed; view them as a firewall, not a point of failure. Daystar builds employee training and testing directly into our managed IT services package to ensure that this layer of security is on the forefront of our clients’ minds.
Sustainable Security: The Marriage of Tech and Business
The goal of this piece has not only been to elucidate Daystar’s high-level approach to managed security, but also to show you how security, which used to be the realm of big firewalls and even bigger passwords, has started to evolve into something more synergistic and interdisciplinary. To future-proof your business’s security, there needs to be a consistent and structured conversation between provider and client, between technology and business. It takes time and energy; it takes a willingness to change; it takes employee education and keeping your technology current. Stay tuned for a future post for some implementation tips, but in the meantime, I hope that we can use these three pillars of security – technology, process, and policy – to build an environment where your business can thrive.
Learn more about Daystar’s Managed IT services!