Cybersecurity Awareness

2014 was a very long year in regards to network security. Many organizations saw breaches of private data, including but not limited to credit card information, social security numbers, and even private emails between employees. Not only were attacks seen by malicious organizations, but serious exploits were found in some of the most trusted elements of the internet, such as was seen with the Heartbleed exploit. According to TechCrunch, 83 million records were stolen from the JP Morgan Chase breach alone, and the average cost of a breach was $3.5 million dollars. Because of how serious these issues have been, it is incredibly important to have a plan in place to secure your networks to minimize the risks of bad things happening to your data.

The first place to start is with the areas that you control. This means ensuring that software is both up-to-date as well as legitimate (some organizations have been known to use pirated copies of software to reduce costs; not only is this illegal but most piracy websites are rife with malware). Updating software is also a matter of ensuring that the software is still supported so that it can be updated; if your organization still has Windows XP in place, you have a major problem - and if you use Windows Server 2003 trouble is coming your way this summer when support ends. The costs of upgrading software might be worrisome, but it is nothing compared to the nightmares a breach can cause because of backdoor your outdated software let in.

After taking care of your software, it is equally important to educate employees about best practices in protecting company interests online. There have been many theories that the massive Sony hack at the end of 2014 started with a disgruntled employee, and while the jury is still out on that case the AT&T breach earlier in the year was certainly caused by upset employees. While not all attacks are on purpose like the AT&T attack, education is the place to start so that employees understand what can cause a threat. This can help to inform employee who might be considering to do bad thing some enlightenment that your team is prepared to stop them, and for employees who might genuinely not have a clue there is the opportunity to educate them and improve the human firewall element of the network. Also keep in mind that data isn’t only lost on the internet - physical files and equipment that are lost can be just as bad for data loss, as was seen by Redwood Regional Medical Group when a lost USB flash drive resulted in 33,702 patient records being lost.

Speaking of firewalls, all business applications should be behind the corporate firewall, with the capacity to save and store network traffic logs as well as the capacity to block and allow specific applications to be used by employees. There are many debates as to whether to block all apps (blacklist) and let employees notify IT as to what they need or to allow all apps and block the bad later (whitelist), but regardless of the solution be sure to understand what your employees need and when possible build corporate solutions for popular consumer products employees might wish to use to improve work experience. DropBox is a commonly cited example - IT obviously doesn’t want employees to have easy access to move files to a home PC to work at night, because less scrupulous employee might use this to start pilfering data. That said, there is certainly a value to allowing employees to work at home, and IT can help to address that by providing their own version of DropBox, or even VDI implementation to enable mobile workloads.