Cyber Defense – Kingdom Policies
OR I Told Him We Already Got One
The organization is a kingdom, and cybercrime has it under siege! Did you know cybercrime is now the world’s third-largest economy? These enemies are state-funded and numerous, looking to steal your data and money, and put you completely out of business.
You need Policy, Education, and Technology working together, driven from the round table of the boardroom, to be successful. While it may feel like a flying circus at times, this is your circus, and these are your monkeys. Don your chainmail and mount your trusty steed. Or just grab a couple of migratory coconuts and ride with me as we set forth the policies to protect your kingdom from threats.
No Basis for a Government – Corporate IT frameworks include several policies that may or may not be relevant to your organization. Nearly everyone will need at least Acceptable Use, Disaster Recovery, and Incident Response policies, to name a few. Policies should be an autonomous collective. Don’t feel repressed by the governing body to follow frameworks to the letter. Many will pull from different frameworks to match what they specifically need.
Why do you think I have this outrageous policy? – An Acceptable Use policy explains in detail what employees and vendors can and cannot do with company-provided phones, laptops, email, and Internet connections. Every employee from the mail room to the boardroom MUST accept the organization’s usage policy for corporate assets and Internet usage annually. This includes login banners and access warnings on all devices. Otherwise, hackers or naughty insiders can steal your data, and you have no legal recourse because you didn’t tell them they couldn’t. Pull the other one! Seriously!
Only a Flesh Wound? – All department heads, along with management and IT, should be involved in determining the most important computing assets in relation to the company. How much would be lost if Salesforce is down for a day? What about the Internet? What about a breach of all customer and employee data? Risk Assessment and Business Impact Analysis (BIA) give businesses monetary considerations for protection and budgets.
Let’s Not Bicker – Incidents are anything from mistakenly deleted files to data breaches or Sally in Accounting requesting a new phone. Incident Response encompasses Help Desk, Change Management, Disaster Recovery, and Business Continuity. IR goes beyond IT but is rooted in IT. Planning is key, and written plans eliminate ambiguity.
It’s Against Regulations – To reduce risk, changes must be fully detailed, scheduled, and approved through Change Management. This allows relevant parties to understand changes, their impact, and what will be done to roll back the changes if they fail or cause issues. By completing changes in specific windows, disruptions and downtime are avoided.
Sacked a Moose on Swedish Vacation – Hope for the best but plan for the worst. What is the policy if a data breach occurs? Or if the intern deletes the customer database or can’t get the subtitles right? A tornado relocates the office to another state? The castle sinks into the swamp? You can’t count on the llamas to come bail you out. You need a plan! Everyone needs to know their roles and tasks no matter what happens. When possible, get the gang together for a table read. Bribe them with food. That always works.
What’s the airspeed velocity of an unprotected password? – Multi-Factor Authentication is a must-have to prevent stolen passwords or replay attacks from allowing entry. A challenge is presented through a secondary device, or something you have, to those on the quest to gain entry. What’s your favorite color or something about unladen swallows? Unauthorized access will be denied even with a valid password.
With a Herring! – Does policy dictate the correct level of firewall and network segmentation required? The processor should be strong enough to inspect encrypted traffic to and from the Internet in real time. Integrated software should connect to a centralized, constantly updated threat network. Configurations should block outbound traffic. And the firewall should block unnecessary traffic between internal network segments. Many Managed Service Providers (MSPs) and in-house IT departments provide a shrubbery when a solid stone wall with guards is required.
Bad Zoot! – For maximum security, businesses should have a whitelist of external locations on the Internet employees and vendors can access. Access should only be allowed in relation to job function. Social media, streaming, shopping, and anything NOT related to the business should be banned in written policy. Social media is a breeding ground for drive-by downloads and click-through scams that can deposit malware and ransomware inside your network. Careful where you browse; you might catch something.
Think I’ll Go For a Walk – Working while away from the office holds a host of challenges. CEO loses his phone in a cab. Wandering eyes watch you fill in spreadsheets from the next seat. A three-headed monster tries to swat you before tea. Don’t chicken out! Policies for VPN and mobile connectivity ensure your questing knights can get back remotely to silly Camelot through encrypted channels.
Aarrgghhh! – Love a good mystery? Confound your attackers by requiring all data in your organization to be encrypted. This does require more than just encryption at the hard drive level. You must encrypt at rest, in transit, and while data is in use. Encryption policies prevent prying into stolen or intercepted data.
None Shall Pass – Cameras, door locks, security guards, and fences are great deterrents. What happens when someone slips by them? Many organizations have adopted policies to ensure identification is worn at all times and required for entry. Every person scans their badge every time. No group access into the office or secure locations, like the data center.
Violence Inherent in the System – If you’re not monitoring, how do you know you are safe? You have minutes once infiltrated to prevent a breach. Slow monitoring equals no monitoring. If insurance determines a breach or ransomware occurred due to failed monitoring or slow response, they won’t cover you! READ YOUR POLICY CAREFULLY! They ask ten pages of questions every year for a reason. If you see Lancelot running across the field and do nothing, you are negligent. Once Lancelot gets inside…
Your people shouldn’t need divine intervention to understand their quest. Looking away, apologizing, and groveling won’t matter if you don’t stay on task. Dangers lurk everywhere, and unless you want to be stone dead in a minute, you must…
GET ON WITH IT!
Fine! Gosh! The next post will discuss Education and ask the question – What has Rome ever done for us?