As James Bond has shown, even a sophisticated MI6 operative with a nearly limitless budget and an array of hi-tech gadgets has to take into account existing security measures when formulating a plan to infiltrate a building or system. And while online criminal organizations don’t have Bond’s resources, they are sophisticated and well funded, which means you have to continually up your efforts to reduce the threat surface of your business.
As you begin planning for 2016, here are 007 tips for bringing your business closer to an MI6 level of security, without a nation-state budget:
1. Auto expiring credentials for new recruits: While we hope your corporate hiring process isn’t as intense as that of a secret agent, at the end of the day not everyone who signs up ends up making the final cut. To minimize your risk of rogue access, implement a policy that requires system admins to always create expiring credentials for new hires. It’s best practice to implement this for any temporary hires, but if your company offers an employment grace period, consider applying the expiration for the end of that time period, just in case. It’s always easier to re-implement than revoke once things have gone awry.
2. Two-factor authentication (2FA) to deter shadow ops: Having multiple forms of identification is an accepted standard for accessing highly secure systems, but it’s not something that’s strictly reserved for government agencies. If your employees’ credentials do get phished or stolen, having 2FA on your Internet-facing applications will keep them from being used. What most people don't realize is that government-level, or similar, high-level 2FA systems are available to protect most information today and they are far less complicated or expensive to implement and use than one may think.
3. Encryption for your eyes only: Since communicating in code or sending self-destructing messages everyday would be incredibly inefficient (and likely dangerous), your best option is implementing a system that automatically encrypts your emails after it filters and scans them, which helps protect your company against data loss. For the more “top secret” missions, consider investing in hosted solutions that also allow for policies to be configured to encrypt, send, return to sender, or delete messages with insecure content. Because it is hosted there are no upfront investments in hardware, certificates or other expensive yearly certificate renewals. You simply pay a monthly fee per user and receive military-grade encryption.
4. Fort Monckton-esque training for all: According to a recent Intel Security study, 96% of users couldn’t tell the difference between real emails and phishing emails 100% of the time. The main reason cyber attacks are successful is because they rely on human error; whether it’s ignoring an alert to install the latest software update, or being careless when clicking on links. While you don’t need to ship your users off to Fort Monckton, you can still keep their security acumen high by periodically checking to see who within the organization needs more awareness training. Consider sending fake phishing emails to your own employees and see which ones fail. An additional training exercise is to leave non-company branded USB flash drives around the office and see who plugs them into their laptops. Load the drive with a simple word document explaining how the device he or she just plugged into the laptop could have infected their machine (and likely the company’s network). The goal isn’t to chastise employees, but show them how quickly a simple misstep can quickly put them at risk.
5. Identity and Access Management to prevent double agents: Spies aren’t the only ones worried about being double-crossed. A recent survey by Intermedia found that 28% of IT professionals have accessed systems belonging to previous employers after they left the company, and nearly 1 in 4 millennials said they would take data from their company if it could positively benefit them. Thanks to advanced identity and access management tools, though, businesses can not only monitor and disable the use of specific features within applications, but also capture screen shots of particular actions and create detailed audit trails of what a user does once they log.
6. Single-sign-on to simplify the mission at hand: Forward-looking businesses are constantly exploring new tools and apps to provide employees in order to empower them and make them more productive, but not even James Bond himself can create and remember strong passwords for the 14+ cloud services employees typically access today. Deploying a single-sign solution will provide users with access to their web apps with just one password. Furthermore, premium versions can automatically create strong, unique passwords for each user that are periodically changed — automatically — without users ever knowing. This increases security and productivity; all your employees have to worry about is remembering whether they like their martini shaken or stirred.
7. Third party vendors, your allies in arms: The CIA, MI5, MI6, FBI etc., all occasionally work together on a single mission, and so too should businesses with their vendors. Many businesses don't realize the vendors they work with can help the business (and also put it at risk). If you're planning to store company information in the cloud, work with a cloud provider that has a strong reputation for security and also helps migrate and protect your data seamlessly.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.