Sound Data Security for Small & Midsized Business - Risk Based, Prudent and Cost Effective

Recently the computer systems of the Federal Office of Personnel Management were hacked.  Classified personnel data thought secure were compromised.

Estimates indicate the hackers gained access to 21.5 million records of current and past, direct and contract employees, compromising personal information gathered during security checks, which included social security numbers and security clearances.

It’s Not That Uncommon

According to Information is Beautiful, notable outside hacks that compromised more than 30,000 records include such household names as SONY, Target, Anthem, Home Depot, EBay, Zappos, Department of Veterans Affairs, Premera Blue Cross, JP Morgan Chase and a disturbingly large number of other organizations.

Based on these incidents and the skill of the hackers against large corporations and agencies, it would appear that if some sophisticated evil-doer was intent on hacking your small to mid-size firm – they could find a way to do it.

But there are easier ways the mal-intentioned can gain access to your data than hacking in from the outside.

Internal Vulnerability to Data Security Breaches

A good Information Security Plan includes a combination of protection methods. Data breaches can, and do, arise from not only sophisticated external hacks, but also, from internal lapses in security - and those internal breaches can be just as serious, if not worse.

Given the relative attention paid to protecting data from outside intrusion vs. protection from internal lapses, it would appear that the security policy of many firms is based on the false assumptions that:

1.    Everyone on the outside is bad

2.    Everyone on the inside is good

The fallacy in those assumptions can be quickly pointed out through real experience.

Take the recent SONY data breach as an example.  There are conflicting reports regarding the sources of this breach. The FBI points to North Korea. Other independent IT security analysts say it was an inside job.

From the NY Post dated Dec 30, 2014

“(The SONY) malware had specific server addresses, user IDs, passwords and credentials, it had certificates.  This stuff was incredibly targeted.  That is a very strong signal that an insider was involved.”  Quoting Kurt Stammberger, Sr. VP, Norse, www.norse-corp.com

We are actually skeptical that the Sony hack was a strategically planned “inside job”.  We think it was, more likely, an opportunistic theft - the result of consistently poor internal IT practices that left the security door open. 

Next, take the case of Edward Snowden.  Snowden is the American computer professional who leaked classified NSA information regarding its global surveillance programs.  He had been hired by Booz Allen Hamilton, an NSA contractor, in 2013 after previous employment with both Dell and the CIA.

He simply walked out the door with those files.  Someone gave him the passwords, presumably because he needed them to do his job.  And for all we know he did his job well – until he decided not to.

All the external data security algorithms and firewalls in the galaxy would not have stopped the NSA or SONY (assuming they were internal) breaches. 

Data security policy that looks outward – instead of both inward and outward – leaves a highly vulnerable flank exposed.

While these are probably the most newsworthy incidents of an internal breach, how many more simply go unnoticed or unpublished by the press, carefully hidden by the firms involved to avoid public embarrassment and loss of customer trust?

Implications

Here are the lessons and implications of this discussion.

1.  Responsible data security initiatives must comprehend both external and internal vulnerabilities.

2.  The biggest data breach vulnerability that any company has stems from fundamentally unsound internal IT security policies and practices.

3.  Organizations typically commit disproportionate amounts of funding and effort to preventing external breaches – while internal breach vulnerabilities remain rampant throughout the organization.

4.  Of the two, for small to mid-size firms, internal vulnerabilities have the higher probability of being exploited – and are often the lowest cost to protect against.

IT directors will too frequently talk about firewalls and intrusion protection while rarely giving the attention needed to manage internal access issues.  Yet, investments in the reduction of internal vulnerabilities yield high security returns. 

I say this because rigor and discipline cost nothing extra.  And that rigor and discipline require a tough-minded and uncompromising management team that creates and rewards a data-security-minded culture - while making sure productivity is not compromised.

How to Reduce Internal Data-Breach Vulnerability

The first rule of data access states:

People must have access to all the data they need to do their jobs – and nothing else.

In the military, this philosophy is called “need to know”.  Contrary to its occasional bad rap in the movies, in practice it does not hinder productivity, but actually improves productivity while mitigating risk.  It does require people to include data security in their thinking – always. 

With this rule as a prime directive, here are 10 things to do to reduce your organization’s internal data-breach vulnerabilities that do not negatively impact productivity:

1.    Categorize Data by Types: Decide what data types are most important and analyze the consequences of a breach and their vulnerability to internal theft.

It is unlikely that the blog post drafts your marketing team is working on represent a major threat to the firm, its customers or employees if breached.  Contrast that with your market and customer data, product firmware code, employee social security numbers, Intellectual Property files, health insurance and the firm’s financial records.

Ask yourself to what degree the compromise of this data, if it found its way into the hands of your competitors, would harm your business.

2.    Frequently audit who has access to each category of critical data and whether that access is truly needed.

In some firms we have consulted with we have discovered long-term employees who, as they progressed within the firm, piled up increasing levels of secured access to various critical data files, whether or not they still needed that access.

This is often also an issue for the employee who works remotely, such as a sales person.  Consider designing that person’s access around their remote role, rather than assuming he or she is just like any other internal employee.

Ask. Do you need access to do your job?  Why?  Not needed?  Take it away! Don’t simply build on previous permissions.

3.    Do not take the simplified route to systems installations. It’s the riskiest approach.

Certain programs, such as File Share, have factory default settings that may assume universal access.  Sure, it’s easier for the system administrator to install and configure the system in that mode, but when it comes to the security of important data files that may be managed through that system, paying strict attention to who should have what access is critical.

Microsoft’s “out of the box” method of access is “everyone gets access to everything”.  That is because Microsoft does not know your company.  If you have never reviewed your data access policies, chances are good that you still have this mechanism in place. 
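As an added example (not from the article), here is one way to audit the "everyone gets access to everything" default on a Windows file server and to act on what items 2 and 3 above ask for: list every share whose share-level permissions grant access to a broad principal, then replace such grants with a named group. It assumes the built-in SmbShare PowerShell module (Windows Server 2012 / Windows 8 or later) and local administrator rights; the principal list, the Review/Remediate labels and the group name are this example's own placeholders.

```powershell
# Added example (not from the article): find SMB shares on a Windows file server
# whose share-level ACL grants access to broad principals, i.e. the "everyone gets
# access to everything" default described above. Assumes the built-in SmbShare
# module (Windows Server 2012 / Windows 8 or later) and local administrator rights.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ANONYMOUS LOGON'
)

function Get-OverlyPermissiveShares {
    param([switch]$IncludeSpecial)   # include C$, ADMIN$, IPC$ only when asked

    Get-SmbShare |
        Where-Object { $IncludeSpecial -or -not $_.Special } |
        ForEach-Object {
            $share = $_
            foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($BroadPrincipals -notcontains $ace.AccountName) { continue }
                # Read-only for a broad group may be intended; Change/Full almost never is.
                $finding = if ($ace.AccessRight -eq 'Read') { 'Review' } else { 'Remediate' }
                [pscustomobject]@{
                    Share     = $share.Name
                    Path      = $share.Path
                    Principal = $ace.AccountName
                    Right     = $ace.AccessRight     # Read, Change, Full or Custom
                    Finding   = $finding
                }
            }
        }
}

# Remediation is a separate, deliberate step: replace the broad grant with a named
# group that maps to the people who actually need the data.
function Restrict-ShareToGroup {
    param(
        [Parameter(Mandatory)][string]$ShareName,
        [Parameter(Mandatory)][string]$BroadPrincipal,
        [Parameter(Mandatory)][string]$GroupToGrant,   # e.g. placeholder 'CONTOSO\Finance-RW'
        [ValidateSet('Read', 'Change', 'Full')][string]$Right = 'Change'
    )
    Revoke-SmbShareAccess -Name $ShareName -AccountName $BroadPrincipal -Force
    Grant-SmbShareAccess  -Name $ShareName -AccountName $GroupToGrant -AccessRight $Right -Force
}

# Report only; nothing here changes a share until Restrict-ShareToGroup is called.
Get-OverlyPermissiveShares | Sort-Object Finding, Share | Format-Table -AutoSize
```

Share permissions are only half the picture: effective access is the intersection of the share ACL and the NTFS ACL on the folder, so the same review should be run over Get-Acl on each share path before a share is declared clean.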

4.    Implement an uncompromising password change policy

We have all experienced the irritation of being surprised by not being able to access a system because the system demanded a password change.  Minor irritation and inconvenience must not trump security discipline.  Make your policy one that is meaningful yet manageable by your workforce. 

Having said that, changing passwords very frequently may sound like a good idea, but probably is not. 

I recently read an article that stated that passwords should be 15 characters, complex, and changed every 45 days.  The writer claimed this approach as good security.  Consider, for a moment, how this might be horrible security.  With that policy in place, people will write down their passwords on pieces of paper.  Good IT practices understand that human beings do human things.   Good security must be simple for people to use.   If security is too complex, people will unintentionally create security holes under the guise of convenience.

5.    Don’t compromise security policy because of Executive “inconvenience”

Periodically, executives express frustration or even anger with the inconvenience of being required to make periodic password changes themselves.  However powerful the source of that complaint, it is important to remember that, like any corporate imperative, security rigor must start at the top.

In order to mitigate that surprise/frustration, executive management should be involved in setting the expectations for, and approving target levels of security for IT to achieve.  That policy must balance the best interests of the company, its customers, employees and shareholders.  This executive involvement in security and compliance expectation setting, in effect, establishes their own personal security expectations.

This is a much better approach than just turning all security policy decisions over to IT and its edicts.

6.    Train and test your employees in your data security policies, procedures and expectations.

Does everyone know what to do when they get a “tricky” email asking them to click on a link for “confirmation”?  In a recent controlled test with one of our clients, we ran such an email scam and were able to extract the system access passwords of 21 of 50 employees.

7.    If the data doesn’t need to be on the network, remove it.

Put data that nobody needs current access to in separate, secured data storage and delete it from your network.  Pronto!  If your company holds the “crown jewels” of data that make your product special, consider pulling that data off your network entirely.  And that 5 year old email may be more of a liability than an asset.

8.    Audit Passwords

Outlaw passwords like “Password”, “Welcome”, “Administrator”, birth dates, and children’s names.

It may seem improbable in this day and age of increased awareness and paranoia about security breaches, but during IT audits we still find passwords glued to a monitor, taped under a keyboard or in upper right-hand desk drawers.

And, it’s not only unsophisticated users that have sloppy password discipline. 

We mentioned earlier that passwords in out of the box software installed on servers are commonly pre-set as “administrator”.  As system infrastructure grows, its access through the “administrator” password becomes more and more powerful.  The effort required to change this becomes a big deal.  The more network administrators a firm has, the more the password has been shared.  If the IT person you hired is not as security-savvy, rigorous and disciplined as you thought they were, it may be that everyone has access to everything.

9.    Forbid the use of flash drives (or other portable storage media) for taking data out of the building.   If you need to grant that right to people, be intentional, grant it, then remove it returning back to the “normal” state of denying that capability.

10.    Do not give contractors critical passwords unless that access is tightly managed.

Remember that Snowden was a contractor whose access was clearly not managed effectively.  Remote employees can also be a challenge to manage.

Yes, it is inconvenient.  But, if you must sacrifice security for convenience, make those password accesses term-restricted – and don’t just hand out remote access / VPN access to everyone.  (See the first rule of data access.) 

How Much Money and Effort Can A Small to Mid-size Firm Commit to Data Security?

So, how does a middle market firm address Data Security issues in a responsible, affordable, reasonable way?  Can it reasonably commit more resources than SONY? More than JP Morgan Chase?  If you are a middle market firm, the answer is, not likely.  So, here are some guidelines we suggest:

Guideline 1:  Look Outside. A small company must protect against external data breaches but certainly not to the US government or Sony level.  Pick some good server protection, install it and keep scanning the horizon for better.

Guideline 2: Look inside. Identify and put in place policies, procedures and disciplines to protect against the circumstances identified in our 10 considerations.

Guideline 3:   Listen to your employees.   If someone has hacked your network and is actively moving data, there is probably no way for you to know that immediately.  However, if you unexpectedly begin to hear comments like “Wow! The system is sure slow today.” or “My hard drive just keeps running, and running and running.”, these comments should not be ignored.  Users noticing changes in system performance are often your first and best line of defense.  Remember that even when the little boy cried “wolf”, eventually the wolf showed up, and that part of the story did not go well.

Guideline 4:   Know when something unusual is going on in the network.   Is the network running slowly?  Are file uploads slower than normal?  Are email messages bouncing?   These are all signs that you may be under attack or have been attacked.

A Final Word: Convenience vs Security

We have probably all read about disasters that were made fatal by people turning off smoke detectors because they tripped constantly for “no apparent reason” or people trapped in a fire because one of the exit doors was blocked or locked for some excuse of convenience or irritation.

Data Security is no different.

The policies and protections put in place to establish a rigorous and sound data security program perform a critical service and purpose.  When that service and purpose are ignored or disabled and disaster threatens, the consequences can be severe.

*******

For more information on how Lighthouse Information Systems can assist with your strategic and tactical technology and data management optimization, call Rick Koski at 408.884.3690, visit our website www.lighthouseis.com or email [email protected]
