It is the middle of October which means that the month is about half way done. It also means that people are in the midst of finding that perfect Halloween Costume for themselves or their little kiddos. Maybe you are excited for the middle of football season or anxiously waiting for the next pitch in the baseball playoffs. You could by like this author and are excited for the annual Cleveland Beer Week, but I digress. Did you know, however, that October is National Cybersecurity Awareness Month?
It is surprising that we need a month blocked off to make us aware of something that we should constantly be aware of. But I also look at this month as being a reminder to take ones temperature and determine how better prepared you are from last year.
So what have you, or your clients, done in the past year to better protect and prepare for a breach of data? Here are some tips to ensure your protection against cyber attacks:
Have an IT Audit Performed
Preferably, this audit would be done by an outside entity but something is better than nothing. The IT audit should identify your sensitive and valuable data. The audit should then consider where that data is stored. Then the audit should consider who has access to that data and how that access is monitored. Logging successes and failures to your sensitive data will help identify attacks when they are beginning but also identify possible compromised accounts by looking for changes in patterns of access. For example why is Bob, who is on vacation in Europe, accessing the payroll information? Finally, the IT audit should consider how the data moves and if it is protected in that move. We worked with a company one time to find that they had sensitive financial information that was quite well protected. However, when it was put in transit to another system, it was left in a folder that was unsecured. An IT audit can find those leaks.
Like I mentioned, it is beneficial to have the audit done, but having it done by an outside entity is even better. I’m sure you think I’m just trying to drum up business but that isn’t true. An outside entity will have no pre-conceived notions and will not take anything for granted. Plus they are incentivized to find that vulnerability. Years ago I had a client come to me because they had a server crash. The server contained their database that was vitally important to the company. In fact, the owner said if they ever lost it, the company would close up. At every management meeting the head of IT was asked about the backups. Each time he confidently replied that the database was being backed up. When the server went down, the owner said “well it is being backed up, we are good”. The head of IT replied “yes, but I was backing it up to another location on the server”. See what I mean about preconceived notions?
Have a Data Breach Plan in Place
The statistics don’t lie. Those companies that have a data breach plan in place will definitely see a beneficial return on that investment when the breach occurs. Years ago the rage was having a disaster recovery plan for when you lost power, had a server crash or had some other event that affected the company. Those that had the plans and had a disaster just dealt with a minor blip on the road to success. Those that didn’t have a plan saw their company take a major financial hit or worse went out of business. A data breach plan is just an extension of a disaster recovery plan but with an emphasis in handling a different type of situation. The plan will cover how to stop the breach, properly preserve the data and who to get involved. It will talk about when to report the breach and how to do it properly so that your company doesn’t come off as sounding incompetent or vulnerable to the next breach. About that investment?
Train your Employees and make them Aware
Untrained employees suffer from two issues. First, they often can’t identify the signs of a breach. Second, they also find themselves vulnerable to social engineering which we all know is one of the biggest methods criminals use to breach companies. Training comes in all shapes and forms from seminars to reminder emails to on demand webinars. A knowledgeable staff goes a long way to preventing data loss.
Have a Vulnerability Test Performed
Have you considered having a penetration test (aka pen test) performed? A good pen test will involve someone taking an active role in trying to get at your data and then providing a report as to how it was done. Think of it as taking an IT audit to the next level. The results of such a test can make you rest easy at night or can be quite sobering when you find out that you aren’t as safe as you thought you were.
Look at your Insurance and Contracts
I just attended a couple of excellent seminars given at the Northeast Ohio ISSA. A couple of months ago, Greg Stein from Ulmer & Berne gave a great talk on why it is important to look at contracts that you have with vendors and third party providers that handle your data to see what type of protection you have, or more likely don’t have, when that outside entity makes a mistake with your data. This month it was Kim Ferenchak with Oswald Companies who discussed cyber insurance. If you think that your E&O or D&O insurance will cover costs from a data breach, you are most likely mistaken.
So there you have it, some tips on things to look at during the cyber security awareness month.
by Greg Kelley, BS, EnCE, DFCP
Chief Technology Officer
Vestige Digital Investigations