As James Bond has shown, even a sophisticated MI6 operative with a nearly limitless budget and an array of hi-tech gadgets has to take into account existing security measures when formulating a plan to infiltrate a building or system. And while online criminal organizations don’t have Bond’s resources, they are sophisticated and well funded, which means you have to continually up your efforts to reduce the threat surface of your business.
As you begin planning for 2016, here are 007 tips for bringing your business closer to an MI6 level of security, without a nation-state budget:
1. Auto expiring credentials for new recruits: While we hope your corporate hiring process isn’t as intense as that of a secret agent, at the end of the day not everyone who signs up ends up making the final cut. To minimize your risk of rogue access, implement a policy that requires system admins to always create expiring credentials for new hires. It’s best practice to implement this for any temporary hires, but if your company offers an employment grace period, consider applying the expiration for the end of that time period, just in case. It’s always easier to re-implement than revoke once things have gone awry.
2. Two-factor authentication (2FA) to deter shadow ops: Having multiple forms of identification is an accepted standard for accessing highly secure systems, but it’s not something that’s strictly reserved for government agencies. If your employees’ credentials do get phished or stolen, having 2FA on your Internet-facing applications will keep them from being used. What most people don't realize is that government-level, or similar, high-level 2FA systems are available to protect most information today and they are far less complicated or expensive to implement and use than one may think.
3. Encryption for your eyes only: Since communicating in code or sending self-destructing messages everyday would be incredibly inefficient (and likely dangerous), your best option is implementing a system that automatically encrypts your emails after it filters and scans them, which helps protect your company against data loss. For the more “top secret” missions, consider investing in hosted solutions that also allow for policies to be configured to encrypt, send, return to sender, or delete messages with insecure content. Because it is hosted there are no upfront investments in hardware, certificates or other expensive yearly certificate renewals. You simply pay a monthly fee per user and receive military-grade encryption.
4. Fort Monckton-esque training for all: According to a recent Intel Security study, 96% of users couldn’t tell the difference between real emails and phishing emails 100% of the time. The main reason cyber attacks are successful is because they rely on human error; whether it’s ignoring an alert to install the latest software update, or being careless when clicking on links. While you don’t need to ship your users off to Fort Monckton, you can still keep their security acumen high by periodically checking to see who within the organization needs more awareness training. Consider sending fake phishing emails to your own employees and see which ones fail. An additional training exercise is to leave non-company branded USB flash drives around the office and see who plugs them into their laptops. Load the drive with a simple word document explaining how the device he or she just plugged into the laptop could have infected their machine (and likely the company’s network). The goal isn’t to chastise employees, but show them how quickly a simple misstep can quickly put them at risk.
Sign up for Computerworld eNewsletters.