You are an IP service provider so your company is 100% on top of cybersecurity, right? What about your end-users? Your enterprise clients' employees? Go beyond the basics in this webcast as we discuss training and educating from the inside out and best practices for stepping in to assist your customers when a problem presents itself.
3. fecinc.com
A shift in thinking
• External threats are the most familiar
• Inside threats are getting more attention
4. Looking Inside for Risks
Internal risk events
– Weak credentials
– Credential sharing
– Unauthorized application use
– Device loss/theft
– Disgruntled workers on social media
Targeted information
– Private customer data
– Financials
– Intellectual property
Consequences
– Legal liability
– Stock manipulation
– Lost revenue
5. A Working Password Policy
• Publish and educate
• Require strong passwords
• Complex and strong are different
– Longer is better than random complexity
– Easy to remember is better
• Cycle passwords
6. The Complexity Problem
• Commonly a focus
• Hobbles usability
• Users circumvent it
• Focus on strength instead
– Long
– Memorable
10. Preventing Data Leakage: Keeping the Good “In”
Methods of data leakage
– Lost equipment
– Stolen equipment
– Equipment gifted or sold to former employees
– USB drives
– Unauthorized software access via stolen or shared credentials
– Social media posts
– Unauthorized cloud sharing
Stopping leaks
– Firewall rules
– Data encryption and MDM
– Equipment release process
– Have a USB drive policy, or lock USB ports out
– Pay attention to good work processes
– Social media use policy, or block social media posting
Weak and shared passwords are the first flaw in internal security.
A USB stick holding intellectual property, customer or business account information, or any other critical data, walking out in someone’s pocket, can destroy a business.
A lost or stolen laptop or mobile device with private data on it can expose a company to huge liability.
Social engineering, using phishing or pretexting to get access to secure information through an employee, can do the same.
While you’re looking at intrusion detection and prevention, or virus and Trojan prevention, your cyber security risk from inside could be sneaking out in employee Facebook posts.
<Intro Question #1>
The policy must be easy to find, easy to understand, and easy to follow.
The resulting passwords must be strong while still easy to remember and use.
Anecdote: an acquaintance stores credentials for all work systems in an Outlook contact.
Time is a critical element in cracking passwords. Set a cycle that works for your business. Most recommend 30-90 days.
Say you’re the person entering the maze, and you do so every day. Wouldn’t you keep a map to reference? That map is an insecure record of your password.
Long, easy-to-remember passwords are far better. Use at least 12 characters for users and 15 for admins. One recommendation is to use a long memorable phrase in all passwords, shifting its location and varying the surrounding characters in ways that make sense to the user.
“A password of sufficient length can defeat a password guesser or cracker, whereas complexity adds significant value only when the complexity is random or near-random.”
http://www.infoworld.com/article/2616157/security/creating-strong-passwords-is-easier-than-you-think.html
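As an added illustration of the length-versus-complexity point above (not part of the original webcast), this Python snippet checks a password against the talk's stated policy (12 characters for users, 15 for admins, reset within a 30-90 day cycle) and compares the guess space of a short complex password with a long lowercase one. The guess rate, the 90-day reset ceiling and the sample passwords are assumptions chosen for the example.

```python
import math
from datetime import date, timedelta

# Policy from the talk: minimum length by role, plus a forced reset cycle.
MIN_LENGTH = {"user": 12, "admin": 15}
MAX_AGE_DAYS = 90  # assumption: upper end of the recommended 30-90 day range


def check_policy(password: str, role: str, last_changed: date, today: date) -> list:
    """Return a list of policy violations; an empty list means compliant."""
    problems = []
    needed = MIN_LENGTH[role]
    if len(password) < needed:
        problems.append(f"too short for {role}: need {needed}, got {len(password)}")
    if today - last_changed > timedelta(days=MAX_AGE_DAYS):
        problems.append(f"older than {MAX_AGE_DAYS} days: reset required")
    return problems


def guess_space_bits(length: int, alphabet_size: int) -> float:
    """Bits of search space for a password chosen at random from the alphabet.

    A phrase built from dictionary words is weaker than this upper bound; the
    policy's real win is that users can actually remember a long password
    instead of writing a short complex one down.
    """
    return length * math.log2(alphabet_size)


def crack_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to exhaust the space at an assumed offline guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    today = date(2024, 2, 1)  # constructed dates for the demo
    for pw, role, changed in [("Tr0ub4dor&3", "admin", date(2023, 9, 1)),
                              ("correcthorsebattery", "user", date(2024, 1, 1))]:
        print(pw, role, check_policy(pw, role, changed, today) or "OK")
    # 8 random characters from a 95-symbol keyboard set vs 16 random lowercase letters
    short_complex = guess_space_bits(8, 95)
    long_simple = guess_space_bits(16, 26)
    print(f"8 complex chars: {short_complex:.1f} bits, {crack_years(short_complex):.4f} years")
    print(f"16 lowercase chars: {long_simple:.1f} bits, {crack_years(long_simple):.0f} years")
```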
<Intro Question #2>
Fittingly, information is key to information security.
Documented policies, hardware and software inventories, access and transaction logs, and configuration and change management processes all take time, but they are critical foundations of security.
User management controls such as software-enforced password reset can ensure compliance with password time cycles.
Regular reporting and internal audits are also the best ways to measure success against your own policies. Often these can be automated, but sometimes manual measurement is required.
Independent external consultants can be effective in identifying gaps in your cybersecurity structure. Additionally, certifying compliance with industry standards such as PCI and NERC CIP requires external auditors.
<Intro Question #3>
• 23 percent of IT professionals work for a company that does not have security policies.
• 47 percent of employees and 77 percent of IT professionals worldwide believe that their companies' security policies need improvement and updating.
• A 20 to 30 percent difference between the number of IT professionals and the number of employees who know that a security policy exists indicates that IT is not sufficiently educating and communicating security policies to employees, and that employees may not be paying attention.
• The majority of IT professionals believe that employees don't always adhere to policies because they don't understand the risks involved with their behavior, because security isn't a top-of-mind priority or issue, or because the employees just don't care.
http://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/data-loss-prevention/white_paper_c11-503131.html
Having a policy is the first step towards implementation and effectiveness measurement. Communicating the relevant policy sections to the various employees is critical to a working policy. To work, a policy must be about good work processes, not cumbersome impediments to daily work.
Creating the security culture: a major problem with cyber security education and implementation is that users may not understand their roles in context, and can get overwhelmed.
To increase your staff’s comfort and understanding of their role in cyber security, it may help to use the analogy of a bank teller or retail cashier.
These jobs play a critical role in the security of their businesses. Bank tellers are trained as a matter of course to complete transactions as securely as they can. Retail cashiers are trained in the same way to handle money as securely as they can while at the register. Neither one is expected to police the establishment, or stop a crime singlehandedly.
For most companies, information can be as valuable to their business as daily transactions are to banks or retailers. But staff in those companies are no more specialized in information security than a teller or cashier is in preventing robbery. They just need training to do their daily work securely. If they work with a customer database or payment card data, they need simple training, in context, to use that information in the least risky way. They probably do NOT need training in an end-to-end cybersecurity plan and policy.
Simple, tailored training about how to do daily work the secure way is a whole different discussion from yet another fire-and-brimstone lecture about what can happen if they give their password to a colleague. Make security about good work processes, not about abstract risks in bad processes.
<Intro Question #4>
Drawbridges work two ways. They keep the bad stuff out, but they also help keep good things in. You need to look at security in both directions too.
Listed here are some of the most common methods data can leak from your business, and the best methods for prevention.