How Do I Protect Myself? My Company?
In the wake of my blog entry, “My Biggest Cyberfear”, I’ve been asked how, or rather, what can I do to protect myself and/or my company.
From a consumer standpoint (note that every company is a consumer of goods and services just like the customers they serve), we must all get active. It’s not just about watching your credit reports. It’s about taking a stand, holding the companies we do business with accountable.
I’m not a big “don’t trust anyone” advocate, but if you use a credit card for purchasing (whether in person or online), be skeptical. If you’re asked to provide a phone number or email to complete a purchase, don’t be afraid to say no. By all means, stop sharing everything with the world! Many consumers are the biggest violators of their own personal privacy, and the details they give away are exactly what social engineering attacks are built on.
In reality, many of our home networks are now more complex than corporate networks were 10 years ago. Even in the simplest home environment, we have “smart phones”, “smart televisions”, laptops, desktops, tablets, connected refrigerators and possibly even a car that connects to the network. All this, and yet, many homes don’t even have an antimalware solution.
Here, I present two simple suggestions for your house:
- Install an antimalware solution on all the devices you can. Even the worst antimalware solution is better than nothing. There are many on the market to choose from and they range from free to expensive. I don’t usually recommend the “free” solutions, but again, it’s something. If you’re asking me what I recommend, I’d share with you that Network Box USA uses and recommends Kaspersky.
- TURN OFF YOUR DEVICES! I don’t mean let them power down or go into sleep mode. I mean really log out of your apps and turn them off. You’re not using them and neither should someone else. That’s right, if it’s on, it’s accessible and you’re vulnerable.
Now, what can a corporation do to protect its data? First of all, let’s face it. For many of us in the corporate world, much of the data we need to protect isn’t “ours”. This data really belongs to the people we serve. It belongs to our employees and customers. They trust us to maintain and protect their data. In turn, they allow companies the ability to borrow that data for transactional usage. This trust comes with a certain amount of accountability. Simply put, if you can’t properly protect the data, you shouldn’t store it.
I’m not an engineer. I’m not going to use big words or acronyms that you don’t understand. In the simplest of terms, here’s what I suggest for corporations:
- Understand and classify the data you need to protect and the people/applications/devices that need access to it. Not everyone or everything should have access to the data on your network. Actually, you may find that some people/applications/devices shouldn’t even have access to your network at all. Control, question and audit any and everything with access, all the time.
- Encrypt, encrypt, encrypt, and when you’re not sure, encrypt. Data at rest, encrypt it. Data in motion, encrypt it. Data you feel is no longer relevant, either destroy it or encrypt it. There are some great encryption solutions on the market. Network Box USA uses and recommends Zix.
- Secure your network and all access points (perimeter, endpoint, mobile, web application, etc.). We get it, everyone in IT security gets it. IT security is hard. It’s a moving target and it’s not how you make money. You sell “widgets”, not IT security. In many cases, IT security is an operational and budgetary distraction.
Welcome to 2015, where IT security is an integral part of your business. Take the time to understand your limitations. Seek services and solutions that enhance your internal capabilities. Look at managed IT security service providers like Network Box. Explore partnering with a company that can do the penetration testing, assess your threat exposure, advise you on data or personnel classification, and then let your customers know what you’re doing to protect the data they trust you with. The investment you make in IT security can and should be part of your value proposition.
In my initial blog post, I took a stab at our lawmakers. As consumers, we all need to get involved with the process of consumer protection. I personally feel that breach notification laws are a good step in addressing the issue, but I also feel that they don’t go far enough in protecting consumers from cybercrime. The truth is, I don’t like the “trickle down” approach to accountability because it allows corporations to gamble with consumer data. Just take a look at the breaches of 2014 and it’s immediately apparent how fundamentally flawed this approach is.
To summarize, I’m a realist. I accept that, like any other form of criminal activity, there will never be an end to cybercrime, BUT that doesn’t mean we need to crawl into our doomsday bunkers just yet. There are ways to reduce the risk, manage the risk, and eventually turn cybercrime from the norm into the exception.