November 2017: When it comes to cybersecurity, there are two things your organization needs to be doing right now — multi-factor authentication (MFA) and data encryption. Hackers have become too sophisticated to be stopped by yesterday’s security policies.
Implementing encryption or MFA (or both) may not be as easy as flipping a switch, but it’s worth the effort to do it right. Here are five important facts to consider:
1. Putting up walls isn’t good enough anymore
While you definitely need firewalls, unified threat management (UTM) and a Virtual Private Network (VPN), if all you’re doing is trying to keep the bad guys out, you’re not doing enough. Someone is going to breach your walls eventually — even the most secure IT environments aren’t foolproof. So, if your data isn’t encrypted, it’s there for the taking. While it has become common to encrypt data in transit, it’s still not that common to encrypt data at rest, which makes data at rest the most vulnerable. And the data on user endpoints — computers, smartphones, thumb drives, etc. — is the most vulnerable of all, especially in a Bring Your Own Device (BYOD) world.
2. Passwords are insecure
Are your employees still using a username and password combination to access your network and other business information? That’s child’s play for password-cracking software from the dark web. While longer, more complicated passwords are harder to break, even complicated passwords can be stolen, shared or reused by employees. Eyeballs, thumbs and faces are harder to steal, so biometrics are much more secure when layered with another piece of authentication. Yet, even two-factor authentication isn’t secure enough — you need MFA made up of three pieces of authentication to raise the bar to today’s standards. Anyone who wants access to your data should be required to provide:
1) Something they know, like a username-password combination
2) Something they have, like a keyfob or other physical token, or a one-time password via email or text
3) Something they are, like the owner of a fingerprint, retina or face
3. Email is antiquated
Even if your organization encrypts email transmissions, most of the time email sits unencrypted once it reaches the email server destination. It’s at risk again if your email recipients don’t encrypt the emails once they’re at rest in their networks. Email wasn’t built to be completely private and while app add-ons may help, they don’t secure an inherently insecure system. What’s worse is emails are stored on different user devices, which creates a lot of loose ends. Yet email is still the go-to for most organizations because it’s so convenient. The far better choice for 2017 and beyond is encrypted chat and collaboration tools — there are plenty of options.
4. Third-party vendor security is lacking
Most breaches can be traced to third-party vendors. Network access credentials are mishandled, stolen, shared (inadvertently or on purpose), or otherwise compromised — and their business partners pay the price. Each person who is allowed access to your network should use a unique set of credentials. An MFA policy goes a long way in helping you audit all access to your network and retain control of your data.
5. Encryption is built into Windows and OS X
There’s no excuse not to encrypt end-user devices, even (and especially!) when using a BYOD policy. Encrypting hard drives is as simple as clicking a few buttons. If your organization does not have a secure platform or use Virtual Desktop Infrastructure (VDI), Desktop as a Service (DaaS), or mobile security for BYOD devices, then your data is at risk. Use BitLocker Drive Encryption for Windows machines and FileVault for OS X machines. Here’s how to encrypt Android smartphones and tablets and iPhones and iPads.
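A check that encryption is actually in effect on each endpoint, as an added example (not from the original post): it classifies the text printed by `manage-bde -status` on Windows and `fdesetup status` on macOS, and treats a BitLocker volume that is encrypted but has protection suspended as not protected. The sample outputs, host names and function names are constructed for illustration.

```python
import re

# Constructed sample outputs (not captured from real machines), in the format
# printed by `manage-bde -status C:` on Windows and `fdesetup status` on macOS.
BDE_PROTECTED = """\
Volume C: [OSDisk]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On
"""
BDE_SUSPENDED = BDE_PROTECTED.replace("Protection On", "Protection Off")
BDE_PLAINTEXT = """\
Volume C: [OSDisk]
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Protection Status:    Protection Off
"""
FV_ON = "FileVault is On.\n"
FV_CONVERTING = "FileVault is On.\nEncryption in progress: Percent completed = 40\n"
FV_OFF = "FileVault is Off.\n"


def _field(text, name):
    """Return the value of a 'Name: value' line, or '' if absent."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else ""


def bitlocker_state(status_text):
    """Classify one volume from `manage-bde -status` output."""
    conversion = _field(status_text, "Conversion Status")
    protection = _field(status_text, "Protection Status")
    if conversion != "Fully Encrypted":
        return "unprotected"
    # Encrypted but suspended: the volume key is stored in the clear on disk.
    return "protected" if protection == "Protection On" else "suspended"


def filevault_state(status_text):
    """Classify a Mac from `fdesetup status` output."""
    if "in progress" in status_text:
        return "converting"
    return "protected" if "FileVault is On" in status_text else "unprotected"


def noncompliant(fleet):
    """fleet maps hostname -> (tool, output); return hosts not fully protected."""
    check = {"bitlocker": bitlocker_state, "filevault": filevault_state}
    states = {host: check[tool](out) for host, (tool, out) in fleet.items()}
    return {host: s for host, s in states.items() if s != "protected"}
```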
Leapfrog helps clients choose and implement the right types of encryption and MFA policies for their unique needs. We consider these policies baseline when it comes to managing security for businesses in today’s high-risk environment. If you want help or advice about protecting your critical data, including your financial, HR and customer data, or about managing your network security, please contact us here at Leapfrog — we’re happy to help.