If your business has a traditional IT environment or a hybrid environment that blends a traditional IT environment with cloud services, it helps to think about protecting it like you would protect a fort. Don’t let the bad guys come over your walls!
Here’s how to fortify your IT traditional ecosystem to stave off breaches, thieves, and even attackers from inside:
1. Equip your army
Everyone who’s inside your fort (your company) needs to understand what’s at stake and their role in cybersecurity. One employee acting carelessly with login credentials or internet clicks can undermine all the hard work and expense you’re putting into hardening your IT ecosystem — it’s like inadvertently opening the drawbridge.
Starting now, educate every employee by:
- Developing clear, understandable, written policies and procedures and updating them each year
- Investing in security awareness training that’s interesting, interactive, and self-directed (don’t worry, it’s affordable)
- Keeping everyone up to date on new social engineering techniques — it’s much easier to fool a person than to break through a firewall
2. Build your moat
Physical security in the IT world means creating and monitoring a barrier around your physical environment with IT-enabled access control systems, such as surveillance cameras and doors that require badges to unlock. You can see (and log) who’s coming and going from specific (or all) areas of your building. And you can revoke access and trigger alarms with just a few keystrokes.
3. Position the sentries
Use the right devices and tools to guard your IT perimeter:
- Firewalls — IT hardware that runs 24/7/365 to block out bad traffic, let in good traffic, and help you manage security by providing data on intrusion attempt patterns. Next-generation firewalls are best.
- Unified Threat Management (UTM) — Device that guards against many kinds of risks, including data leaks, intrusions, viruses, malware, web content, and other threats, all in one piece of equipment. Choose a UTM that’s highly rated and have it managed by professionals who specialize in your particular device.
- Captive portal — Tool that allows only safe, updated devices to connect to your network. Other devices are “held captive” and only allowed to operate in a certain area of your network until they’re secured.
- Virtual Private Network (VPN) — Provides a secure, encrypted tunnel for private communications over the public internet. This can be critical if your company lets workers connect to your network remotely.
4. Pull up the drawbridge
Your operating system (OS) is the doorway into your company’s riches. It absolutely must be secure, stable, and reliable — that’s why IT professionals were going nuts when companies still ran Windows XP after long support had ended (and will likely do the same when Microsoft ends Windows 7 supports on Jan 14, 2020). Password management and multi-factor authentication are critical to protecting access to your platform.
5. Hide the jewels
Do not leave your data in plain sight, whether it’s at rest or in transit — encrypt it! And maybe build a private network with private encryption, if your risk warrants it. Your cybersecurity consultant can help you decide what to encrypt and when to encrypt it. Then, monitor the encryption status of your entire IT ecosystem.
6. Barricade the tunnels
What’s the best way to find out where your applications are vulnerable? Hire a professional to try and break in. Penetration testing finds secret entries into your network, and vulnerability scanning tools detect new problems — application updates and new applications (especially off-the-shelf apps) can come with unintended consequences. Harden your applications by closing each hole. And do the same with your antivirus apps.
7. Check their papers
Your CEO, accountants, sales reps, and receptionist all have different needs to know. And so do your visitors. To prevent being attacked from the inside, segment your network into different areas and require permission to access each area or transfer data between areas — just like military checkpoints. The more checkpoints, the more control you have. Tools that protect your internal network include:
- Internet Protocol Security (IPSec)
- Port-level security
- Network Intrusion Detection Systems (NIDS)
When your company secures and actively manages all seven IT areas, you are covering all your bases to keep your IT fort and jewels secure.
Keep in mind that these seven layers of cybersecurity apply to centralized infrastructures where you know where your information is located and you have a physical location (your building) where your employees work. As you integrate more cloud-based services and remote workers into your environment, you’ll need to add more layers of security because your data and workers are spread out across the cloud and, possibly, the globe. You want your knights to have access to your jewels but not anyone else! Enhanced security for cloud-based technologies adds extra steps to identify users and the zero trust model is likely the way of the future for most hybrid-cloud IT environments.
Leapfrog has been helping our clients navigate cybersecurity layers since we first opened our doors 20 years ago. No two clients are the same — your organization has its own way of doing things and sets of challenges to address. The objective of our managed security and compliance services is to protect your organization while keeping it productive. The right balance is important. You want to be secure but you don’t want to outspend your actual risk. To have a conversation about how we can help project your kingdom’s jewels from external threats and internal ones, too, please contact us today.
If you liked this post, don’t forget to subscribe to FrogTalk, our monthly newsletter.