How do I know if my company needs a computer IT Network Security Assessment?
Posted on May 9, 2016 in IT Security, IT Security Assessment
This question can be easily answered be asking yourself if you have not had one performed for you in the last year or ever. If that is the case, the answer would be unequivocally YES!
IT and computers, like many other facets of your business, are not “set it and forget it” devices like a fax machine or a stapler. IT systems have changes being made to them on a daily basis and must have regular attention paid to them in order to keep them from harm’s way and your system running smoothly. Just because something terrible has not happened to your IT systems yet does not mean that your system is forever free and clear and does not need any attention. It really means that you been dodging the bullet and the inevitable significant “game-changer” is not far around the corner.
The most common items that are overlooked on a network / IT system and which can cause major issues are user password policy (passwords not set to expire on a regular basis, not required to be 7 characters or better), system security updates policy (is there an actual plan for regular deployment of updates?) and end-user awareness training. Believe it or not, not addressing or forgetting about these mundane items are what the Internet “bad guys” are hoping for. These are the sort of vulnerabilities that they love to see—old user accounts not disabled, users with easy to guess passwords and in the case of MedStar Health—an unpatched network server and workstation.
You may be saying to yourself that “we are just a small entity” no one wants our data or information.” On the Internet, however, your network is just a number (IP address) much like a house address is to the post office. Your “house” has windows and doors which are called ports.
Do you even know where your Internet firewall is located in your office and how do you know whether your Internet protection device is up-to-date with the latest security firmware updates?
Of the most important security devices in your office should not go unchecked for months or even years. You should keep this unit up-to-date with a support contract from the vendor and by applying regular firmware updates. Having it tested with an external penetration test is equally important.
How old it is or is it even a supported device with the hardware manufacturer any longer?
Your security appliance / firewall should be replaced as often as a desktop computer – every three years or so to ensure that you are taking advantage of the latest security and protection technologies.
Internet ports are only a small fraction of the way risks can be introduced into your network.
Other items at which to look are (and there are MANY more than these):
Poor Data Backup Strategies / Disaster Recovery
Is there even a plan to test the backups or a plan to recover from a significant IT security event? You should have a layered approach to data backup and it should be automated, not manual, and should also include some sort of disaster recovery data restore option.
Remote Access / Employees in the Field / Cloud Computing
Are users in the field or working from home offices updated on a regular basis? Are they using public hot-spots for Internet access? Data in the cloud seems nice and convenient but who is looking at your data as it resides on the vendor’s servers? Have you reviewed your service level agreement with your vendor? What happens if they have a “gotcha” virus moment like a large entity like MedStar? How long does it take to get your data back if the vendor gets bought out by another company and the new company discontinues your cloud offering as a way of killing the competition?
Your business should have a well thought out and concise remote access policy for remote users and the computers that they use should be company-owned so that your IT personnel can dictate security policy on them.
Is there a company-wide policy for use of smart-phones and remote data sync? Do the phones even have the security lock feature turned on? On an iPhone, if not, the data on the phone is NOT encrypted. Same as with remote computer users, the smartphones that your company employees use should be company owned and administered. You cannot tell your employees to be smart and security aware if you do not own it.
Is there an employee who is not happy about not getting a promotion? Did he /she have a greater level of data security access than they should have given their job description? Threats from within should be of great concern. You need to keep your finger on the pulse of your staff and to have formal policies as to what needs to be done from an IT perspective before you make someone an ex-employee.
So, to answer the question presented to you at the beginning of this post, “How do I know if my company needs a computer IT Network Security Assessment?” With all of the moving parts of an IT system, the better question is, “Can I afford not to?”