Where to start
“There are two types of businesses; one that’s been hacked and one that doesn’t know they’ve been hacked”
– a paranoid security dude.
10 years ago security was simple: secure your perimeter, block everything and be on the lookout for Stuxnet-style USB keys littering the employee car park. In those days mailboxes were measured in megabytes and the most popular mechanism for moving data was USB. Fast forward to today and I haven’t had a laptop in years that’s had a DVD drive, and I often find myself staring at the cassette player in my car wondering what it once did.
The perimeter has shifted. Or perhaps it’s more accurate to say that the perimeter has become more porous. The question is no longer what’s accessible externally, it’s what’s available and how can we prevent leaks, malicious or otherwise. The questions I often find myself working through with my customers are:
- What can’t you afford to lose?
- What would hurt if it were exposed?
On top of these I’d throw in some of the standard continuity planning questions around how long their business could survive without key systems. Responses vary, ranging from a casual shrug of the shoulders to a terse, pinched look on their forehead. You could easily guess from these reactions who has been stung before.
The truth is that security is a trade-off between inconvenience and protection, and it doesn’t take much to tip the scales towards either inefficient or ineffective (think of the TSA and their security kabuki, or a DMZ with more holes in it than an overused sponge). People don’t want to lose data, but they’re also not willing to be inconvenienced, and so they will often veer towards doing nothing; security is a lot like oxygen, you don’t notice it until there isn’t any.
So how does one navigate this balance? One approach we at Azured find successful is by setting a “lowest common denominator” level of security with simple and non-invasive measures such as firewalls and filters at the perimeter, paired with teaching users a healthy scepticism of the unknown whilst building a strong communications channel with your IT team. You want your users to come to you first before clicking that suspect link from a bank they’re not a customer of.
Using these tools you’ll begin to get a baseline of your environment and an understanding of the common attack vectors for your business. Paired with the likes of Microsoft’s Cloud App Security, you’ll also gain a solid understanding of what’s happening in your environment, and you can then take a case-by-case approach to further enhance its security, identifying outlier users and granting them enhanced protections (such as multi-factor authentication).
Where you go from here is as interesting as it is expansive as you delve deeper into endpoint security: neatly weaving in data and logs from your authentication and network devices, and constructing a behavioural baseline for your users to better detect and protect against unwanted intrusions.
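To make the “behavioural baseline” and “outlier users” idea from the last two paragraphs concrete, here is an added example that is not Azured’s or Microsoft’s code. It learns, per user, the countries, devices and hours of day seen in a run of known-good sign-in logs, then flags new sign-ins that depart from that baseline and lists the users who are candidates for stepped-up protection such as MFA. The log line format (`timestamp user=… country=… device=… result=…`) and every value in it are constructed for the example; a real deployment would feed in sign-in exports from your identity provider instead.

```python
"""Toy behavioural baseline over sign-in logs (added illustration).

Not Azured's or Microsoft's code. The log format and all values below are
constructed for the example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed "known good" sign-in history for two users (UTC timestamps).
HISTORY_LOG = """\
2024-03-04T08:12:00Z user=alice country=AU device=LT-0412 result=success
2024-03-04T17:40:00Z user=alice country=AU device=LT-0412 result=success
2024-03-05T09:03:00Z user=alice country=AU device=LT-0412 result=success
2024-03-05T22:15:00Z user=bob country=AU device=LT-0199 result=success
2024-03-06T23:02:00Z user=bob country=AU device=LT-0199 result=success
2024-03-06T07:55:00Z user=bob country=NZ device=MOB-77 result=success
"""

# Constructed new events to score against that baseline.
NEW_LOG = """\
2024-03-11T08:30:00Z user=alice country=AU device=LT-0412 result=success
2024-03-11T03:10:00Z user=alice country=RU device=UNKNOWN-1 result=success
2024-03-11T23:30:00Z user=bob country=NZ device=MOB-77 result=success
2024-03-11T12:00:00Z user=carol country=AU device=LT-0500 result=success
"""

HOUR_SLACK = 2  # an hour within +/-2h of any baseline hour counts as normal


def parse_log(text):
    """Parse 'ts key=value ...' lines into dicts, adding the integer UTC hour."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["hour"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
        events.append(ev)
    return events


def build_baseline(events):
    """Per-user sets of seen countries, devices and sign-in hours (successes only)."""
    baseline = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for ev in events:
        if ev.get("result") != "success":
            continue  # failed attempts must not teach the baseline
        b = baseline[ev["user"]]
        b["countries"].add(ev["country"])
        b["devices"].add(ev["device"])
        b["hours"].add(ev["hour"])
    return dict(baseline)


def score_event(baseline, ev):
    """Return the list of ways this event departs from the user's baseline."""
    b = baseline.get(ev["user"])
    if b is None:
        return ["no_baseline"]  # first sighting of this account: review, don't trust
    reasons = []
    if ev["country"] not in b["countries"]:
        reasons.append("new_country")
    if ev["device"] not in b["devices"]:
        reasons.append("new_device")
    # Circular distance on a 24h clock so 23:00 and 01:00 are 2h apart, not 22h.
    far = all(min(abs(ev["hour"] - h), 24 - abs(ev["hour"] - h)) > HOUR_SLACK
              for h in b["hours"])
    if far:
        reasons.append("unusual_hour")
    return reasons


def find_outliers(history_text, new_text):
    """Map each user to the (event, reasons) pairs that were flagged in new_text."""
    baseline = build_baseline(parse_log(history_text))
    flagged = defaultdict(list)
    for ev in parse_log(new_text):
        reasons = score_event(baseline, ev)
        if reasons:
            flagged[ev["user"]].append((ev, reasons))
    return dict(flagged)


def mfa_candidates(history_text, new_text):
    """Users with at least one flagged event: the 'outlier users' to step up to MFA."""
    return sorted(find_outliers(history_text, new_text))


if __name__ == "__main__":
    for user, hits in find_outliers(HISTORY_LOG, NEW_LOG).items():
        for ev, reasons in hits:
            print(f"{user}: {ev['country']} {ev['device']} {ev['hour']:02d}:00 -> "
                  f"{', '.join(reasons)}")
    print("step-up MFA candidates:", mfa_candidates(HISTORY_LOG, NEW_LOG))
```

Run as a script, it flags alice’s 03:10 sign-in from a new country on an unknown device, and carol because she has no history at all; bob’s late-evening sign-in from NZ on his phone matches his baseline and passes. The point of the toy is the shape of the logic, not the thresholds: a real baseline would be built from weeks of data, would weight rarer signals, and would feed a step-up (MFA prompt, review) rather than a hard block, which is the “case by case” enhancement the text describes.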
Ultimately security is a dance with businesses constantly on the back foot and, like many things within IT, it cannot be combated with technology alone. Technology won’t stop you from giving away your personal details over the phone, but good process just might.
The key is to understand where you’re at, what’s important, where you want to go and, most importantly, to remember your users in this process, as a security system that isn’t used is just a waste of time, money and effort.