The toughest part about helping clients stay secure probably isn’t what you think.
Human beings aren’t always very good at evaluating risk, and our blind spots tend to get us into trouble when it comes to securing the workplace. When we first sit down with clients, they often believe either their organization is too insignificant to be of interest to hackers or that cybercriminals are so powerful that there’s very little point to prevention. Both viewpoints are misguided.
It’s not only possible to secure the modern office, it’s more straightforward than many people believe. But first, you need to help your clients understand where the risks really are.
Companies today are required to handle more sensitive information, not only on their local servers but also in their communication channels and through a large assortment of software-as-a-service (SaaS) vendors. These IT solutions are used to conduct key business functions, so any disruptions can be catastrophic. In addition, the modern workforce is much more remote, so all of this data must be accessible through many different types of mobile devices, computing platforms, and a growing collection of internet-of-things (IoT) devices.
The result of this perfect storm is that cybercrime has become a highly profitable industry, one whose estimated revenue is often compared to that of the illegal drug trade. As long as it remains this easy for criminals to infect systems with ransomware or harvest credentials through phishing, it will stay profitable and commonplace. But that doesn’t mean it’s unavoidable.
Here are my top recommendations to safeguard the modern office from external and internal threats to data, tools, and systems:
- Require unique accounts with MFA for all users so that you can perform accountability reviews, contain incidents, and audit ongoing use
- Frequently review employees’ access to data so they only have what they need to perform their current role
- Replace or supplement traditional signature-based antivirus with endpoint detection and response (EDR) software, which watches for suspicious behavior (credential dumping, mass file encryption, unusual child processes) in addition to blocking known malicious code, and gives responders the telemetry to see what happened on a device
- Remove any and all unsupported (end-of-life) software and systems from the environment; because they no longer receive security patches, they are often the easiest foothold from which attackers reach more critical systems
- Have a patch management solution in place to help protect operating systems, third-party apps, databases, and servers
- Get single sign-on (SSO) in place to make user management and workflows more efficient while allowing you to shut off a departing or compromised user’s access to every connected platform in one place; because SSO concentrates that power in the identity provider, protect its admin accounts with MFA and review its logs
- Configure all user workstations to auto-lock and implement a clean desk policy
- Invest in a security information and event management (SIEM) solution to monitor and respond to alerts, including those that occur after hours
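The account and access recommendations above (unique accounts with MFA, periodic review of who holds what) are routinely scripted against a directory or identity-provider export. The following is an added example, not code from the original article or any particular product: it reads a constructed CSV export (the column layout, the role-to-entitlement baseline and the 90-day dormancy threshold are all assumptions for illustration) and produces findings for entitlements outside a user’s role baseline, accounts without MFA, and accounts that are dormant or have never signed in.

```python
"""Access review over a directory/IdP export (added example, assumed format)."""
import csv
import io
from datetime import date

# Constructed sample export (not real data). The column names mimic a
# generic directory/IdP CSV export; the exact format is an assumption.
SAMPLE_EXPORT = """\
user,role,groups,mfa_enrolled,last_login
alice,accountant,erp_read;erp_post;email,yes,2024-05-30
bob,engineer,repo_write;ci_run;email;domain_admins,yes,2024-06-01
carol,helpdesk,ad_password_reset;email;erp_post,no,2024-01-15
scanner,service,email,no,
dave,accountant,erp_read;email,yes,2023-11-02
"""

# Assumed least-privilege baseline: the entitlements each role legitimately
# needs. Anything a user holds beyond this list is flagged for review.
ROLE_BASELINE = {
    "accountant": {"erp_read", "erp_post", "email"},
    "engineer": {"repo_write", "ci_run", "email"},
    "helpdesk": {"ad_password_reset", "email"},
    "service": {"email"},
}


def parse_export(text):
    """Turn the CSV export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user": row["user"],
            "role": row["role"],
            "groups": set(filter(None, row["groups"].split(";"))),
            "mfa": row["mfa_enrolled"].strip().lower() == "yes",
            "last_login": (date.fromisoformat(row["last_login"])
                           if row["last_login"] else None),
        })
    return rows


def review_access(rows, today, dormant_days=90):
    """Return (user, finding, detail) tuples for anything a reviewer should act on."""
    findings = []
    for r in rows:
        baseline = ROLE_BASELINE.get(r["role"])
        if baseline is None:
            # A role nobody has defined a baseline for cannot be reviewed.
            findings.append((r["user"], "unknown_role", r["role"]))
            baseline = set()
        excess = r["groups"] - baseline
        if excess:
            findings.append((r["user"], "excess_entitlement", ";".join(sorted(excess))))
        # Service accounts usually cannot do interactive MFA; they still show up
        # here so that someone decides how they are protected instead of forgetting them.
        if not r["mfa"]:
            findings.append((r["user"], "mfa_not_enrolled", ""))
        if r["last_login"] is None:
            findings.append((r["user"], "never_logged_in", ""))
        else:
            idle = (today - r["last_login"]).days
            if idle > dormant_days:
                findings.append((r["user"], "dormant", str(idle)))
    return findings


if __name__ == "__main__":
    for user, finding, detail in review_access(parse_export(SAMPLE_EXPORT), date(2024, 6, 10)):
        print(f"{user:10} {finding:20} {detail}")
```

On the sample data this flags bob’s membership in domain_admins (not part of the engineer baseline), carol’s erp_post group plus her missing MFA and five months of inactivity, the never-used scanner account, and dave’s dormant account; alice produces no findings. The point of scripting the review is that it runs the same way every month rather than only when someone remembers.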
These recommendations don’t just come from me. There are two powerful groups working on solutions to help organizations of all shapes and sizes stay secure. The National Institute of Standards and Technology (NIST) has put together a Cybersecurity Framework (NIST CSF) that’s available online, and the Center for Internet Security (CIS) has grouped the safeguards in its CIS Controls into Implementation Groups based on an organization’s size, resources, and risk profile. Small to midsize organizations should at the very least consider the 56 safeguards in Implementation Group 1 (IG1), which CIS describes as essential cyber hygiene.
Simply implementing these basic cybersecurity hygiene safeguards defends against the most common attack techniques, but that’s not always easy for small organizations with very small or chronically overwhelmed IT departments. This is why many IT providers offer cybersecurity assessments to help organizations evaluate their current state of preparedness.
This may sound counterintuitive, but it’s in the best interests of IT providers to be generous with their time and their resources. It is infinitely better to help keep customers safe before an incident than help them recover from a disaster. And when we work together to make it harder for cybercrime to be profitable, everyone’s jobs get easier.
Print security risks
Print security is frequently ignored, and hackers would love to keep it that way, as modern business printers run software, have storage that retains print and scan jobs, and, best of all, they’re connected to the network and systems. An unsecured printing device can therefore let an attacker capture the documents that pass through it, and it can also serve as a convenient, rarely monitored foothold from which to launch more sophisticated attacks, including ransomware.
Fortunately, implementing print security is less complicated than it sounds:
- Consider follow-me printing solutions (also known as pull printing or secure print) that will require users to authenticate themselves at the device before producing a document
- If secure print isn’t a good fit for an organization, smaller printing devices can be kept in locked areas that are only accessible by authorized personnel
- Keep printer firmware updated
- Stop using any printing equipment that’s no longer receiving security updates from the manufacturer
- Replace any unsupported printers employees are using at home, manage company-issued devices through a cloud print or device-management service where possible, and route remote printing over a virtual private network (VPN) rather than exposing a printer to the internet
- Configure a printer’s security settings when you begin using it: change the default admin password, disable unused network services and protocols, and restrict the web admin interface to the network segment IT uses. Make sure devices no longer contain any sensitive data before you decommission them. If you use a third party to wipe hard drives, be sure to get and retain a certificate that verifies this occurred.
- Shred sensitive documents when they’re no longer needed. Always use cross-cut shredders, and stay away from older strip-cut (ribbon) shredders, whose output can be reassembled.
Print security is evolving very quickly, and so are print-related threats. All of these solutions can be implemented internally, but they shouldn’t get put on the back burner.
Physical security risks
Cybercrime and print security threats get a lot of attention when it comes to workplace security, but an intruder or a disgruntled (or simply curious) employee can get an organization’s name in the papers for all the wrong reasons.
Every workplace is different, but these are a few basic physical security measures to keep in mind:
- Identify all entry and exit points and how people are moving through the building, and restrict access to critical areas
- Implement a visitor policy where guests are required to check in and check out, wear a badge, and get escorted through sensitive areas
- Require company-issued access cards or fobs to limit the staff’s ability to enter certain areas at certain times
- Consider video surveillance; not only is it a good deterrent, but it also allows an organization to review an incident and collect evidence
- Set up automated alerts from the access-control system (after-hours badge use, repeated denied swipes, doors held or forced open) and implement a review process to evaluate any anomalies
It’s also important to understand that the best security solutions in the world aren’t effective if they aren’t used. It’s natural for people to want to simply follow another employee through an open door without swiping their badge. It doesn’t seem like a big deal until that one time out of a thousand when this seemingly innocuous behavior allows an intruder to access the space.
Don’t allow tailgating or tagalongs through secured doorways, and try to cultivate a culture that promotes security.
How to create a security culture
Just one careless click, a propped-open door, or a password on a notepad can invite disaster. But we human beings are careless by nature. We get distracted easily, and we sometimes do things when we’re in a rush that we wouldn’t do normally. If we’re being honest, we’re all tempted to skirt some rules now and then to save a few seconds. It seems harmless, but in the modern workplace, it isn’t.
You’re not about to change human nature any time soon, but you can modify behavior.
These recommendations will help your customers to build a security culture:
- Invest in regular security awareness training; organizations that train consistently, and measure the results with simulated phishing, see markedly fewer security incidents than those that train once and move on
- Make sure leadership is also invested in and modeling security best practices
- Encourage staff to alert the appropriate personnel to a suspicious person or to verify that an email is legitimate
- Carefully vet any vendors that have access to the company’s systems, data, or physical space
- Don’t skip over administrative tasks, like background checks and keeping the company incident response plan and IT policies up to date
- Develop a business continuity plan to minimize downtime and financial hardship in the case of a disaster, like a flood or fire
- Investigate any single points of failure that could cause a significant disruption to a business, and prioritize alternate resources or failover needs
Human beings may not be good at evaluating risk, but we’re very, very good at inventing ways to save time. We get frustrated easily when we feel like our time is being wasted, which is why most people don’t exactly look forward to new security policies or tools. So when you add a new requirement, like MFA or secure printing, it’s important to make user authentication as quick and easy as possible and help everyone in the organization understand why it’s important. Sure, swiping a badge takes an extra second or two, but so does locking the door of your house.
Similarly, security awareness training can be remarkably effective, but long, boring lectures are a turn-off. There are many companies that specialize in making security awareness interesting and engaging, and, not surprisingly, they get much better results.
Employees can be one of a company’s biggest liabilities, or they can be one of its greatest security assets. You can help your customers ensure they are the latter.
Charles Brandt is a Twin Cities based Security Consultant at Marco Technologies. Before joining the company, he served as an IT director, project manager, and business owner. Focused on real-world application of cybersecurity frameworks across multiple industries, Charles has extensive experience in risk analysis, incident response planning, cybersecurity program evaluation and roadmap development, and stakeholder communication.