In this series, we’re looking at the different types of technology risk. Our last post covered External Attacks, and the need for a coordinated, multi-front effort to protect your network.
Information can be a company’s most critical asset, and protecting it against unauthorized access needs to be a top priority when addressing IT security. Unauthorized access can originate from outside the firm or inside, and measures are required to prevent both.
As we discussed in Post 1, properly configured firewalls and log monitoring are essential to protecting the corporate network from unauthorized external access.
Companies that store sensitive data, including client details and credit card numbers, need to take specific steps in both storing and transmitting this information. Companies should familiarize themselves with applicable regulations, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Payment Card Industry (PCI) Data Security Standards. Industry-specific regulations such as the Health Insurance Portability and Accountability Act (HIPAA) may also apply.
While external threats are real, the greatest risk to your company data is more than likely your employees. Forrester Research estimates that up to 85 percent of enterprise security breaches involve internal people and resources. And according to Gartner, “organizational costs of a sensitive data breach will increase 20 percent per year over the next two years.”
Putting the appropriate controls in place can greatly reduce the likelihood that you will face an internal security breach. Richard Stiennon at IT-Harvest put it best when he said ‘Identity and Access Management tools are the single most valuable defense you have against the insider threat’. Some best practices in this area include:
– Clear guidelines and processes for requesting file access and establishing group policy
– Requirements for strong passwords, forced scheduled password changes, and auto-screen locks
– Web security and content filtering
– A well-defined employee exit process to ensure ex-employees do not retain access to corporate networks after their departure
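Two of the practices above (scheduled password changes and the employee exit process) only work if someone periodically checks that they actually happened. The script below is an added example, not code from the original post or from 365 Technologies, showing what such an access review looks like in practice: it reconciles a directory export of user accounts against an HR roster and reports ex-employees whose accounts are still enabled, accounts that no one in HR owns, and passwords older than the policy allows. The roster, the account list, the 90-day maximum password age and the field layout are all constructed assumptions for this example; a real review would read these from the HR system and the directory service.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data (assumption for this example, not from the original post).
# HR roster: login -> (employment status, termination date or None)
HR_ROSTER = {
    "asmith": ("active", None),
    "bjones": ("terminated", date(2024, 3, 15)),
    "cwong": ("active", None),
}

# Directory export: (login, account enabled?, password last set, group memberships)
DIRECTORY_ACCOUNTS = [
    ("asmith", True, date(2024, 5, 1), ["staff"]),
    ("bjones", True, date(2023, 12, 1), ["staff", "finance"]),     # left the company, still enabled
    ("cwong", True, date(2023, 10, 20), ["staff"]),                # password older than policy
    ("svc_backup", True, date(2022, 1, 1), ["backup-operators"]),  # no HR owner at all
]

# Assumed policy: passwords must be rotated at least every 90 days.
MAX_PASSWORD_AGE = timedelta(days=90)

# Fixed review date so the example is reproducible offline.
SAMPLE_TODAY = date(2024, 6, 1)


@dataclass(frozen=True)
class Finding:
    login: str
    issue: str    # short machine-readable category
    detail: str   # human-readable explanation for the reviewer


def review_access(roster, accounts, today, max_password_age=MAX_PASSWORD_AGE):
    """Compare directory accounts with the HR roster and return a list of Findings.

    Checks performed:
      * orphaned-account      - account exists but HR has no record of the person
      * ex-employee-enabled   - HR says terminated, account is still enabled
      * password-expired      - enabled account whose password is older than policy
    """
    findings = []
    for login, enabled, pwd_last_set, groups in accounts:
        hr_record = roster.get(login)
        if hr_record is None:
            # Service or leftover accounts with no owner are a common place for
            # forgotten access to accumulate; they need a named owner or removal.
            findings.append(Finding(login, "orphaned-account",
                                    f"no HR record; groups={groups}"))
            continue

        status, term_date = hr_record
        if status == "terminated" and enabled:
            days_since = (today - term_date).days
            findings.append(Finding(login, "ex-employee-enabled",
                                    f"terminated {days_since} days ago; groups={groups}"))

        if enabled and (today - pwd_last_set) > max_password_age:
            age_days = (today - pwd_last_set).days
            findings.append(Finding(login, "password-expired",
                                    f"password age {age_days} days exceeds {max_password_age.days}"))
    return findings


def run_review():
    """Run the review over the constructed sample data with the fixed review date."""
    return review_access(HR_ROSTER, DIRECTORY_ACCOUNTS, SAMPLE_TODAY)


if __name__ == "__main__":
    for f in sorted(run_review(), key=lambda f: (f.login, f.issue)):
        print(f"{f.login:12} {f.issue:22} {f.detail}")
```

Running the review on the sample data flags bjones (enabled after termination, and an overdue password), cwong (overdue password) and svc_backup (no HR owner), while asmith produces no findings. The useful design point is that the ex-employee check keys off the HR system's record rather than the directory's own state: the directory cannot know someone has left, so the exit process has to feed that fact into the review.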
If you don’t have a security plan in place, or need some guidance on where to start, get in touch – we’d be happy to help.
In our next post, we’ll look at Technology Risk #3 – Loss of use / Downtime.
If you’d like to keep up-to-date with our posts, you can follow us on Twitter (@365tech).