Security in Layers
1 Sep, 2015 By: Eric Stavola, MCSE, MCSA, N+, CDIA+
If recent studies are correct, most companies will experience some sort of cyber-attack this year, and if hit once they will likely be hit again, having detrimental impacts on an organization.
- The most expensive virus to date has been MyDoom, estimated to have caused $38.5 billion worth of damage.
- The Ponemon Institute found the average annualized cost of cybercrime incurred by a benchmark sample of U.S. organizations was $12.7 million, a 96% increase from 5 years ago.
Recently, I was in strategy discussions with both the Superintendent and Director of Technology for a large school district. The topic of Cloud Computing and concerns about IT Security naturally came up. I was asked by the Director of Technology, “How can I be guaranteed in writing that my information will be 100% safe in the Cloud?” I immediately turned to the Superintendent and offered this comment: “Mr. Z, I plan to send my daughters to this school, but before I do, I want you to guarantee to me in writing that they will be 100% safe at all times while on this campus.” He laughed sheepishly while realizing the reality of the analogy.
Overcoming security concerns is all about educating the customer.

Key Concept: Security Comes in Layers
The term Information Security describes the tasks of guarding digital information, which is typically generated by a computer or mobile device and stored on a hard drive, in the Cloud, or on other storage media. When data and information are described as "secure", that tells the user, or in some cases your client, that protective measures have been properly implemented. When talking to any IT/MIS personnel about security, keep in mind that we are simply talking about keeping information or data secure.
There are 3 key characteristics of information that must be protected at all times:
Confidentiality, Integrity & Availability (CIA)
CIA is a widely used benchmark for evaluation of information systems security, focusing on the three core goals of confidentiality, integrity and availability of information.
While it's easy to get lost in perceived and actual security vulnerabilities in cloud computing, remember that 59% of employees steal proprietary corporate data when they quit or are fired. The point is that effective data security is a collaborative effort, and companies should take action, just as the superintendent of any school district has taken considerable steps to make the school district secure, e.g., locks, fences, alarms, policies, procedures, etc.
7 steps to make migration to the cloud safe:
- Institute a security policy, including documentation of data handling procedures specific to your company or organization.
- Physically secure all computing and data storage equipment that houses or transmits the organization’s data and sensitive information.
- Make sure access to the data center is restricted to authorized personnel.
- If utilizing a cloud partner, be sure they’re compliant and so are you: SSAE 16, HIPAA, PCI, etc. will give you confidence that the company follows the most rigorous standards for controls & safeguards available when hosting or processing your data.
- If using a data center, make sure all data will be encrypted before it leaves a facility and during transit.
- Mitigate mobile computing and Bring Your Own Device (BYOD) risks by utilizing disk encryption to protect data in the event of loss or theft, as well as implementing data security controls on all mobile devices with a mobile device management solution.
- Perform regular staff training to ensure awareness of:
  - Proper handling of confidential information & the equipment that accesses that information.
  - Proper password management, including use of complex passwords & regular resetting of network passwords (e.g., every 90 days).
  - Any changes to security policies or procedures.
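The "encrypt before it leaves the facility" step above is the one that most directly protects confidentiality and integrity (the C and I of CIA) once data is in someone else's data center. The following Go program is an added example, not code from this article or from any product the author describes: it seals a record with AES-256-GCM on the organization's side, so the cloud provider only ever stores ciphertext, and shows that any modification in transit or at rest, or a blob swapped under a different storage name, is rejected on the way back. The function names (NewDataKey, Seal, Open, Tamper), the storage path and the sample record are all constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewDataKey generates a random 256-bit AES key. The key is the one thing that
// must stay inside the organization's own facility (or a key service the
// organization controls); it is never uploaded alongside the data.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds the AES-GCM AEAD for a 16/24/32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record before it leaves the facility. objectName (the path
// the blob will be stored under at the provider) is bound in as additional
// authenticated data, so a blob that is later presented under a different
// name fails verification. Output layout: nonce (12 bytes) || ciphertext || tag (16 bytes).
func Seal(key, plaintext []byte, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext+tag to the nonce slice, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open verifies and decrypts a blob produced by Seal. Any change to the nonce,
// ciphertext or tag, or a mismatched objectName, yields an error and no
// plaintext: an integrity failure is a hard stop, not a warning.
func Open(key, blob []byte, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to be a sealed object")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

// Tamper returns a copy of blob with one bit flipped at index idx, standing in
// for corruption or modification while the data is in transit or at rest.
func Tamper(blob []byte, idx int) []byte {
	out := append([]byte(nil), blob...)
	out[idx] ^= 0x01
	return out
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record and storage path; not real district data.
	name := "district/records/2015-09/student-0001.txt"
	record := []byte("student-id=0001;name=Jane Doe;grade=7")

	blob, err := Seal(key, record, name)
	if err != nil {
		panic(err)
	}
	fmt.Printf("what the provider stores (%d bytes): %x\n", len(blob), blob)

	back, err := Open(key, blob, name)
	fmt.Printf("authorized read back: %q (err=%v)\n", back, err)

	_, err = Open(key, Tamper(blob, len(blob)-1), name)
	fmt.Println("tampered blob rejected:", err != nil)

	_, err = Open(key, blob, "district/records/2015-09/student-0002.txt")
	fmt.Println("blob under wrong name rejected:", err != nil)
}
```

The design point is the trust boundary: the provider receives only the sealed blob, the key never leaves the organization, and a fresh random nonce per record means two identical records do not produce identical ciphertext. Binding the storage path as authenticated data is what turns "encrypted" into "encrypted and verifiably the object we asked for".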
Eric Stavola is IT certified with MSCIS, MCSE, MCSA, MCPS, N+, CDIA+ and is an executive IT consultant with a leading OEM. Contact him: (619) 455-2732 or firstname.lastname@example.org