IT security strategy: Help clients build these three pillars
User education, access management and data backup are the three pillars of a sound security strategy that partners should build and reinforce for their customers.
Security is always a work in progress. Every time you think you have all the bases covered, cybercriminals come up with new ways to exploit companies. That's why businesses, especially those that handle highly sensitive data such as healthcare providers, must remain ever-vigilant to protect themselves.
To achieve a solid security stance, businesses need reliable security technology, but it doesn't end there. IT service providers must work with them on building and reinforcing three main pillars that must be in place for a sound IT security strategy -- user education, access management and data backup.
1. User education
Humans are the weakest link in any IT security strategy. Ignoring this reality is what leads to businesses getting hit with destructive malware such as ransomware, which encrypts user files and demands ransom to restore access to the data. That's why businesses need to invest in training to condition users against dangerous behaviors.
A new breed of vendors is providing training that goes beyond clicking answers on an online quiz. For instance, phishing simulations teach users how to spot phishing emails. Rather than repeatedly telling users not to click on potentially infected URLs or attachments, vendors send them simulated phishes to see if they spot and report them or go ahead and click. The same tactic is being employed for other types of social engineering, with vendors calling clients to see if they can bait them into revealing private information.
Users who fail the tests are identified for retesting so that they continue to get the necessary training until their behavior changes.
2. Access management
Managing access to sensitive files is critical to safeguarding private data, intellectual property and trade secrets. The first step is to determine which users need access to what data and give them privileges to only the files they need to do their jobs. The Health Insurance Portability and Accountability Act makes this a requirement for any organization that handles medical records and patient files, such as doctors' offices, clinics and pharmacies.
Besides helping achieve compliance where applicable, access restrictions are a good practice regardless of industry. If Bob in human resources has access to only the files and systems he uses to do his work, his chances of infecting Susie in accounting, should his system get hit with ransomware, are reduced.
Aside from restricting access, companies need to help users better manage their passwords. Users have as many as 20 passwords to access different systems, and you can't expect them to remember 20 strong passwords containing at least eight characters, lowercase and uppercase letters, numbers and symbols. Password management tools that require users to memorize a single password to access all others solve this problem. The temptation to write passwords down in easily accessible places or reuse them for multiple systems goes away.
3. Data backup
Your data is your business. Companies that fail to back up on a regular basis put their businesses at risk. Clients may not always understand the importance of backing up data, but solution providers should explain the need for a robust backup solution. Preferably, solution providers should implement automated backups to send copies of critical business data to off-site locations with the redundancy and rapid recovery that today's businesses need.
Frequent, regularly scheduled backups are the best tool against ransomware. If attacked, a business can refuse to pay the ransom and simply restore its data from a backup.
IT security strategy: An ongoing investment
In helping clients build their security pillars to deal with one of the most vexing challenges they face -- cyber-risks -- solution providers must also remind them that threats constantly evolve. What may work today may fall short tomorrow, so it's important to keep investing in security and testing the tools and processes that are in place to build the best defense possible.
About the author:
Joshua Smith, co-founder and president of Untangled Solutions, has made business technology his primary focus for 15-plus years, in both the private and public sector. He is currently working on continuing his education in both business and healthcare IT via certification programs.