The Role of Employee Security in Building a Secure & Stable Business Environment

Employee Security Matters: The First Line of Cyber Security Defense

When considering your company’s overall security posture, one often thinks only about firewalls and endpoint protection. An employee security protocol is frequently overlooked, yet it is one of the critical security measures a company must proactively institute. Employees are often both the first and the last line of defense in building a secure and stable business environment. A personnel security policy facilitates a consistent approach to handling end-to-end employee security throughout the entire lifecycle of an employee’s tenure with your company. 

From an employee’s initial onboarding through their off-boarding and beyond, the development and implementation of a consistent personnel security policy will ensure your peace of mind, allow you to manage your employees consistently, and maintain your business security from start to finish. 

 

Employee Security Policies – Where it Begins & Ends

A good personnel security policy details both your company’s process and the employee’s expectations. 

Prior to hiring for a specific role in your organization, the first step in the process is to clearly outline the roles and responsibilities. The process continues during the pre-employment screening, during employee onboarding, and finally concludes upon employee offboarding. There are some important policy areas to consider as you plan for or review current personnel security policies. 


Roles and Responsibilities


 

Pre-employment

The pre-employment process is critical to your personnel security process. Before hiring any candidate who will be given access to sensitive company data, background screening should occur. At a minimum, the background screening should include a criminal records search, credit report, and previous employment verification. Often employers fail to apply this same diligence to contractors, temporary or seasonal workers, and outsourcing companies who will be allowed to access sensitive company data or functions; however, failure to do so is a breach in your company’s security. 

Many people might ask why pre-employment screenings are so integral to a company’s security. Would you want to hire a System Administrator with a criminal record that included a conviction for data theft? Perhaps you are considering hiring a new Staff Accountant, and they have a conviction for embezzlement. Maybe you are hiring an Engineer to refine your prized invention, and the candidate was convicted of corporate espionage. Although these scenarios may sound unlikely or perhaps read like something from a movie script, these breaches in personnel security negatively impact companies of all sizes and every vertical focus on a daily basis. Pre-employment screening can save your business from a potentially damaging or even criminal incident involving your company or your data and should be in your personnel security policy.


Onboarding

Suppose you have decided to hire a resource and the candidate has passed the pre-employment screening process. You are confident in their qualifications and relieved they do not have a questionable background. Your new employee reports for their first day of work. What should happen next? 

Employees should be asked to review and acknowledge the following prior to receiving access to any company systems: 

1. Confidentiality Agreement – The confidentiality agreement is your protection and details what the employee can discuss or divulge outside of authorized company employees. 

2. Information System Security Agreement – These policies pertain to the employee’s responsibility in safeguarding systems and data. 

3. Intellectual and Property Rights Agreement – This agreement specifies who owns all of the hardware, software, data, and source code the employee has access to during the execution of their duties. 

4. Security Awareness Training – Information Security training should be given; however, some companies assume the new employee is aware of potential security issues or concerns. Train your employees and obtain written acknowledgement of the training. Better yet, offer this training annually to ensure that policy updates are covered. 

5. Equipment Receipt Acknowledgement – If the employee is issued a computer, phone, access badge, or other company-owned equipment, then an inventory of these items and their serial numbers should be taken and written acknowledgement obtained. 

 

Once the new hire has completed this process, the supervising employee or manager should notify Human Resources and request the new employee’s credentials from the Information Systems Security team. 

The access given to the new employee should adhere to the principle of least privilege. Least privilege refers to granting an employee the minimum amount of access to systems and data required to perform the duties of a given role. If the employee is an administrator, separate administrator credentials should be used to minimize the possibility of administrative compromise. All employees should be required to change their password upon initial use, and multi-factor authentication is recommended for added security. 

For an employee transfer to a new role or department, access should be reviewed by the Information Systems Security team to ensure the new access adheres to the principle of least privilege. 

 

Offboarding and Termination

Gone are the days when most employees earned a gold pocket watch after 50 years of employment. The reality of today is that sometimes the relationship between employer and employee may not work out. When an employee or contractor leaves, either through involuntary termination or by choice, a secure offboarding process should be followed to ensure that the integrity of the company equipment, systems, and data is maintained.   

One of the biggest threats to company security is the inappropriate or illegal use of unused credentials. Unused credentials are often ignored or even forgotten when an employee leaves, and they are frequently discovered by attackers and used to elevate privileges, sabotage systems, and steal data. These unused accounts are an excellent target for criminal activity because no one notices that the password has been changed.   

Another threat that should not be ignored during offboarding is related to the involuntary termination of an employee. Disgruntled, recently terminated employees may steal or destroy data or systems before their credentials are revoked as an act of retaliation. In 2018, a fired IT contractor with Chicago Public Schools stole over 70,000 employees’ personal information. 

 

When offboarding or terminating employees, the company should ensure that exit interviews are conducted, if possible, and: 

1. Immediately terminate access to company systems by notifying the Information Systems Security team. All of the employee’s account and login information should be disabled, and the password(s) changed. 

2. Any previously issued company-owned equipment and data should be recovered and checked against the issued serial numbers. 

3. Remind the offboarding individual about any agreements still in force. 

4. Change administrator credentials if the individual had access to system administrator credentials. 
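The checks behind steps 1 and 4, together with the dormant-credential risk described above, as an added audit script that is not code from the original post; the directory export, the HR departure list and the field names are constructed assumptions rather than a real directory schema:

```python
"""Offboarding audit: reconcile a directory export against HR departures.

Added example (not code from the original post). Account and departure
records are constructed sample data; field names are assumptions, not a
real directory schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed "today" so the sample run is reproducible.
NOW = datetime(2024, 6, 1)


@dataclass
class Account:
    username: str
    owner_id: str                    # HR employee id; "" for service accounts
    enabled: bool
    last_logon: Optional[datetime]   # None if the account never logged on
    pwd_last_set: datetime
    is_admin: bool = False           # separate administrator credential


@dataclass
class Departure:
    employee_id: str
    left_on: datetime


def audit(accounts: List[Account], departures: List[Departure],
          now: datetime = NOW, dormant_days: int = 90) -> Dict[str, List[str]]:
    """Return {username: [finding, ...]} for accounts that need attention.

    Departed owners: the account must be disabled, no logon or password
    change should postdate the departure, and any admin credential the
    person held must be rotated (offboarding steps 1 and 4).
    Everyone else: flag dormant accounts, and a password change with no
    logon since, which is the "nobody notices" case described above.
    """
    left_on = {d.employee_id: d.left_on for d in departures}
    findings: Dict[str, List[str]] = {}

    def flag(username: str, reason: str) -> None:
        findings.setdefault(username, []).append(reason)

    for a in accounts:
        if a.owner_id in left_on:
            departed = left_on[a.owner_id]
            if a.enabled:
                flag(a.username, "departed_still_enabled")
            if a.last_logon is not None and a.last_logon > departed:
                flag(a.username, "logon_after_departure")
            if a.pwd_last_set > departed:
                flag(a.username, "password_changed_after_departure")
            if a.is_admin:
                flag(a.username, "rotate_admin_credentials")
        elif a.enabled:
            if a.last_logon is None or now - a.last_logon > timedelta(days=dormant_days):
                flag(a.username, "dormant")
            if a.last_logon is not None and a.pwd_last_set > a.last_logon:
                flag(a.username, "password_changed_no_logon_since")
    return findings


# Constructed sample directory export and HR departure list.
ACCOUNTS = [
    Account("jdoe", "E100", True, datetime(2024, 5, 30), datetime(2024, 1, 15)),
    Account("asmith", "E200", True, datetime(2024, 4, 2), datetime(2024, 4, 20)),
    Account("asmith-adm", "E200", False, datetime(2024, 3, 20), datetime(2024, 2, 1), True),
    Account("bjones", "E300", True, datetime(2023, 12, 1), datetime(2024, 2, 10)),
    Account("svc-backup", "", True, None, datetime(2023, 1, 1)),
]
DEPARTURES = [Departure("E200", datetime(2024, 3, 31))]  # asmith left on 31 March

if __name__ == "__main__":
    for user, reasons in audit(ACCOUNTS, DEPARTURES).items():
        print(f"{user}: {', '.join(reasons)}")
```

Feed it the real directory export and HR feed on a schedule; each finding maps directly to one of the offboarding steps above.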


Not only are small to medium-sized businesses affected by security breaches related to their personnel; many high-profile companies, such as Equifax in 2017, have suffered embarrassing and expensive breaches because of a failure to adhere to internal policies and controls around Personnel Security. 

Regardless of your business size, a Personnel Security Policy is integral to managing your employees and proactively protecting your company from security threats. 

Worried about how secure your business is, or wondering if there is anything you can do to improve your security? Edge Networks can help! Schedule a call with us or take our free, self-guided IT Security Risk Assessment.

4 Things You Need to Consider When Creating an Effective Device and Inventory Management System

Understanding Device and Inventory Management

Business process improvement guru, H. James Harrington, famously said, “Measurement is the first step that leads to control and eventually to improvement. If you can’t measure something, you can’t understand it. If you can’t understand it, you can’t control it. If you can’t control it, you can’t improve it.” This is especially true when it comes to your device and inventory management strategy. 

 

Why Do Device and Inventory Management Matter?

There are many reasons that companies should maintain an accurate inventory of their devices. 

Let’s consider a few real-life scenarios. 

Suppose your company is considering the implementation of a new Enterprise Resource Planning (ERP) software. The software vendor has provided you with the minimum requirements needed to run the software. How can you plan for this project’s costs and timelines if you do not know if your equipment can run the software? You cannot budget for any upgrades required and cannot know how to allocate the resources necessary to perform any upgrades. With an accurate inventory management program in place, you could run a report and have this information with little effort. 

Another common scenario is asset depreciation. Suppose you are a CFO or Controller and are trying to prepare an annual report for the board. How can you accurately report your current assets if you do not know what you have and what has been lost, stolen, or out of service? With inventory management, this exercise becomes more accurate and easier. 


What if a salesperson’s rental car is broken into and their laptop is stolen? The police will want to know the make, model, and serial number of the stolen device to file a report. Insurance will not cover a loss claim without it. The salesperson only needs to contact the service desk. The representative can provide the serial number for the report, the salesperson will receive the police report, and a claim can be approved for reimbursement. 

Finally, imagine you are a CIO or IT Director. You receive notice that a patch needs to be applied to keep a new critical vulnerability from affecting your company network. Inventory management allows you to know if your equipment is affected and where these affected devices are located. Inventory management saves you time and keeps your network safe and protected from this vulnerability.   

These are just a few examples in which a device and inventory management system can help an organization work better and be more informed. 

 

Process Matters – Where Do I Start?

To get started on this journey, the creation of an inventory and device management policy is critical. 

These policies typically cover the following:  

1. Procurement Management

2. Asset Inventory

3. Asset Accountability

4. Asset Protection

Let’s dive deeper into each of these policies.

 

1. Procurement Management

A procurement management policy covers the rules of engagement for selecting and managing hardware and software vendors used by your company. They also protect the confidentiality of purchases, pricing models, authorized vendors, and authorized purchasers.   

For companies that produce specialized products and services such as patented or other trade secrets, a procurement management policy would include a method for confidential procurement through an authorized third-party purchasing organization. Some companies also require documentation of a supplier diversity program as a means for supporting female and minority-owned businesses. Many state contracts or even your company’s culture may find this documentation desirable.   

 

2. Asset Inventory

The core of an asset inventory system includes the methods and tools used to manage the existing assets accurately. 

Asset inventory management is essential for the efficient control of computer and software assets. IT systems change continuously during their lifecycle. Hardware components may be added or removed; software installed or uninstalled. Even in small IT networks, there will always be growth and change. 

An accurate and current asset inventory’s goal is to have a complete, up-to-date and accurate view of all network components, including PCs, servers, printers, hubs, routers, switches, and software. Ideally, the inventory should capture the device class and what is installed on the device. For any given timeframe, this can provide the actual state of all infrastructure components, which will provide a clear idea of what is owned, operating, and where it is located across the entire enterprise. 


3. Asset Accountability

Asset accountability covers the classification of software and systems. It also covers the asset owners and other parties (internal or external) responsible for these systems and the data they contain. 

Asset control is also part of this accountability. It helps ensure that responsibility for the controls that protect major information assets, such as a customer contact information database, has been assigned. This policy component assumes the major information assets have been identified. Identification of an organization’s major information assets can also occur when risk assessments are performed and when contingency plans are prepared. 

 

4. Asset Protection

Asset protection speaks to the type of computing equipment that may be used to access company systems. Typically, this is defined as company-owned or personal devices. From a security standpoint, most companies opt to require the use of company-owned or company-controlled devices so that security policies can also be easily monitored and enforced. 

Asset protection also covers the type of labeling and identification used to ensure the protection of the device. Most companies will opt for a destruction-proof label or tag that contains the company’s name and who to contact if the device is found, along with an internal serialization mechanism that is tied to the asset inventory system. 

 

Next Steps – Policy Creation and Maintenance for Device & Inventory Management

After you have decided on your basic device and inventory management strategy, the real work begins.

If you do not yet have a policy in place, your first task is to start outlining your processes to cover the items described above. Most companies will defer to their trusted technology advisor to help facilitate the creation of the documents and run initial discovery and documentation of current inventory items. These tasks are often run in parallel because the discovery of previously unknown device types will help steer the policy’s discussion and subsequent content.


If your company already has a system and policies in place, you should review the policies and their continued applicability annually at the very minimum. Identify gaps in your process and tools and make appropriate changes to ensure that the processes are still relevant. Run an audit to find errors or omissions and think about how you can refine your process to eliminate these gaps.

The ideal scenario is to have a coordinated management system in place that provides real-time data on the devices used in your networks. Most Managed Service Providers (MSP) use a Remote Monitoring and Management (RMM) system along with a Network Management system to perform this function for their clients. Networks are scanned in real-time or at regular intervals to ensure the devices and software assets’ health and find any new items accessing the managed network. 

Using more automated methods helps enforce policy compliance and is an underpinning of a mature, secured environment. 
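The patch-applicability and stolen-laptop scenarios described earlier, together with the scan-versus-inventory reconciliation an RMM performs, as an added example that is not the post's or any vendor's code; the inventory records, the "AcmeVPN" product and its fixed version, and the scan results are all constructed:

```python
"""Asset-inventory queries: which devices does an advisory affect, where are
they, and what is on the network that the inventory does not know about?

Added example (not code from the original post). The inventory, the
"AcmeVPN" product, its fixed version and the scan results are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Asset:
    serial: str
    device_class: str           # laptop, server, printer, switch, ...
    location: str
    mac: str
    software: Dict[str, str] = field(default_factory=dict)  # product -> version


def parse_version(v: str) -> Tuple[int, ...]:
    """'3.10.2' -> (3, 10, 2); assumes numeric dotted versions so that
    tuples compare numerically rather than as strings ('3.10' > '3.9')."""
    return tuple(int(p) for p in v.split("."))


def affected_assets(inventory: Iterable[Asset], product: str, fixed_in: str) -> List[Asset]:
    """Assets running `product` at any version below the one that fixes the advisory."""
    fixed = parse_version(fixed_in)
    return [a for a in inventory
            if product in a.software and parse_version(a.software[product]) < fixed]


def by_location(assets: Iterable[Asset]) -> Dict[str, List[str]]:
    """Group serial numbers by location so the patch team knows where to go."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for a in assets:
        grouped[a.location].append(a.serial)
    return dict(grouped)


def unknown_devices(inventory: Iterable[Asset], seen_macs: Iterable[str]) -> List[str]:
    """MAC addresses reported by a network scan that match no inventory record."""
    known = {a.mac.lower() for a in inventory}
    return sorted({m.lower() for m in seen_macs} - known)


def find_by_serial(inventory: Iterable[Asset], serial: str) -> Optional[Asset]:
    """Serial lookup for a theft report or insurance claim."""
    return next((a for a in inventory if a.serial == serial), None)


# Constructed inventory and a constructed scan result (MACs seen on the LAN).
INVENTORY = [
    Asset("SN-1001", "laptop", "Sales - Denver", "aa:bb:cc:00:00:01",
          {"AcmeVPN": "3.2.1", "OfficeSuite": "16.0"}),
    Asset("SN-1002", "server", "DC-1 Rack 4", "aa:bb:cc:00:00:02", {"AcmeVPN": "3.4.0"}),
    Asset("SN-1003", "laptop", "Engineering - Austin", "aa:bb:cc:00:00:03", {"AcmeVPN": "3.3.9"}),
    Asset("SN-1004", "printer", "Sales - Denver", "aa:bb:cc:00:00:04"),
]
SCAN = ["AA:BB:CC:00:00:01", "aa:bb:cc:00:00:04", "de:ad:be:ef:00:99"]

if __name__ == "__main__":
    hit = affected_assets(INVENTORY, "AcmeVPN", "3.4.0")   # constructed advisory
    print("affected by AcmeVPN advisory:", by_location(hit))
    print("unknown devices on network:", unknown_devices(INVENTORY, SCAN))
    stolen = find_by_serial(INVENTORY, "SN-1001")
    print("serial for police report:", stolen.serial if stolen else "not in inventory")
```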

 

Putting it All Together for Effective Device and Inventory Management

As you can see, a robust and mature device and inventory management program enhances the effectiveness of the entire enterprise. From finance to IT, everyone plays a part and benefits from this substantial investment in your company.   

Does creating a device & inventory management system feel overwhelming? We at Edge Networks know that there are a lot of moving parts and potential pitfalls. Remove the burden of managing your IT with our flat-fee IT managed services program. Contact us to schedule a free, 30-minute consultation today.

Compliance Mistakes You Don’t Know You’re Making That Can Cost You Thousands

Taking the Fear of Compliance Mistakes out of Regulatory Compliance

The phrase “regulatory compliance” often strikes fear in even the most seasoned executives, but it doesn’t need to be that way. Education and awareness are critical, so let’s look at the top two regulations that your company may need to think about – Payment Card Industry Data Security Standard (PCI-DSS) and Health Insurance Portability and Accountability Act of 1996 (HIPAA).

 

What is Regulatory Compliance?

Regulatory compliance refers to the steps put in place by an organization to comply with state, federal, and international laws and regulations that are relevant to its business operations. If regulatory compliance is violated, a company may incur monetary and even criminal penalties.


Payment Card Industry Data Security Standard (PCI-DSS)

If your company directly accepts payments for goods or services through payment cards (VISA, AMEX, and Discover for example), you need to have a plan for PCI-DSS compliance.

PCI-DSS was established to prevent credit card fraud. This is accomplished by putting standardized controls (rules) in place at all merchants accepting cards. This is a good thing. It increases your customer’s confidence because they know you are actively working to protect their card data.

 

There are six control objectives required under PCI-DSS:

1. Build and Maintain a Secure Network and Systems

2. Protect Cardholder Data

3. Maintain a Vulnerability Management Program

4. Implement Strong Access Control Measures

5. Regularly Monitor and Test Networks

6. Maintain an Information Security Policy

 

Let’s quickly break down each of the objectives:

1. Build and Maintain a Secure Network and Systems

Simply put, the company needs to have basic security in place. This means having a firewall and password-protected computers. Do not use default passwords on any systems or software.

 

2. Protect Cardholder Data

If you take orders over the phone, do not leave cardholder information on a notepad or sticky note. Preferably, the numbers would be directly entered into your terminal system or software and never stored, if possible.

 

3. Maintain a Vulnerability Management Program

Make sure you are using up-to-date anti-virus and anti-malware protection on all systems. 

All operating systems must be current and patched. Third-party software must be up to date.

 

4. Implement Strong Access Control Measures

Limit access to and protect equipment used to process transactions. If you must write down card data, make sure it is shredded. Any systems used to process transactions must have their drive destroyed when decommissioning.

 

5. Regularly Monitor and Test Networks

Network scans, both internal and external, need to be performed regularly and whenever there is a change to systems or software.

 

6. Maintain an Information Security Policy 

Establish and maintain an information security policy. Review this policy at least annually, and train employees on security awareness and social engineering. Screen new employees to limit the incidence of internal breaches. Lastly, have an incident response plan in case of a data breach.

There are a lot of things to consider. If you need help understanding any of these controls, reach out to your IT Security Professional or Edge Networks.

 

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA was passed into law to provide a framework to safeguard Protected Health Information (PHI). 

PHI is defined as any piece of information in an individual’s medical records that could be used to identify them personally. Basic examples include name, social security number and date of birth. Many other identifiers are included, and these continue to evolve as more technology is used in healthcare.

If your company is healthcare-focused, then you are very familiar with HIPAA. Your company falls into a group called “covered entities”.


There are three main categories of covered entities: Health plans, Clearinghouses and Providers.

  • Health plans include insurance companies, health maintenance organizations (HMOs) as well as employer-sponsored health plans.
  • Clearinghouses are organizations that process health information to conform to the prevailing standards for data content or format. Clearinghouses act on behalf of other organizations.
  • Providers include doctors, clinics, dentists, nursing homes, pharmacies and chiropractors, to name a few. Essentially any organization that submits healthcare-related claims to another covered entity.

You might feel a sense of relief when you notice that you are not on the list of covered entities. However, you may not be off the hook just yet. If you perform work for these organizations, you may be what is known as a business associate, and you must also be compliant. In this situation, you must enter into a contract called a Business Associate Agreement (BAA). 

The BAA details what information your company has a responsibility to protect. A few examples of service companies considered business associates are shredding services, attorneys, accountants, marketing services, and transportation services. This is not an exhaustive list. Please check with legal counsel if you are unsure.

To ensure health data protection is taken seriously, there can be monetary penalties associated with unauthorized disclosure of PHI. Penalties are levied based upon the severity and negligence of a given disclosure. 

 

There are four HIPAA violation penalty tiers and associated monetary penalties:

  • Tier 1 – A violation that the covered entity was unaware of and could not have realistically avoided, had someone taken a reasonable amount of care to abide by HIPAA Rules. Minimum fine of $100 per violation up to $50,000.
  • Tier 2 – A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care. Minimum fine of $1,000 per violation up to $50,000.
  • Tier 3 – A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation. Minimum fine of $10,000 per violation up to $50,000.
  • Tier 4 – A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation. Minimum fine of $50,000 per violation.


The penalties are adjusted for inflation annually.

Individuals involved in disclosures can also incur criminal penalties. These penalties are based on the severity and negligence involved in the disclosure. If an individual has profited from the theft, access or disclosure of personal health information (PHI), then those monies may also have to be forfeited in addition to the fine.

There are three tiers of criminal penalties for HIPAA violations:

  • Tier 1 – Reasonable cause or no knowledge of violation – Up to 1 year in jail.
  • Tier 2 – Obtaining PHI under false pretense – Up to 5 years in jail.
  • Tier 3 – Obtaining PHI for personal gain or malicious intent – Up to 10 years in jail.

The value of PHI on the black market continues to increase. This has been a big temptation for some individuals given recent economic conditions. Social engineering and malware attacks are on the rise to gain access to this valuable data. 

It is imperative that organizations subject to this Act take appropriate actions to reduce the risk of breaches.

 

Regulatory Compliance Matters

This is just a brief glimpse of the two main regulations that you may encounter in your business. It is best practice to review your compliance policies at least annually, and certainly when a change is made to the regulations.

If your company lacks in-house talent with the detailed knowledge needed to ensure compliance, we recommend that you consult with legal counsel. For the technical and operations aspects, you should reach out to a knowledgeable compliance and technology partner like Edge Networks to assist you with your journey into the compliance world. The investment will immediately begin to pay for itself because you just cannot put a price on your peace of mind. Contact us today for a free, 30-minute consultation.

The Five Critical Components Your Cybersecurity Incident Response Plan Must Have

What Is a Cyber Incident Response Plan?

According to the National Institute of Standards and Technology (NIST), a government agency that supports and promotes the use of technology to solve human problems, a cyber incident response plan consists of “the documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of malicious attacks against an organization’s systems.” More simply put, creating a cyber incident response plan means formalizing the exact steps you’ll take as soon as you discover that a cyber incident has taken place.

Having a robust cyber incident response plan in place can save your business time and money, and it can help preserve your business’s reputation if you’re victimized by cybercriminals. Advance planning can boost your organization’s cyber resilience, and increase your peace of mind in the face of today’s most formidable threats.

How can you create the cyber incident response plan that’s right for your business’s size and your IT infrastructure’s degree of complexity? Your plan doesn’t have to be elaborate; it just has to be solidly built so you’ll know what to do in a time of crisis.

 

Cyberattacks can happen to anyone. Be prepared by creating a solid Cybersecurity Incident Response Plan.

No matter whether your business is large or small, no matter what industry you’re in, or where your offices are located, cybercrime poses grave risks to your financial well-being today, and your chances of survival and healthy growth in the years to come. Global losses caused by cyberattacks are predicted to exceed $6 trillion by 2021, putting more money in criminals’ pockets than the trade of all major illegal drugs combined.

Leaders of small and medium-sized businesses may be tempted to believe that they face fewer risks from cybercrime than large enterprises because their profiles—and revenues—are lower, but the latest research shows that they are in fact more likely to be targeted for attack. According to the 2019 Verizon Data Breach Investigations Report, nearly half of all breach victims were categorized as small businesses. The Better Business Bureau reports that as many as 20 percent of smaller organizations will fall victim to cyberattacks in any given year, with average losses totaling nearly $80,000 per incident.

To help you get prepared, we have created a FREE Cybersecurity Incident Response Plan template that you can implement in your business, which you can find at the end of this post.

Given these nerve-wracking statistics, which remind us that cyberattacks aren’t just possible but are almost inevitable, it’s important to make a plan. Drawing up a comprehensive risk assessment, laying out the specific steps you’ll take in the moment of crisis, and delineating key responsibilities can help you feel more prepared, but it’ll also enable a speedier response. And the faster you can contain the incident and manage its consequences, the lower your overall costs are likely to be.

 

The Five Essential Ingredients

#1: Formalize and Document the Policies and Procedures

In case of disaster, you can’t just wing it. Every aspect of your cyber incident response plan should be concrete, written, and well-tested. Though you’ll want to include detailed steps and procedures to follow, you’ll also want to spell them out simply.

Keep in mind that stakeholders across the entire organization may have roles to play in identifying, containing, and responding to the incident, even those whose typical job responsibilities don’t have anything to do with IT, and that incident response team members are likely to be under a great deal of stress. Documentation should be clear, brief, and very specific, so that steps are easy to follow, even when the pressure is on.

 

#2: Build a Rock-Solid Team

You’ll want to establish a computer security incident response team (CSIRT) within your organization.

Team members will be responsible for technical incident response procedures (identifying that an incident has occurred, analyzing logs to figure out exactly what happened, repairing systems, and removing the means by which the attack was accomplished) as well as internal and external communications (exchanging information with employees, law enforcement, affected customers, and senior management, for instance), so you’ll want to include IT security staff and draw on resources in other departments as well.

Some team members should be skilled in marketing/public relations, human resource management, and providing legal counsel. A managed service provider can supplement your in-house expertise if your technical security team isn’t large enough to meet your incident response needs.

 

#3: Establish Communications Guidelines

One team member should be charged with the responsibility for authorizing when and how details about the incident are to be disclosed. It’s also a good idea to have legal counsel review any notification letters or other disclosures before they’re made public. Have a plan in place for how you’ll accomplish this, as well as a set of guidelines for what you’ll say.

Be sure you have recorded the contact information for anyone you might need to communicate with, in a place that’s separate from any systems that might be affected by a breach. This could include contacts at regulatory bodies whose requirements you must meet, as well as all members—both internal and external—of your incident response team.

 

#4: Outline Concrete Technical Steps

From incident discovery and classification to containment and recovery, you’ll need a playbook detailing specific steps within incident response protocols that you expect your security team members to follow.

You’ll want to collect all relevant log data so that it can be audited, and review all alerts generated by the security tools in your network environment. You’ll also need to elaborate the testing and validation procedures you’ll rely on after forensic analysis is complete to certify that all systems have been restored to secure operational status.

 

#5: Practice Makes Perfect

Technologies are constantly changing, as are attackers’ strategies and techniques. At a bare minimum, your team should revisit your cyber incident response plan once a year. Update it to reflect your current IT environment, the current threat landscape, and your current risk profile. Any incidents that do take place should be examined at length. Afterwards, make technology updates or policy changes to safeguard against similar attacks in the future.

It’s also a good idea to conduct scenario-based testing exercises to make sure that your incident response plan can be relied on in times of need. These can be simple or elaborate, and offer team members the opportunity to evaluate—and improve—their preparedness without facing an actual incident or attack.

Developing a cyber incident response plan doesn’t have to be complicated. Having one can make a dramatic difference in your level of preparedness, your overall vulnerability, and your peace of mind. A managed IT service provider with cybersecurity-specific experience will have a great deal of practical knowledge in cyber incident response procedures, and can guide you in building the very best plan to meet your business’s needs, from the ground up.

 

Download Your Free Incident Response Plan


Make Cybersecurity Part of Your Onboarding and Offboarding

Importance of Cybersecurity in the Employee Onboarding and Offboarding Process

Malicious actions taken by disgruntled former employees have the potential to cripple any business, no matter how large or small. It happened to Amazon, to Apple, to the infidelity matchmaking website AshleyMadison, and to the automotive innovators at Tesla. And it has occurred at many small and mid-sized organizations as well. Former employees have stolen intellectual property and trade secrets—including proprietary software and technical information—and have taken passwords, administrative privileges, and intimate knowledge of their former employers’ IT environments with them when they left their jobs.

Of course, not all harm that employees do to information security is accomplished in bad faith. In the 2019 Verizon Data Breach Investigations Report, for instance, “privilege abuse”—including the abuse of credentials accidentally disclosed to criminals by victims of social engineering attacks—and “data mishandling” were among the most common causes of breaches, and together were responsible for more than half of the incidents included in the survey. Employee errors, accidents, and misconfigurations remain among the leading causes of data breaches year after year and have held this position since indexing began. 

This is why it’s critical to have cybersecurity measures in place for the Employee Onboarding and Offboarding process.

 


Developing the proper onboarding and offboarding procedures can have a major impact on your organization’s cybersecurity risk profile. Both malicious acts and innocent mistakes will be far less likely to result in a data breach if you have the right policies and workflows in place. 

Read on to learn about best practice guidelines to help your incoming employees keep cybersecurity front-of-mind, and to prevent employee departures from increasing your vulnerability.

 

How to Get Employees on Board with Cybersecurity Policy and Compliance

New hires are often your most eager, attentive, and motivated employees. If you can successfully turn this beginner’s enthusiasm into good habits, you’ll have taken an enormous step towards creating a strong and resilient cybersecurity culture within your organization.

Implement a well-designed Security Awareness Training program and make participation mandatory, not optional. Look for a program that provides information in various types of media and in differing formats to engage employees with diverse learning styles. Research indicates that including games and quizzes can boost employees’ ability to remember information from the training, and incorporating testing and assessment can help you evaluate the training’s effectiveness, and show you which individual employees are likely to pose the greatest risks.

Are you concerned about the cybersecurity of your business? Edge Networks can help! Take our free, self-guided IT Security Risk Assessment, or contact us today for a free, 30-minute consultation.

 


How Do I Create a Security Awareness Program – Employee Security Awareness Training

Reducing threats better than a firewall, intrusion detection system, or endpoint protection platform with Security Awareness Training

Why should Security Awareness Training be on your radar? Year after year, leading industry surveys continue to reveal that cybersecurity attacks are on the rise. And the latest 2018 Verizon Data Breach Investigations Report, which details more than 53,000 incidents and 2,216 confirmed data breaches, is no exception. Though enterprises are spending more than ever before on technological solutions, and though more robust software and more recent updates are available, criminals are continuing to breach our networks at an unprecedented rate. Why are attackers successful as often—or more often—than they were in the past, despite advances in security technology? 

According to Verizon’s research, the most common action taken in breaches was the use of stolen credentials. In another recent survey, 65 percent of organizations had been victims of a major security incident within the past year, and among these, more than half (52.9 percent) reported that their systems had been infected through a phishing or targeted email-based attack. Human error is what has allowed these attacks to succeed.

 


No firewall, intrusion detection system, or endpoint protection platform can help reduce these threats. They’ll be just as prevalent no matter how much technologies improve. 

But there are steps you can take to secure your organization against threats seeking to take advantage of human error. Implementing security awareness training is relatively simple, cost-effective, and, according to research, highly effective at lessening these risks.

 

What is Security Awareness Training?

Security awareness training is a formal educational program designed to help employees be more mindful of information security best practices as they go about their daily activities. Its primary objective is to strengthen the overall security culture throughout the organization. 

Various types of security awareness training exist, from the “break room approach,” in which employees are gathered for lunch-and-learns or special meetings, to training conducted via videos or webinars, all the way through comprehensive programs that include practice with simulated phishing attacks and testing.

 


How Do I Train My Employees for Cybersecurity?

Numerous cybersecurity awareness programs are available today, but not all are equally effective. Many security leaders struggle to gain support for this training from upper management, and some have difficulty getting employees across the business to take all its aspects seriously. Training that’s poorly designed, that’s conducted too infrequently to be memorable, or that has become outdated (which can happen very quickly in today’s ever-changing cybersecurity landscape) won’t give the hoped-for results.

Look for a program designed to engage your users, to hold their interest, and to provide ongoing training, assessments, and refreshers to ensure that they retain what they’ve learned. Programs that deliver information in a wide variety of media types and formats (ranging from posters to video, webinars to email newsletters) will cater to a broad array of learning styles. Programs that include gamification build a sense of mastery and autonomy among users, improve their recall of information, and boost their willingness to participate. And programs that offer testing and assessments and display the results in a visually appealing dashboard make it easy to identify the individuals who pose the greatest risks.

 

Importance of Security Awareness Programs

Because the human tendency to make mistakes remains the same while cybersecurity technologies grow more sophisticated, cybercriminals are focusing increasing amounts of attention and effort on people instead of technical defenses. 

Email continues to be the most common attack vector. Despite this, an alarmingly high percentage of users in one recent international survey were unable to correctly define—let alone accurately identify—a phishing or ransomware attack. In this cultural climate, security awareness training has the potential to make an enormous difference.

 

Benefits of Security Awareness Training

No matter which technical cybersecurity solutions your organization has in place, implementing a security awareness training program can enhance their effectiveness. Because of this, security awareness training continues to be among the most cost effective ways to reduce the overall information security risks faced by your organization.

An effective security awareness training program will significantly decrease your chances of suffering a data breach, and thus of incurring resulting direct and indirect costs—for remediation and repair, revenue loss, reputation damage, and fines and penalties. Forrester Research estimates that a mid-size organization would experience a $124,219 risk-adjusted benefit value over the course of three years after implementing a highly effective security awareness training program.

The “soft” benefits that such organizations would experience are more difficult to quantify but no less important. These include an increase in employee motivation and ability to respond effectively to phishing attempts or other cyberthreats. Employees who are confident in their ability to identify risks are far more likely to participate in a “speak up” and “safety first” workplace culture, and less likely to ignore threats when busy or stressed.

 

Security Awareness Training Companies

Demand for cybersecurity awareness training is on the rise. Cybersecurity Ventures predicts that the market for security awareness training, which was roughly $1 billion per year in 2014, will increase to $10 billion annually by 2027. To help employers navigate this rapidly growing market, Cybersecurity Ventures has also assembled a comprehensive directory of companies that offer products, services, and platforms within it.

 


With so many options to choose from, it can be challenging to determine which cybersecurity awareness training program will best meet your organization’s unique needs. Seek out a training provider with extensive experience, and choose one that knows your industry well—including its culture and history as well as the threat profile and compliance requirements you face.

Several organizations, including the SANS Institute and the U.S. government, offer free resources that can help you evaluate vendors or lay the groundwork for your training program. Many reputable vendors also provide tools and resources that are free to the public.

 

IT Security Awareness Training for Employees PPT

A common method for delivering security awareness training is by showing PowerPoint slides on best practices to assembled employee groups. Though this is undoubtedly better than no training at all, such presentations, which security experts and weary employees alike dub “death by PowerPoint,” are among the least engaging ways to present this vitally important material.

 

Security Awareness Training Program Template

In contrast, the most effective security awareness training programs for today’s complex and ever-changing threat landscape are those that engage your users’ attention and awareness by presenting highly relevant, personalized and individualized material in a variety of formats. 

Look for a program that includes:

  • Baseline testing. It’s key to assess your users’ strengths and vulnerabilities before you begin training.
  • A comprehensive training library. Interactive modules and games will challenge and engage your users. Automated reminders can provide an incentive for them to continue progressing through the program.
  • Tests and simulations. These should be sophisticated and varied to mimic the real-world threats that users encounter daily.
  • Clear and actionable reporting. Statistical reports allow you to see the results of your security awareness mitigation plan, and to modify it to maximize effectiveness.

 

Security Awareness Program Ideas

If you create a security awareness program that employees find enjoyable and engaging, they’re far more likely to remember its lessons and apply them at the right times.

Include games among the educational materials and consider providing incentives or awarding prizes to employees who succeed in the training or are able to apply its lessons to real-world attacks.

 


It’s also important to customize your messaging for different employee groups. Senior executives may not need or benefit from the same training as IT staffers, and industrial equipment operators will have different needs still. If you can make the training relatable and relevant, employees are more likely to appreciate its value.

 

Data Security Practices for HR Professionals

HR professionals have a vital role to play in protecting organizations’ information assets. Because HR traditionally oversees employee development and training, they’re in an excellent position to advocate that strong employee cybersecurity training programs be implemented throughout the entire organization. An effective HR department can go a long way towards developing a resilient cybersecurity culture across disparate departments and divisions. 

HR departments can also ensure that security awareness training is incorporated into employee onboarding procedures.

 

Clean Desk Policy

It’s easy, straightforward, and the opposite of technically complex. But many employees forget that simply straightening up their desks can help protect the security and integrity of business data.

Though we often think of data security as an IT problem, sensitive information can also be found on printouts or paper forms. Be sure to file away all paperwork that needs to be saved, and shred paper documents before discarding them. Putting everything where it belongs is a habit that will keep all types of data safer. It also makes it easier to see if laptops, mobile devices or USB drives have been stolen or tampered with.

Finally, never write passwords on sticky notes kept on your desk or attached to your computer monitor.

 


Conclusion

Some information security best practices are simple, but choosing a security awareness training provider that will understand your business, industry, and company culture can be complex. It’s an important decision, however, since highly effective security awareness training can have a major impact on your resilience in the face of today’s most prevalent cybersecurity threats.

A managed service provider with extensive experience partnering with companies just like yours can guide you in evaluating the options. If you’d like to learn more about security awareness training, contact Edge Networks today to schedule a free, zero-obligation IT assessment.

Top 3 Tips for Rock-Solid Microsoft Office 365 Security

Microsoft Office 365 Security – Best Practices

Microsoft Office 365 is among the world’s most widely used software suites, and its popularity continues to grow. Organizations large and small can benefit from Office 365’s reliability, its predictable monthly cost, and its always-on convenience, which enables employees to be productive anywhere and everywhere. But will your data, intellectual property, and other valuable information assets truly be safe in the cloud? How can you be sure you have rock-solid Microsoft Office 365 Security?

Here at Edge Networks, we’ve seen firsthand how devastating the effects of an Office 365 breach can be. We’re also highly familiar with the world-class, enterprise-grade, security-hardened infrastructure that Microsoft maintains, and we understand the strength of their commitment to physical, logical, and data security. 

We believe that your data can be at least as safe—if not safer—in Microsoft’s Office 365 cloud environment than it is when stored on premises. But we also know that the Microsoft Office 365 environment is highly customizable and configurable.

 


In the vast majority of cases, Office 365 breaches occur not because of vulnerabilities in Microsoft Office 365’s physical and network infrastructure—which is among the safest in the world—but because users or administrators have not properly configured their Office 365 tenant for security and threat management. Often, making a few small changes can go a long way when it comes to reducing the cybersecurity risks your business faces.

Here are a few quick-to-implement tips that can dramatically improve your safety and security while you continue to enjoy Office 365’s many benefits:

 

Tip #1: Notify users in the subject line of emails that come from outside the company

Email spoofing, which involves forging message header information to mislead the recipient about where it comes from, is more common than ever before. According to Verizon, email fraud accounts for more than 90% of cyberattacks targeting enterprises, and the FBI reports a 136% increase in business losses due to email fraud between 2016 and mid-2018. 


 

Anything you do to make it easier for users to spot a forged or fraudulent message will make your organization safer. In Microsoft Exchange Online or Office 365, you can add a prepend like [EXT] or [EXTERNAL] to the subject of all incoming messages that originate outside your organization. This makes it easy for team members to identify those that don’t come from the person who is said to have sent them—so that attempts at email spoofing will be glaringly obvious to their intended targets.

Adding a prepend to incoming messages from senders outside the company is easy to implement. It’s a low-cost, low-effort way to boost security, and thus it’s a very good idea.
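The mail flow (transport) rule that implements this tip, written here as an added example rather than code from the original post. It assumes the ExchangeOnlineManagement PowerShell module and an account holding the Organization Management role; the admin address and the rule name are placeholders.

```powershell
# Added example: tag inbound external mail with a subject prefix using an
# Exchange Online mail flow rule. admin@contoso.example is a placeholder.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$ruleName = 'Tag external senders in subject'   # placeholder rule name
$prefix   = '[EXTERNAL] '

# Create the rule only if it does not already exist, so the script is safe to re-run.
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    $params = @{
        Name        = $ruleName
        FromScope   = 'NotInOrganization'   # sender is outside the tenant
        SentToScope = 'InOrganization'      # recipient is one of your own users
        # Skip messages that already carry the tag, so long reply chains do not
        # end up as "[EXTERNAL] [EXTERNAL] RE: ..."
        ExceptIfSubjectContainsWords = $prefix.Trim()
        PrependSubject = $prefix
        Priority    = 0                     # evaluate before other rules
        Mode        = 'Enforce'             # 'Audit' would only log matches
        Comments    = 'Lets users spot mail that did not originate inside the organization.'
    }
    New-TransportRule @params
}

# Verify the rule is present and enabled.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, FromScope, SentToScope, PrependSubject
```

Exchange Online counts a sender as "in the organization" only when the address is in one of your accepted domains and the message arrived over an authenticated connection, so a message forged to look internal but delivered from outside still matches NotInOrganization and gets the tag.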

 

Tip #2: Enable multi-factor authentication (MFA) for your organization’s Office 365 users.

This is probably the most important step you can take to protect all the accounts throughout your business from the consequences of password loss or theft. It adds a second layer of security to all user sign-ins and other system interactions. Microsoft makes it simple to set up MFA centrally for all users, though it can also be done individually.

Most people are familiar with multi-factor authentication because it’s widely used for consumer applications like online banking. They understand that they’ll need to check a secondary device, like their phone, for a code that enables them to access their sensitive personal or financial information. Office 365 supports authentication via mobile app, phone call, or SMS messaging.

Global surveys indicate that only about 20% of enterprise Office 365 users have set up MFA, despite the fact that password-based attacks are the most common reason for Office 365 account compromise. But the prevalence of these types of attacks means that enabling MFA is very much worthwhile. It’s a powerful means of protecting your account, your data, and the security of your entire organization.

 


Tip #3: Enable mailbox audit logging within your tenant

Business email compromise is a serious and ongoing threat. Even the best-informed and most careful employees can fall victim to spear-phishing or other social engineering tactics. Cybercriminals have used everything from fake invoices to keylogging software that steals users’ credentials to trick their targets into transferring funds to their bank accounts. 

By enabling mailbox audit logging, you’re essentially transforming your Office 365 tenant into a recording device that will track hackers’ every attempt at tricking, misleading, or deceiving your users via email. It’s a critically important forensic tool that will allow investigators to look back at all the login events and suspicious activities that occurred within mailboxes in your tenant. 

The capacity to maintain these logs is built into Office 365, but audit logging has not always been enabled by default. Turning it on is a simple process, but it must be done ahead of time—you can’t search data from before the time you enabled audit logging capabilities. This is another area where thinking proactively about Office 365 configuration settings can make your business far more secure.
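Turning mailbox auditing on tenant-wide, checking that no mailbox was missed, and pulling recent mailbox login events, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module; admin@contoso.example is a placeholder.

```powershell
# Added example: enable mailbox audit logging everywhere, verify it, and query
# the unified audit log. admin@contoso.example is a placeholder account.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. Make sure auditing is not switched off at the organization level.
Set-OrganizationConfig -AuditDisabled $false

# 2. Enable auditing on every user and shared mailbox and keep entries for
#    180 days (the default is 90). Only activity after this point is recorded;
#    nothing that happened before enabling can be searched later.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox
$mailboxes | Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit '180.00:00:00'

# 3. Make sure owner sign-ins are among the audited actions, so a login with
#    stolen credentials shows up as a MailboxLogin event.
$mailboxes | Set-Mailbox -AuditOwner @{Add = 'MailboxLogin'}

# 4. Report any mailbox where auditing is still off.
$notAudited = Get-Mailbox -ResultSize Unlimited | Where-Object { -not $_.AuditEnabled }
if ($notAudited) {
    Write-Warning 'Auditing is still disabled on these mailboxes:'
    $notAudited | Select-Object UserPrincipalName
} else {
    Write-Output 'Audit logging is enabled on all mailboxes.'
}

# 5. Pull the last seven days of mailbox login events for investigators.
#    Search-UnifiedAuditLog returns at most 5000 records per call.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations MailboxLogin -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations |
    Sort-Object CreationDate
```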

 

Conclusion

At Edge Networks, we’ve made many of our clients’ transition to the cloud easier and more secure. We have the know-how to help you prevent an Office 365 breach from devastating your business. To learn more about how to configure your Office 365 tenant to maximize productivity and security, contact us today for a free, 30-minute consultation.

 

While you’re here, check out our video to hear advice from our former CIO, Josh McKinney, on how to stay safe in Office 365. 

 

Boosting Productivity and Security with Single Sign-On Authentication

Save Time and Hassle with Single Sign-On Authentication (SSO)

If you’ve ever logged in to Candy Crush with your Facebook account, or confirmed your identity before making an online purchase by signing in via Amazon or Google, you’ve used single sign-on authentication. 

With single sign-on (SSO), a centralized user authentication service allows you to use one set of login credentials to access multiple applications or platforms. In other words, one website relies on another trusted site to verify your identity. 

It’s practical and convenient. Single sign-on can save you time and reduce the hassle of repeatedly resetting forgotten passwords. Because you need to remember fewer passwords overall, you’re more likely to choose longer, stronger, and more complex credentials—the kind that are more difficult for attackers to compromise. And you’ll probably make fewer help desk calls.

 

How Does Single Sign-On Authentication Work?

Single Sign-On systems were designed for security. Rather than passing your actual username and password between websites and apps, these services share an access token. An access token is like a notification of approval: it indicates that a user has been authenticated, and is authorized to perform certain functions, but access to their private data or credentials is not given. 

An access token works somewhat like a credit card transaction approval number. It’s a code or key that enables one website or application to use the services of another, without sharing all of your account details.

Most of the companies—including Microsoft, Facebook, Amazon, Twitter, and Google—that provide SSO login services to individuals rely on the same standard protocols. Called OAuth, these protocols are intended to be secure, simple, and highly standardized, making them suitable for widespread use. 

Businesses usually instead employ Security Assertion Markup Language (SAML) based protocols in their internal single sign-on access systems. With increasing numbers of small and mid-sized organizations making use of cloud-based services, using these SSO systems can improve security and make it easier for IT administrators to manage access to diverse web-based applications and resources. 

 


Is Single Sign-On Authentication Secure?

Generally speaking, single sign-on is no more or less secure than the centralized authentication service that you’re using. For instance, if you’re using Facebook to log in to third-party applications, your credentials are being stored in accordance with Facebook’s encryption standards, and access to your account information is governed by Facebook’s privacy policies.

Most SSO authentication providers are deeply concerned about security and devote a great deal of attention and resources to it. Their systems usually have extensive security measures in place and protect user passwords with strong encryption, so they can’t be accessed even if the provider’s systems are compromised. 

In contrast, smaller e-commerce businesses usually don’t have the time or money to develop their own login and security systems, and those that do may not be able to implement systems that are as robust as those of major SSO providers. 

 

What Are the Drawbacks to Single Sign-On?

SSO establishes a single, centralized point of failure for multiple account logins. So if, say, Google stops working, you cannot access all the accounts that you usually log into with Google. And if Facebook suffers a data breach, hackers may be able to compromise the access tokens that Facebook issues as well. 

Because SSO increases the number of accounts and resources that you can gain access to from a single account’s login credentials, if that account gets compromised, a hacker might be able to gain access to more of your personal data or account information than if you weren’t using it. 

 


All in all, creating strong and unique passwords for each of your user accounts individually might well offer better security than SSO, but only if you can remember these passwords, change them regularly, and keep them long, un-guessable and containing a good mix of numbers, letters, symbols, and special characters. In the real world, for the majority of users, single sign-on is likely to be a better solution.

 

What are Best Practices for Single Sign-On Security?

Implementing Single Sign-On Authentication has numerous benefits for businesses. It improves productivity and reduces password fatigue. Coupled with employee training, it can significantly improve overall password hygiene within your organization. SSO can also make it easier to introduce secure bring-your-own-device (BYOD) policies.

It’s important to select an SSO system that supports secure storage of authentication credentials and encryption keys. It’s also critical to ensure that you’ve properly segmented your network to protect your main identity service within your IT environment. 

Adding multi-factor authentication (MFA) to your SSO implementation can improve security significantly without compromising convenience. With MFA, users are required to verify their identity through additional means, such as via a second device or with a separate security token. MFA can be implemented for access to high-risk or sensitive systems only, or more broadly throughout your organization.

Here at Edge Networks, we have in-depth experience helping our clients balance their needs for security, usability, and convenience. To learn more about choosing a single sign-on solution for your business, contact us to schedule a free, 30-minute consultation, or take our free, self-guided IT Security Risk Assessment.

You can also watch this video to hear Josh McKinney, our former CIO, give a brief overview of this technology and how it can work for you.

Don’t Be the Next Company Sending Out a Notice of Data Breach Letter


Why do so many companies fail to take data security seriously? From what we have seen, companies fail to take data cybersecurity seriously enough for the following reasons:

 

  • They believe that ensuring compliance with a security framework, such as FISMA or NIST, is enough.
  • They haven’t experienced a security breach in the past, so they don’t believe they’ll deal with a security breach in the future.
  • They don’t want to deal with the hassle and/or don’t have the knowledge to find and implement the right security solutions.

 

Does anything listed above sound familiar? Most businesses are surprised when reality strikes them and they must write their clients, consumers or patients a letter with the subject line: Notice of Data Breach.

To help you get prepared in case disaster strikes, we have created a FREE Cybersecurity Incident Response Plan template that you can implement in your business, which you can find at the end of this post.  

 

Yet another example of a company’s failure to take preventive measures against computer security breaches

Today that “Notice of Data Security Incident” letter came to me from The Oregon Clinic, and alarms went off in my head. For the past 2 ½ weeks, I have lived, breathed and dreamt about cybersecurity and what the implications are to a business who does not take the steps necessary to prevent these “incidents” from occurring in the first place. And now I am seeing it not only as it pertains to The Oregon Clinic, but to their patients.

Their letter starts like this: “I am writing to inform you of a data security incident that may have involved your personal information. At The Oregon Clinic, we take the privacy and security of your information very seriously. This is why I am contacting you, offering you identity monitoring services, and informing you about steps that can be taken to protect your personal information.”

 


It goes on to outline the when, what, and how they plan to resolve this “incident”.

  1. On March 9, 2018, The Oregon Clinic learned that an unauthorized third-party accessed an email account.
  2. The Oregon Clinic immediately disabled the account and began an investigation to determine what had occurred and whether protected health information (PHI) may have been affected.
  3. Cybersecurity experts were engaged, including a digital forensics firm, to determine the nature and extent of the incident.
  4. On April 19, 2018, the investigation determined that PHI may have been affected. This information included patients’ names, dates of birth, and certain medical information (which may include medical record numbers, diagnosis information, medical condition, diagnostic tests performed, prescription information and/or health insurance information).
  5. They determined that the incident was restricted to one email account and did not affect any other aspect of The Oregon Clinic’s network.
  6. In addition to their investigation, they are offering additional steps patients can take to protect personal information. This is an identity monitoring service for 12 months at no cost through Experian.
  7. And, lastly, they give recommendations to protect your personal information, (which is a long and arduous task as anyone that has had their personal information/identity put at risk knows). 

 

In an article by Scot Gudger, CEO at The Oregon Clinic, he issues the following statement to Health Data Management:

“We are very sorry this happened and apologize to the patients who have been affected by this incident. We value our patients and will continue to work closely with cybersecurity experts to remediate this situation, and, most importantly, are taking steps to help prevent similar incidents from happening in the future.”

 

This mindset of “Oh we’re sorry, and NOW we will take steps to prevent this” is becoming less and less acceptable in a world where hackers are always looking for that one company with an out of date AV or Firewall, or no IDS/IPS, or the plain and simple mindset of “it won’t happen to us”.

Don’t let yourself become another number in the world of cyber-attack statistics. Your staff and customers deserve the best from you. 

If you’re looking to be more proactive in your cybersecurity incident response plan, we’ve created an outline of five critical components yours should have. Read more about it below.

If you’re unsure of whether or not your network is secure, take our free, self-guided IT Security Risk Assessment, or contact us today for a free, 30-minute consultation.

 

Download a Free Cybersecurity Incident Response Plan Template

Bulk configure handheld scanners Intermec CK3 via CloneNGo

Josh McKinney, chief technology officer with Edge Networks with a tip of the week. 

What I have in my hands here is an Intermec CK3. It is a bar code scanner that one of our clients uses to scan inventory and to also process orders for customers. 

One of the cool things that Edge Networks did is this: the device uses what’s called CloneNGo, an application that allows you to configure a master device with certain settings like wifi connectivity, applications and other configuration settings…