Do you know your IT solutions as well as you should?
Visibility is one of the most important aspects of cyber security. Quite simply, if you can’t see what’s what, then you can’t do anything about it. You can’t spot weaknesses in your defences, and you can’t make improvements to better protect your business.
But what exactly do we mean by visibility, and how does it affect you? Essentially it comes down to one question:
Can you say, with complete confidence, what devices and which people, at any one time, are able to access your company’s digital resources and data?
More often than not, the answer to the question will be either ‘no’ or ‘maybe’. Sure, you might have a list of all the PCs and servers your business owns, but what about those mobile phones in your colleagues’ pockets? If they’re personal devices, it’s likely they’re not being tracked at all, yet they’re quite possibly connected to the company wi-fi, which in turn means they could be connected to every other device in the workplace.
This is a classic example of shadow IT, and from a security point of view, it’s less than ideal. Every one of these phones is a potential risk, a gateway into your corporate network, just waiting for cyber criminals to wander in and wreak havoc. All it takes is for one team member to accidentally download malware from an email, an app or a website, and it can quickly spread around your business. The same, of course, applies with other personal devices such as laptops and tablets.
Avoiding any kind of BYOD (bring your own device) arrangements in your business could help to reduce your risks, but it would be inconvenient for employees. It also wouldn’t provide any kind of guarantee of safety, because even company-owned devices can cause problems if they’re not properly tracked and regulated.
Security threats aren’t always external either. Every year, there are numerous cases of insider threat, where employees or other parties within an organisation use IT systems to commit fraud or cause damage. One of the ways they might do this is with unregulated devices.
Businesses might also find themselves having to contend with staff members storing valuable data on personal devices and taking it to a competitor or their next employer.
These are worst-case scenarios, but sadly they occur all too often in the real world.
Visibility Through Technology
Thankfully, there are solutions, some of which involve technology, while others require a change in the way you think about your business.
The first step is to simply acknowledge and understand the cyber security risks within your business. What you absolutely shouldn’t do is assume you won’t be a target or that the people within your organisation will always be on your side.
Once you’ve taken this step, you can think about the technology that will resolve the problem: user and device management tools.
One popular solution is Microsoft Enterprise Mobility + Security. This collection of tools does various things, including enabling businesses to easily prevent unauthorised devices from accessing their systems and data, while allowing enough flexibility for even personal devices to be used safely at work.
It also allows businesses to determine which apps can be installed on devices, and it can be used to remotely delete corporate data from devices.
But perhaps the key benefit is visibility. If you can track where all your devices are and how they’re being used, you’re better positioned to protect yourself. Indeed, as well as device management, Enterprise Mobility + Security manages user identities and tracks changes to data.
There is one problem with this: it requires the Microsoft Company Portal app on the devices you want to track. Employees may not want this on their personal devices, and that is, of course, their right. So how do you protect your business from such devices? One option is to set up a guest wi-fi connection in the workplace, one that has full internet access but is separate from the company network. Or you can simply ban personal devices from the network altogether.
Visibility Through Practice
Technology, however, can only take you so far. Businesses should also implement clear policies and procedures about how employees can use company and personal devices while at work. People need to know what kinds of things they should and shouldn’t be doing; they need to know what data they’re allowed to take from your premises, and they need to be informed of the possible penalties for any infractions. You might also want to make it a contractual obligation for all personal devices to have security software on them if they’re going to be used at or for work.
Managers can’t be exempt from these requirements either, and they must follow best practice guidelines too. In fact, as high-value individuals, they’re perhaps more likely than anyone to be targeted.
Furthermore, managers need to be on the ball regarding the various comings and goings of their business. Naturally, the higher the staff turnover, the more pressing this will be, but all companies need to be diligent when it comes to granting access to new starters and, more importantly, revoking it for leavers.
We also recommend having regular network audits to ensure maximum visibility. Doing so can reveal problems such as unauthorised or otherwise unsafe devices, for example out-of-date switches that don’t adhere to modern security standards. If you need help with this, please contact TMB; we have decades of experience optimising and protecting networks.