IT Insight: Strengthen your company cybersecurity now
It only takes one cyber-attack to end a business. As cybercrime continues to rapidly evolve in frequency and sophistication, so must your business security plan. You need confidence that your company’s sensitive data is as secure as your physical assets – and the only way to achieve that is with total network security.
But the fact of the matter is that most businesses simply don’t have the time, resources, or expertise to effectively manage their security alone.
Cybersecurity is often described as an arms race between the bad guys (hackers and their associates) and the good guys (the rest of us), with each leg of the race requiring the good guys to deploy a new generation of technology to stay safe. But this analogy is incomplete, because technology alone is insufficient to protect us from cybercrime.
What is required is a framework of measures including not only appropriate technologies, but also management policies/governance, good IT practices, user training and user supervision.
An IT Managed Service Provider, such as PCGiT, can provide your business with the technologies, tools, and guidance you need to keep your IT systems safe. To this end, we have implemented a multi-part security architecture, with a broad range of security controls, that defines how we interact with our own IT systems and those of our clients. We devote significant resources to planning, managing, documenting, and delivering this program. Does your current IT provider offer the following?
- Information Security Council (ISC): We maintain an ISC comprising senior security engineers who are tasked with overseeing all aspects of cybersecurity for our company and clients. The ISC members meet regularly and are responsible for driving PCG’s ongoing vulnerability and risk management processes and adapting our practices and policies to evolving needs.
- Written Information Security Plan (WISP): Central to our security program is a WISP that documents the company’s policies on cybersecurity controls, handling of employee information, privacy, and related issues. Our cybersecurity controls are based on the NIST Cybersecurity Framework. Our plan is reviewed and updated regularly by our ISC and Management Team.
- Technical Controls: To implement the controls specified in our WISP, we leverage a broad range of security technologies to protect our network, our endpoints, our email system, our information assets and our physical premises.
- Managed Detection and Response Service (MDR): We operate a state-of-the-art managed detection and response operation that proactively monitors our environment 24×7 for security-relevant data, including potential threat activity and software and system vulnerabilities. We monitor a broad range of system behavior to identify suspicious events and to block or kill suspicious processes.
- Strict Credential Management Policies: We require all our employees to use strong passwords and multi-factor authentication for all user and admin access. We do not generally hold or store client user credentials such as PC and domain passwords and have strict policies for handling them for circumstances where we do need to hold them.
- Mandatory Security Training: We require all our staff to participate in regular cybersecurity training, including specialized training for privileged users and periodic phishing simulations.
Of course, your IT Managed Service Provider alone cannot protect your business from cyber-crime. The security of your business is a shared endeavor, with ultimate responsibility lying with the executive leadership of each client organization. It must be this way as each client is an independent entity that is also the owner of their information assets, has the authority over the policies and practices of their IT users, is the arbiter of which MSP services they utilize, and is the decision maker on how much business risk they take.
Until now, our guidance to clients on their security practices has been mainly in the form of recommendations. But while many do follow these guidelines, we now believe that the time has come to define some baseline standards that all our clients must acknowledge and meet. Doing so is in their own interest and helps to protect our team and the greater PCG community from the side-effects of cyber-crime.
- Endpoint protection: All servers, backup appliances and workstations must be protected by an EDR threat detection agent, in addition to anti-virus software.
- Password policies: All clients must use strong, unique passwords that comply with our current password standards. The password policy must be documented and distributed to users.
- Password Enforcement: All clients must operate a Microsoft domain configured to enforce the password policies within the domain.
- Network boundaries: Each client office with two or more computer users must be protected by a PCG-approved firewall.
- Remote access: All remote access to the corporate network must be via a VPN or similar technology.
- Multi-Factor Authentication (MFA): All users must have MFA in place at a minimum for email access and for remote access to the corporate network.
- Email protection: All email accounts must be protected by a PCG-approved email security program.
- Employee training: All computer users must receive computer security training, including, at a minimum, annual training and quarterly phishing simulations.
- Unsupported computers: No computers with unsupported (out of date) operating systems may attach to or be accessible from the corporate network.
- Employee-owned computers: Clients that allow employee-owned computers to access their corporate network must have an approved policy in place.
- Back-up: All clients must have a back-up service for all servers and other systems storing data deemed critical to the business’s operation, to include cloud or other off-site backups.
- Cyber insurance: All clients must maintain cyber insurance covering both the insured and third-party claims, with a limit appropriate to the scale of the business.
While cybercrime will be with us for the foreseeable future, PCG is committed to working with our clients to allow them to focus their energy and resources on their core business. We leverage a broad range of technologies, both within our own operations and as services to our clients. We provide our clients with Comprehensive Risk Assessments to help ensure that their cybersecurity investments are prioritized toward keeping their IT assets safe. We can deliver strategic guidance, policy and best practice advice, documentation, user training and more – everything our clients need to play their own critical role.
Together we will raise the bar on Cyber-Crime.
JoAnn Hodgdon is vice president and co-founder of Portsmouth Computer Group (PCGiT) with her husband David. PCG provides comprehensive managed IT services, business continuity, security, cloud computing and Virtual CIO services to their clients. You may reach her at joann@pcgit.com or at www.pcgit.com.