Panama, Paradise, Publicity

P.T. Barnum receives attribution for the phrase “There’s no such thing as bad publicity”. I think there are a large number of offshore investors who may disagree with that statement this week. The Panama and Paradise Paper revelations have placed an exclamation point on the importance of an aggressive security posture. As the game of cat and mouse between hackers and IT escalates, it is more important than ever that organizations use every means at their disposal to secure their data.

See you in the unfunny pages

Companies that are caught exposing customer data to hackers may find themselves in a difficult position if they can’t prove to customers, auditors, and regulators that they utilized “best practices” to secure their systems and guard against breaches.  The issue, of course, is what constitutes a best practice in this rapidly morphing landscape?

Your mother was right. You should layer.

In the good old days, it was enough to simply put in a firewall, lock it down and go on your merry way. Clearly, this is no longer an option. A true belt-and-suspenders approach to data security must be adopted, starting beyond the edge of the network and extending all the way to the end user community. Many security vendors now have SaaS options in place to identify risk long before it hits your network. At the very least, some degree of email filtering must be in place, employing a “detonation chamber” in which all mail attachments may be tested for malicious code. The firewall infrastructure should be intelligent and ideally capable of some level of cloud-based machine learning to identify unusual behavior and then quarantine suspect devices.

A minimum of two-factor authentication should be in place and minimum security specifications rigorously enforced. Our machines must be encrypted, not just at the workstation but also at the server level. Remote access must always be brokered; direct access to a server via the internet is an absolute no-no.

Smarter machines are all well and good, but these precautions are all for naught if we do not also work on developing smarter people and practices. A security-focused education program is a vital step in buttoning up that “final mile” of network security. As attacks become more and more sophisticated (and frankly transparent), our people must understand how they might be manipulated and what constitutes good security hygiene.

In Case of Emergency…

Sometimes, despite our very best efforts, our security will fail. In this event, you must already have a plan in place. Have you addressed your backup strategy and identified how you might recover from an encryption event? Do you have a notification requirement, and is this ready to be activated? Do you have a solid partner who can work with you through this crisis?

If you haven’t already begun taking a hard look at your security, START TODAY. The issue is not if you will be compromised but when.