There is a myth that cyber security is too complex for the average, non-technical, business leader to understand. In this article, we’ll be disputing that myth.
If you are a CEO, doctor or technical expert, here are three basic principles that every cyber security expert will be following to secure your systems.
Principle 1: Physical Security
In simple terms, this means securing your servers in their own private room, behind a locked door. You would think this is obvious, but I’ve seen servers in closets, the CEO’s office, the accountant’s office, a bathroom, the company break room and more. Just as striking is leaving the door to the room open and accessible to anyone.
There is more to consider. Securing your server also means having a room where the server will be safe. There are several non-safe aspects to rooms:
- Power – Servers like consistent power. I’ve seen servers shut down when a floor heater, a coffee machine or a printer was turned on. I’ve seen electrical spikes from lightning storms take out multiple server motherboards. Clean power is very important to the security of your server and data. (Think about dedicated power outlets and an uninterruptible power supply (UPS) for each server, plus the software to shut the servers down gracefully when the power fails.)
- Air-conditioning and airflow – the colder the server, the happier the server. A server running in an 80-degree room can be hitting 110 degrees inside the case. Servers can permanently shut down at temperatures over 90 degrees.
- Backups – If you are doing your own backups, you must test those backups every three to six months. Typically, one in three tape backups no longer works. Your data backup cycle needs to include more than just one or two backups. Discuss with HR, accounting and other business leaders how long you’ll need old data before it is replaced.
- Internet of Things – This is the concept that our refrigerators, toasters and other appliances are being connected to the internet. We are seeing an explosion of connections to the internet, and it’s hard to track all the hardware that is connected. These non-traditional entry devices need to be identified and hardened (made secure) in the future.
Sometimes we don’t think of a lock on the door or a computer backup as cyber security. There are many more issues you might consider. Imagine this was your favorite pet. If you were going to leave it somewhere, how would you want it secured? Your servers probably need at least that much physical security.
Note: Moving systems into the cloud negates this need for physical security. This is one of the values of the cloud. Cloud providers will have a much more comprehensive physical security solution that includes guards, monitored access to servers and much more. It’s the equivalent of a very secure bank vault.
Principle 2: Authentication
With most networks, security is only as good as your company’s password policies. Think of a password like a physical key. If it’s given away, lent or stolen, there is no security until the lock is replaced. Sometimes we see buildings with multiple locks, where each key is separate and different. Technology has these types of systems as well: we can lengthen the password or require multiple passwords to log on with.
The problem is that the more complex the password, the more likely it will be written down someplace, which means it can be stolen. There is a social problem as well. There are about 10 common passwords that 25% of people use. Anyone who knows these 10 passwords can try each of them over the course of a month and gain access one time in four.
We recommend multi-factor authentication. We take the multi-key principle and automate a second, third or more keys into the process, keys that the user doesn’t even need to know about. They just plug in a small piece of hardware and can log on with the equivalent of 10 keys. Without the hardware, nobody can log on to the server (or a laptop, phone or tablet).
Contact us for our favorite multi-factor solutions.
Principle 3: Bit Comparison
The idea here is that if a hacker logs on, they’ll make a change on your server. This could be adding a new user, adding some code to the server, or even something as simple as a successful logon to the system. With bit comparison, we take a picture of every 1 and 0 on the server (or workstation, etc.). Then, each time the system changes, a report is sent to the admin. Most changes are expected and known, and the admin will be able to verify any change. The comparison software is also programmed to identify risky changes and report them to the admin (and anyone else). This way, any new software, user or change that a hacker leaves behind will be recorded and an alert sent out.
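The baseline-and-compare idea described above, as an added example written for this article (not a product or code from Business Cloud Services): it hashes every file under a directory, compares a later snapshot against the baseline, and flags changes under assumed high-risk paths (bin/ and etc/) for the admin’s attention. The sample directory and the changes made to it are constructed in a temporary folder.

```python
"""Added example (not from the original article): file-integrity baseline and compare using SHA-256."""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption: changes to paths under these directories are reported as high-risk.
RISKY_PREFIXES = ("bin/", "etc/")

def snapshot(root):
    """Walk root and return {relative path: sha256 hex} for every regular file (the 'picture')."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            baseline[rel] = h.hexdigest()
    return baseline

def compare(baseline, current):
    """Return the report an admin would receive: added/removed/modified paths plus the risky subset."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    risky = sorted(p for p in added + removed + modified if p.startswith(RISKY_PREFIXES))
    return {"added": added, "removed": removed, "modified": modified, "risky": risky}

def demo():
    """Constructed sample: take a baseline, then simulate changes an admin would want reported."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "docs").mkdir()
        (root / "bin" / "backup.sh").write_text("#!/bin/sh\ntar czf /backup/data.tgz /data\n")
        (root / "docs" / "notes.txt").write_text("quarterly notes\n")
        baseline = snapshot(root)
        # Simulated changes: an expected document edit, an unexpected script edit, and a new file in bin/.
        (root / "docs" / "notes.txt").write_text("quarterly notes\nadded a line\n")
        (root / "bin" / "backup.sh").write_text("#!/bin/sh\ntar czf /backup/data.tgz /data\necho extra\n")
        (root / "bin" / "newtool").write_text("placeholder\n")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline itself must be stored where a change on the monitored machine cannot alter it, or the comparison proves nothing.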
In this way, with physical security, authentication and bit comparison, we can dramatically improve the security of your network and your data. It won’t stop everyone, but it will stop 99.9% (or more) of the people. There are too many easier targets. Why risk the Secret Service knocking at your door? With these three tools, your systems will be both HIPAA compliant and PCI compliant. If you’d like our recommendations for the best security tools, please contact us.
Our team here at Business Cloud Services recommends the cloud because it offers a higher level of security at a much lower cost than you could achieve yourself. The cloud doesn’t charge for hardware (capital costs); it charges a simple monthly fee for using its servers, similar to a banking fee. Not all cloud security is the same. If you are looking for HIPAA or PCI compliance, you’ll need to pay for that, though far less than building it yourself, and much less than if you found yourself hacked.
To find out about our favorite cloud solutions, contact us here.