I’m not sure I trust another company to handle our sensitive data.

Security begins with the end in mind


Small business security basics

The first step you have probably taken to protect your company data is to deploy a firewall with web filtering, anti-malware protection and intrusion prevention capabilities. The second step is usually getting antivirus software on all your servers and workstations. Despite being security-conscious or bound by compliance, many companies stop here, not realizing they are still vulnerable. This could be because they have no email filtering, or have weak wireless configurations. Or they might allow employees to bring computers from home to the office without any security vetting, ignore people wandering around with unlimited access via USB drives, or even have no policies at all for everyday users of the corporate network. These are all substantial risks to your million-dollar organization. We don’t believe that basic security controls are a sign of distrust for your employees; rather, they reflect an understanding that computer crime is big business for crime syndicates and nation-states with limited local earning potential.

Security and network auditing

One of the benefits of having a networking and security consulting firm that also delivers outsourced IT services is an enhanced ability to successfully implement products and solutions through projects. Another great benefit is having a consulting firm experienced at security and network auditing. An audit is a systematic review of your network or security relative to industry and current best practices. Having us as an external eye on your operations can identify the usual suspects among security concerns.

Services from our audit practice are not included with outsourced IT, but can be added to help find major issues (or easy fixes) to reduce your likelihood of being a target compared with your competitors, or the business next door. Even if you do not feel your network has target-worthy data, hackers don’t always attack someone head-on; they will compromise Company A (you) to attack Company B (healthcare, financial services or another valuable target). This gives the attacker the ability to cover their tracks more efficiently: by connecting through your business, a hacker can delete all your logs and entries that point back to him. Don’t be a victim, or help victimize others, by ignoring basic security. An organization named the SANS Institute has been a pioneer in organizing effective cyber defense. They have even detailed what they consider to be the 20 Critical Security Controls (CSC20) that businesses should use to protect their networks. Our audit practice typically sees only one or two of these controls being partially attempted in small businesses, meaning many firms – and maybe yours – are fairly vulnerable to attack.

The only secure computer is one that is powered off.

Beyond technical security concerns there is also a rarely perceived human element. Kevin Mitnick, the world-renowned social engineering hacker turned security consultant, says the “secure computer” quote above is not true, because a good pretexter can get you to turn it on and give him access. A “pretexter” is an attacker with great social skills who is very likable and is able to get well-meaning employees to give him trusted access.

According to the 2015 Verizon Data Breach Investigations Report, after investigating more than 500 cyber security incidents across 40 countries, hacking and malware are the top two threats to organizations. However, social tactics were used in about 20% of the confirmed data breaches, making them third on the list. The primary means of social targeting was email, estimated at 72%, followed by in-person deception at 18% and phone calls at 12%. Using information from websites and social media like LinkedIn, attackers are able to send targeted trick emails to your business’s accountants and controllers using the President’s name and email address. Armed with this information, they then ask for checks to be cut to random locations and actually get people to comply. Companies should make sure to educate their teams using Security Awareness training to protect themselves in these areas, because no known technology can prevent these attacks when end users make a bad choice. Beyond the human element, the Verizon report goes on to add the importance of knowing your devices to reduce your exposure, properly deploying and configuring your tools for security scanning, and understanding the capabilities of the currently available malicious software.

To protect your environment, it is up to an executive sponsor to recognize the importance of balancing security and business productivity. Only you, as a leader, have a sense of the value of the organization to recognize the potential risks of not doing enough to protect it. But some IT-level thinkers may push for extreme security measures, forgetting about the inverse relationship between security and usability. Security is important, but people still need to work. Team members not being able to perform their duties will put a company out of business just as surely as hacking, ransomware or other malware activity. Make sure you have access to high-level thinkers who recognize the difference, like a Certified Information Systems Security Professional (CISSP). These experts can help you get more secure and maintain that balance (and stay in business). While it is important for us to conduct quality internal, external, wireless and application security scans, it is just as important for us to provide prioritized feedback to you. We can make sure you invest your limited resources in the most effective solution, whether it is technological or people-related.
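The executive-impersonation email described above leaves detectable traces in the message headers even when the lure text looks convincing. The following is an added example, not code from the original page or from The Fulcrum Group, of a simple triage check a mail administrator could run on inbound messages; the company domain, executive name and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed corporate domain (constructed)
# Executive display names mapped to their only legitimate mailbox (constructed).
EXECUTIVES = {"pat president": "pat.president@example.com"}
# Phrases typical of the "cut a check" lure; a weak signal on its own.
PAYMENT_PHRASES = ("cut a check", "wire transfer", "urgent", "gift card")


def _norm(name: str) -> str:
    """Lower-case and collapse whitespace so 'Pat  President' matches."""
    return " ".join(name.lower().split())


def impersonation_findings(raw_message: str) -> list:
    """Return the reasons this message looks like executive impersonation."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    findings = []
    # 1. An executive's display name, but not the executive's mailbox.
    expected = EXECUTIVES.get(_norm(name))
    if expected and addr != expected:
        findings.append(f"display name '{name}' used from {addr}, expected {expected}")
    # 2. Reply-To quietly redirects the conversation outside the company.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr and not reply_to.endswith("@" + INTERNAL_DOMAIN):
        findings.append(f"Reply-To {reply_to} is outside {INTERNAL_DOMAIN}")
    # 3. Payment language is only reported once a header signal has fired.
    body = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + " " + body.decode("utf-8", "replace")).lower()
    hits = [p for p in PAYMENT_PHRASES if p in text]
    if findings and hits:
        findings.append("payment lure phrases: " + ", ".join(hits))
    return findings


# Constructed sample messages: one impersonation attempt, one genuine note.
SPOOFED = """From: Pat President <pat.president@freemail-provider.example>
Reply-To: accounts@freemail-provider.example
To: controller@example.com
Subject: Urgent - need a check cut today

Please cut a check to the vendor below and keep this quiet.
"""
LEGIT = """From: Pat President <pat.president@example.com>
To: controller@example.com
Subject: Lunch

See you at noon.
"""
```

The header checks run on any message; the phrase list is deliberately a secondary signal so routine mail that merely mentions "urgent" is not flagged.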

Compliance versus security

In our organization we spend a lot of time working on security and compliance. Note that those are two different things – just because you are compliant does not mean you are secure. The Fulcrum Group consults with and supports both healthcare organizations (Covered Entities) and organizations that support them (Business Associates). As a business associate ourselves, we are now required to adhere to all the administrative, physical, and technical guidelines related to the three laws identified below.
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health (HITECH) Act
• Texas law H.B. 300
As we work with Security and Privacy Officers at our client sites, we assist them in making smart decisions about the policies and procedures they follow, to protect themselves and the electronic Protected Health Information (ePHI) they are likewise charged to protect. The challenge in a quality risk analysis is being able to extract the right details from the right people and build a compendium of information for their Book of Evidence. Compliance efforts should include advising on Security Awareness programs, Disaster Recovery planning, Breach Notification protocols and other procedural items to complement their technology.

Managed IT Solutions Resources

Check out these security posters you can hang in your office to create security awareness.