The world in which we live today has introduced us to some new and unimagined challenges. Amongst those is the increase in cyber security threats.
Several surveys taken in May indicated that 43% of the US workforce was working remotely, compared to the 16% the US Bureau of Labor Statistics reported back in October 2019. This incredible increase has opened the door to cyber threats as businesses struggle to adopt remote working technologies and policies.
Fortunately, here at UCS, we already had the technologies and policies in place for remote working and were able to implement an increase in telecommuting overnight.
Data and system security have been, and continue to be, a priority at UCS. We have partnered with a third-party expert to manage this critical element of our business. The depth of knowledge and experience they bring to us 24/7 would be cost-prohibitive if we attempted to handle this ourselves in-house.
I asked our contact to put together a short overview of the security utilized by UCS. Here’s what he had to say about the lengths we go to secure data:
'United Credit Service incorporates what we refer to as the “security layering technique”; no single piece of technology alone mitigates any risk associated with use of corporate data, but instead together each piece overlaps and encapsulates the other to prevent unauthorized access to corporate systems and data. Like tumblers on a lock, the only method to access data is to use the correct keys.
The following are additions added to the UCS network and are a part of today’s business standards to protect corporate networks from breaches and data leaks.
At the border of any protected network there is an appliance and/or software package inspecting all incoming and outgoing packets. Through use of rules, you allow only the traffic that is necessary to send and receive data for authorized business use. However, firewalls now encompass more than just packet inspection and rules, and the following are items that any modern firewall should include.
- GeoIP Blocking – the use of rules to limit the traffic coming and going to entire countries, as most malicious activity takes place in countries that do not have any need to access your systems
- Intrusion Prevention and Detection – inspection of packets to discover any malicious activity that may be embedded in standard traffic processes and log and/or block based on patterns
- Outbound Rules – while inbound traffic rules are common, the use of outbound rules to limit traffic such as SMTP to come from only authorized internal systems allows prevention of malware and viruses
The concept of anytime and anywhere access for our employees is key to productivity, along with the necessity to transfer data to and from authorized companies to allow for the sharing of data and information. However, simple public access rules and “emailing files” have created security risk to any company. Incorporation of simple technologies can mitigate most risks by encrypting your data.
- VPN Clients – instead of public RDP servers, encourage the use of employee VPN software to force data traffic into your protected network from non-business owned systems
- IPSEC Tunnels – when you must actively trade data to and from other businesses, discuss the use of tunnels that create active bridges between you and them using the public Internet while encrypting and hiding the data from unauthorized snooping
- Encrypted Email – sometimes you must send sensitive records via email, such as phone numbers, SSN and credit card data. Vendors offer encryption technology that prevents the email from actually sending to a user and instead forces them to come into your system and disallows printing and downloading and even forwarding
Flat networks are a thing of the past. With voice, security camera, storage and virtualization data all intermixed in the data network you risk exposure to sensitive data with a breach in any one of those sub networks.
- VLANs – virtual local area networks allow you to subnet and route internal traffic so that, while the physical network and switching remain the same, the underlying technologies’ traffic is NOT intermixing together
- Guest Wifi and Hidden SSIDs – if employees can join their personal devices to the same data network as the corporate systems, then you risk exposure from unknown devices and even further ones that do not have the same strict protection on them as business systems; as well, if your wireless network's SSID broadcasts and can be found, you risk “wardrivers” that can attempt to crack into your network without physically being in your building
- Traffic and System Monitoring – when you are not monitoring what your network and systems look like during normal processing, how can you spot abnormal traffic patterns that could be malicious? Use software that monitors not only the installed programs, services, and processes running on all systems but also the bandwidth consumed from each system to more easily spot intruders
END USER PROTECTION
Every end user system is potentially vulnerable to system attacks from viruses and malware, and end users themselves are possibly the riskiest “system” you have. However, we actively incorporate technologies and training together to protect data.
- System Patching – weekly and/or at most monthly system patching must occur, as most malware and viruses take advantage of vulnerabilities that have been patched by vendors that businesses simply have not installed
- Antivirus/Antimalware – though only 40-60% effective, some protection is better than nothing, and most software in this category includes methods to block things like USB flash drives, unauthorized copying of data and prevention of certain file extensions from running
- Policies and Procedures – whether they be system policies, like password complexity and how often you change passwords, or business procedures, like acceptable use policies, any business should follow industry standards set by the SANS Institute, including their free-to-use policies and best practices guidelines
- End User Training – if your employees are never told how to spot phishing attacks, proper ways to give out information over the phone, spotting unauthorized building access, or many of the other items that have no real technology protection you continue to expose the greatest risk to any business; the employee themselves'
There may be portions of what's written above that many of us without IT backgrounds cannot fully understand, but hopefully everyone can appreciate how seriously we take data security, yours and ours alike.
Working with our third-party vendor we will continue to implement changes as necessary and as technologies evolve. Cyber security requires that we never simply rest and assume we have the latest and greatest because, as we all are very aware, things can change in a heartbeat.