Authored by: Lynn McIntier and Bob Green – SL Business Informatics
Information security is a discipline with many moving pieces and involves fighting ever-changing risks. We all know the adage – what may be good security today may not be sufficient security tomorrow. If you’re responsible for the safekeeping of your business’ vital assets, including its information – this is a quick reference for you, as you navigate the current and riskier-than-normal climate we are in.
More specifically, this post provides some tips on what you can focus on now to ensure your business information security is prioritized. Let’s agree, too, that resources are getting more scarce, blame is abounding, and hackers seem to have even more time on their hands. Not a good combination.
Before we share – be aware that our list below is not a recipe to mitigate all your information security risks; that takes a formal assessment of your unique business and risks (we perform these, yes) – but they are intended to give the reader some very relatable actionable items for consideration. If you have questions, contact us, of course.
- O365 External Backup – Consider performing an independent backup for O365 data (e.g., Email (Exchange Online), OneDrive for Business, SharePoint Online, Microsoft Teams). Microsoft has their own backup systems in case of an emergency such as an outage or security breach but recovery could take a significant amount of time depending on how many Microsoft customers are impacted. We recommend implementing an independent backup of O365 data.
- Security Awareness Training including Phishing Tests – Consider utilizing 3rd party training and testing solutions – the sooner the better. This will raise user awareness of how to identify and block attempts to introduce malware or hack your systems. Training is used to educate the users on what to watch for and testing reinforces their understanding through mock examples (based on real threats).
- Single Sign On (SSO) with multi-factor authentication – SSO solutions that are integrated with your network authentication (Active Directory) ensure that users are authorized (active) before granting access. Access can be disabled from a single system (Active Directory), rather than individual systems with different administrators. With the addition of multi-factor authentication, hackers must have access to multiple systems to breach the network perimeter and access you applications and data. Various multi-factor options are available – and SSO systems are flexible to use with different device types (e.g., iPhone, Android phone, laptop, etc.).
- Mobile Device Management (MDM) – This option institutes a managed system for the manner in which users can access and work with your corporate computing resources via mobile devices such as phones, tablets, laptops, etc. Once the mobile device is ‘registered’ with the MDM system, the device can access your systems including email, operations software, Teams, etc. The MDM system can enforce security protocols such as access mechanisms (e.g., pin codes, biometric checks, etc.) before providing access to the device. Additionally, access to your systems can be disabled from a single-system if the device is lost or stolen.
- Replace personal computers with company issued laptops – If you’ve not already learned this lesson, or been warned about the inherent risks – please consider it, now. It’s best that your corporate computing is done on corporate devices. This ensures that systems meet the security standards already established (e.g., configuration, antivirus, etc.) by the corporate systems administration.
All of these can be performed by competent IT managers with proper education and training in these tools and technologies. They apply now, while we’re a mix (or exclusively) safe-at-home, and back in the business office. If you have questions on any of these, or want to discuss how we can help with an IT Risk assessment tailored for your organization, please email us at [email protected].
Lynn McIntier, CISA, and Bob Green, CPA.CITP CGMA, serve as Director and Lead Partner, respectively, in SingerLewak’s SL Business Informatics practice. With respect to the topics around information security and IT infrastructure and risk, we are completely objective, product agnostic, and experienced as IT leaders for our clients. For more information about the practice area, click here . Thanks for reading.