Sponsored Content by Finley & Cook
It seems like cybersecurity concerns grow by the day, with no hope in sight. We’re being buried under a landslide of requirements that we can barely track. What if there is a better way? What if you could, for once, do less and benefit more? There is a common joke that points the way.
The doctor says to the patient, “What seems to be the trouble?”
Raising his arm, the patient says, “It hurts when I do this.”
The doctor says, “Don’t do that.”
Three tips regarding cybersecurity will illustrate this common sense principle. Cybersecurity sometimes seems like a problem that only an expert can help with, but there are quick and easy ways to be more secure without lots of cost or effort. Continue reading to see how you can benefit.
Get Rid of the Data
You don’t need to secure data you don’t store. That’s just as obvious as what the doctor says in the joke, and just as true. We all keep data much longer than we really need it. As an organization, though, it is important to get rid of old data that is no longer needed. Reducing your stored data reduces the storage cost as well as backup costs and effort. Just as importantly, reducing the data stored makes securing the remaining data that much easier.
When you start identifying and deleting old data, don’t forget about old hard drives lying around and old backups that may be stored in an obsolete format. All those sources of data are of little use to the organization, but they are a huge data-leakage risk. Getting rid of them will immediately improve your security posture.
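The first step in “get rid of the data” is knowing what is sitting past its retention period. The following dry-run scanner is an added example, not code from the article or from Finley & Cook; it builds a small constructed directory tree, then lists every file whose last-modified time is older than a retention window (365 days here, an assumed value). It deletes nothing, so the list can be reviewed against legal-hold and business needs before anything is removed.

```python
"""Dry-run retention scan: list files not modified within a retention window.
Added example (not from the original article); the directory layout, file
names and the 365-day window are constructed assumptions."""
import os
import tempfile
import time
from pathlib import Path

DAY = 86400  # seconds


def find_stale_files(root, retention_days, now=None):
    """Return sorted paths under `root` whose mtime is older than the window.

    Nothing is deleted here; the caller reviews the list first.
    """
    now = time.time() if now is None else now
    cutoff = now - retention_days * DAY
    stale = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.stat().st_mtime < cutoff:
            stale.append(path)
    return sorted(stale)


def build_sample_tree():
    """Constructed sample tree: one fresh report, one two-year-old export,
    one three-year-old backup in a legacy format.  Returns (root, now)."""
    root = Path(tempfile.mkdtemp(prefix="retention_demo_"))
    now = time.time()
    ages = {
        "reports/q1_summary.xlsx": 10 * DAY,           # still in use
        "exports/customer_export_2021.csv": 730 * DAY,  # forgotten export
        "backups/payroll.bak": 1100 * DAY,              # old-format backup
    }
    for rel, age in ages.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample content\n")
        stamp = now - age
        os.utime(p, (stamp, stamp))  # back-date mtime to simulate age
    return root, now


def stale_report(retention_days=365):
    """Build the sample tree and return the stale file names (relative)."""
    root, now = build_sample_tree()
    stale = find_stale_files(root, retention_days, now=now)
    return [str(p.relative_to(root).as_posix()) for p in stale]


if __name__ == "__main__":
    for name in stale_report():
        print("stale:", name)
```

Run it as-is to see the two aged files flagged; point `find_stale_files` at a real share with a retention period from your policy to produce a review list. Sorting by path keeps the output stable for comparison between runs.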
Another way to eliminate data from your facility is to outsource certain aspects. For example, many organizations outsource some accounting functions, or payroll, or certain functions related to gaming. Your website and email are obvious first choices to move to a cloud platform. Doing this, while changing the policies and procedures impacted, will greatly improve your security as an organization.
Stop Changing Passwords
First, of course, it is important to follow whatever rules and guidelines your organization has implemented. Most organizations still have periodic password change requirements. If you are the one writing those rules, though, or you have an influence, the jury is in – routine password changes hurt more than they help. The problem, as the NIST 800-63 publication puts it: “When password changes do occur, people often select a secret that is similar to their old, memorized secret.” So it doesn’t help much, and it causes lots of unnecessary activity. Instead, current best practice is to have long passwords – 12 characters or more – but not require changes unless there is a system change or suspected compromise.
Bear in mind, though, long passwords alone simply aren’t enough these days. Please implement another authentication “factor” on any platform that supports it. For example, if you use Office 365, enrolling your smartphone with the Microsoft Authenticator app is quick and easy. This is an example where a penetration test is not helpful at all until you make these basic changes, which change the whole game.
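The password guidance above translates directly into a policy check. The code below is an added example, not from the article or from Finley & Cook: it enforces the 12-character minimum the article recommends, rejects a small constructed blocklist (standing in for a real breached-password corpus), treats only a system change or suspected compromise as a reason to rotate (never the calendar), and flags a new password that is merely a variant of the old one, which is exactly the behaviour the quoted NIST sentence describes. The 0.8 similarity threshold is an assumed value.

```python
"""Password-policy check aligned with the NIST 800-63 guidance quoted above.
Added example (not from the original article); MIN_LENGTH follows the
article's 12-character advice, the blocklist and the similarity threshold
are constructed assumptions."""
import difflib

MIN_LENGTH = 12
# Constructed stand-in; a real deployment checks a breached-password corpus.
BLOCKLIST = {"password1234", "changeme2024", "welcome12345"}
# The only events that should force a change; elapsed time is not one.
ROTATION_TRIGGERS = {"system_change", "suspected_compromise"}


def similarity(old, new):
    """Ratio in [0, 1]; 1.0 means identical.  Compared case-insensitively so
    'Summer2023!' -> 'summer2024!' is still caught as a trivial variant."""
    return difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio()


def rotation_required(event=None):
    """True only for a triggering event, never because N days have passed."""
    return event in ROTATION_TRIGGERS


def check_password(candidate, previous=None, max_similarity=0.8):
    """Return (ok, reasons).  `reasons` is empty when the password is ok."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in BLOCKLIST:
        reasons.append("appears in blocklist")
    if previous is not None and similarity(previous, candidate) >= max_similarity:
        reasons.append("too similar to previous password")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample: the classic 'bump the year' rotation.
    print(check_password("Summer2024!", previous="Summer2023!"))
    print(check_password("correct horse battery staple", previous="Summer2023!"))
    print("rotate after 90 days?", rotation_required("90_days_elapsed"))
    print("rotate after compromise?", rotation_required("suspected_compromise"))
```

The similarity check is the part worth keeping: a rotation policy that lets “Summer2023!” become “Summer2024!” produces the churn the article describes without changing what an attacker who knows the old secret can guess. Store only the previous password’s hash in production and compare at change time, when the plaintext of both is briefly available.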
Let People Use Their Own Devices
Okay, this tip is still controversial in some organizations, but it probably shouldn’t be. Most employers have found that allowing at least basic use of smartphones or tablets by their employees during work hours is helpful to the security of the network. The alternative is that folks try to put music and weather apps on their work computers, leading to daily changes in the security posture of those systems.
Note that I’m not necessarily recommending full-on “Bring Your Own Device” (BYOD) and everything that entails. Many organizations can benefit greatly from full BYOD-style rules, enabling workers to use applications on their own phones to work with organizational data. Those with more sensitive data, though, may be more restrictive. Even then, you will want to provide “public” Wi-Fi for employees to use with their own devices and their own data. Keeping the network separated in this way will help keep each activity distinct and limit accidental mixing of data.
Don’t Do That
So you see, the doctor’s advice is just as useful in cybersecurity. When you store data you don’t need, it hurts. When you force frequent password changes, it hurts. When you restrict folks from having access to their own devices and data, it often hurts. The answer is Don’t Do That, if your organization will allow it. In every organization, there are countless more areas this will help in a similar manner. Look at your own daily processes, paying special attention to any “pain,” to see if you can make positive changes.
Whatever you do, when you reach out for help with cybersecurity, focus on finding someone with experience in your industry. Any good security firm will be able to help you, but someone with experience in your industry will be much more cost-effective. Some firms focus on healthcare, police and fire, or industrial controls. Finley & Cook, PLLC has specifically helped clients in Tribal government, Tribal gaming and hospitality, and Tribal enterprises. This allows us to develop techniques unique to those clients. Consulting with experts who have experience in your industry is one of the best ways to quickly uncover the cybersecurity changes that will make you more secure. Hopefully some of the changes also eliminate a little bit of pain in the process.