Protecting Your Systems in 2022
2021 offered an unprecedented number of challenges to small business information systems.
I wanted to take a few minutes to talk about the overall strategies that I’ll be using to protect my clients in the coming year.
Defense in Depth
There’s no such thing as a magic pill. Not one product, not one solution, not one strategy that can safeguard IT assets 100% of the time; anyone who tries to convince you otherwise is trying to sell one. And if you believe that sales pitch, you’re already falling into a trap of the mind; you’re already making too many assumptions and assumptions won’t keep you safe.
Instead, it is more rational to perceive risk in terms of layers of control.
Here are some examples:
one layer controls the physical access to a network;
another controls the wireless access to a network;
another controls the remote access to a network;
another layer authenticates who you are to that network;
another defines what software you do or do not have access to.
Five layers, five controls.
Over time, we can measure and test our controls to prove that they work, and we can say - with some degree of certainty - that our systems are secure.
Security, after all, is just a feeling: it is the confidence that we have in our safeguards. If you’re not already managing your IT in layers, how can you have any confidence that your systems are secure? Well, you can’t - you’re just making assumptions - and assumptions do not equal confidence.
Cloud Computing
Most small businesses do not have computer and network expertise on-staff. And aside from the talent problem, managing IT assets and information systems is extraordinarily risky and costly. So unless computer expertise is a core-competency, why do it?
It is far better for small businesses to outsource that risk and push it onto the backs of vendors who can operate at a better economy of scale and can manage IT better than them.
Somebody like Google can manage your email more cost-effectively than you can, and they have an army of professionals safeguarding your data. So why not let Google handle your email instead of running your own email server? The same could be said for applications, files, phone calls, databases, and device management.
In doing so, small businesses transform IT into an always-on utility - a system like electricity and water - allowing for the most reliable, cost-effective access, using any device, anywhere.
You don’t keep an electrician on-hand to deal with electrical problems, right? And you don’t keep a plumber on your payroll to handle the plumbing problems and run more water into your building. The same should be for your IT. Outsource the risk; transform IT into a utility.
In 2022, I’ll continue to push my small business clients to abandon running their own on-prem servers and devices, and to leverage cloud computing to the greatest extent possible.
Identity and Access Control
One of the biggest challenges we have in IT today is this concept around stealing somebody’s identity to gain access to a confidential system. This is primarily done with phishing attacks. A bad actor sends your team an email that looks legitimate. They click on a link and are brought to a website that looks and feels legitimate, but is really set up by the bad guys to capture their username and password to a secure system.
It’s a huge problem and employee training isn’t enough. The bad guys get more sophisticated every day. We need technical controls that adapt - using machine learning (ML) and artificial intelligence (AI) - to spot the phishing attack and prevent the user from evening seeing it. Google’s Gmail uses these tools to constantly screen attacks from aggressors intending to steal ident information from your employees.
Combined with good password management policies, multi-factor authentication, and admin alerts controlling end-user access, adaptive ML/AI promises to reduce these effects significantly. In 2022, in my role as a Google Partner, I’ll be continuing to help my clients get the greatest benefit from their cloud platform investment by securing their identity.
Endpoint and Mobile Device Management
Another vector of attack against your systems is through exploiting the human propensity to procrastinate and ignore risk.
A good example are computer security updates. Many users will deliberately tell their computers to not apply updates, or, won’t restart their machines after receiving updates. This prevents the system from receiving necessary software updates to help protect them, and over time, the lack of patches creates huge holes that aggressors can drive a truck through.
Endpoint Management (EPM) uses software to regulate the compliance of managed computers so that they’re always receiving their security patches. EPM also takes care of things like viruses, malware, and intrusion detection. It provides a set of tools to remotely manage assets to bring them back into compliance and safe to use.
Mobile Device Management (MDM) uses similar controls to verify that the devices approved to remotely (like mobile phones, tablets, and laptops) access company information are controlled.
Used in conjunction with each other, MDM and EPM alert administrators to take action if a machine continuously falls outside of the range of acceptable patching, suffers from malware or an attack, prevents unauthorized, lost, or stolen devices from accessing secure information, and provides dashboard-level pictures of the overall security posture of a company. It’s the best, most cost-effective way to prevent loss … rather than reacting to loss.
In 2022, I’ll be attempting to convince most of my clients to join my endpoint management program and implement MDM to best control their systems.
Managed Browsers
Increasingly, phishing attacks come not just from email but from what are referred to as browser hijacks. Websites and software will redirect the user’s browsing activities to websites that attempt to steal ident credentials or Personal Private Information (PPI). Hijacks threaten not only the user but any confidential information that may exist on their computers.
These risks demand that an IT control be extended to Internet browsers. Managed browsers are browsers that exist on any device anywhere but they receive a central set of policies. These policies dictate how the browser can be used, when it can be used, what sites and software are okay to use - and which ones aren’t - and prevents the user from accessing known-bad websites that could harm them.
In my role as a Google Partner, in 2022, I’m going to help a majority of my clients by deploying managed browsing policies governed by their Google Workspace investment to help keep their teams safe while using the Internet.
Perimeter Control
There are logical software components to every network. These components control the logical flow of information. You’re probably familiar with these devices by their names of routers, switches, bridges, and gateways. Most are simple computing appliances without a high degree of security built-in to them.
These devices do their work day in and day out and most of the time, you don’t have to even think about them. However, over time, their firmware needs to be updated; for the same reason we patch computers, we must also patch these devices. Aggressors realize that this equipment often goes unnoticed and unsecured because it’s not something most people are thinking about.
Well, I’m thinking about it. In 2022, I’ll be helping my clients identify their network’s perimeter infrastructure, either patching or replacing suspect equipment, and implementing tighter security controls over them.
Training
All the ML/AI in the world can’t beat human instinct or well-trained human behaviors. Technical controls to help secure the workplace are great but real security - real confidence - begins and ends with training people.
Your team must be brought up to speed about the most recent threats and concerns, and given tools to help them navigate the risk.
Sometimes, the best training simply interrupts an emotional response to a problem … to get somebody to just question clicking on a link so they can ask for more advice is an interrupt that a hacker can never thwart. The most skilled hacker can rarely beat an attentive, trained human! They’re counting on the human to not be paying attention, to not be trained.
Therefore, technical controls aren’t enough. This next year, I’ll be pushing training to help teach and inspire others to take these threats seriously. Further, responding to these problems by dealing with them in-depth, through implementing layers of controls, through shifting more and more risk to cloud providers, by implementing strong controls over identity and Internet browsing, and through inspecting the perimeters of our networks, will help instill a stronger sense of security for my clients next year.
R