Examine who has access to business data and accounts. Understand the importance of limiting employee and third-party access to certain networks and accounts.
- [Instructor] Inventory lists need information about data and devices, hardware and software. Another key item to put on an inventory list is who has access to the data and devices. Who has the keys to your kingdom, both within your organization and from the outside as a contractor? Cybersecurity professionals are taught the Principle of Least Privilege. Simply put, this foundational principle means giving users only the minimal privileges their job requires.
If you don't need access to a system or data to do your job, you should be kept from accessing it. This principle minimizes the attack surface within an organization. If you were in charge of the local zoo, would you give every employee the keys to the lion exhibit? The Federal Trade Commission brought a case against Twitter because they gave administrative permissions, or access, to more employees than needed. That increased the number of potential opportunities for hackers. We've talked about the people accessing the systems and devices.
Now let's think about the devices that access the systems. Not all computers need to talk to each other or the network in your organization. Computers used for making financial transactions should be kept separate from the network or other business. If you can afford to purchase a device that is used for financial transactions exclusively, meaning no one opens email or goes on social media on that device, that will help limit the opportunities for criminals to access financial accounts.
The Federal Trade Commission also brought a case against the shoe company, DSW, because they were breached when a computer at a local store was compromised and then used to access the company network to steal credit card numbers. The FTC asked DSW to stop letting all store computers access the main company network, which then limited the number of open holes to be exploited. One of the most important access policies you can have concerns how you deal with terminated employees or employees leaving the company.
When you have a thorough inventory and access list, you'll know before an employee leaves what account access needs to be terminated. Your company is at risk when an employee leaves with login and passwords that are still valid and can be used to access accounts and steal data. Be sure you know who has access and how you can take away their access in a timely manner when they leave. Third party vendors or contractors can be an important partner in getting your business done. Sometimes a company needs to give network or account access to these partners.
The Target breach of 2014 happened, though, because the login used by their HVAC firm was compromised. Not only do you have to secure your own system, but you should choose partners who also have good security. CA Technologies has created a guide called Five Best Practices to Manage and Control Third-Party Risk. Key recommendations include using strong authentication to validate users, building in access controls and processes that validate users using technology, and monitoring network activity for suspicious events.
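The access review the instructor describes, comparing an account inventory against the HR roster, against what each role actually needs, and against the third-party authentication recommendation, can be turned into a repeatable check. The script below is an added example, not course material: the roles, privilege names, accounts and roster are all constructed for illustration, and the policy table is a hypothetical stand-in for whatever your organization documents as the minimum access per job.

```python
"""
Added example (not from the course): a periodic access review that flags
(1) accounts still enabled after their owner's termination date,
(2) accounts whose privileges exceed what their role needs (least privilege),
(3) third-party accounts without strong (multi-factor) authentication,
(4) accounts whose owner is not on the roster at all.
All roles, privileges, accounts and people below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical role policy: the maximum set of privileges each job needs.
ROLE_POLICY: Dict[str, Set[str]] = {
    "cashier": {"pos_app"},
    "store_manager": {"pos_app", "store_reports"},
    "sysadmin": {"pos_app", "store_reports", "domain_admin"},
    "hvac_vendor": {"building_controls"},
}


@dataclass
class Account:
    username: str
    owner: str                 # employee or vendor id from the roster
    role: str
    privileges: Set[str]
    enabled: bool
    mfa: bool
    is_third_party: bool = False


@dataclass
class Person:
    person_id: str
    termination_date: Optional[date] = None   # None means still active


# Constructed roster: E300 left on 1 March 2024; V001 is a vendor contact.
SAMPLE_ROSTER: Dict[str, Person] = {
    "E100": Person("E100"),
    "E200": Person("E200"),
    "E300": Person("E300", termination_date=date(2024, 3, 1)),
    "V001": Person("V001"),
}

# Constructed account inventory.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("jdoe", "E100", "cashier", {"pos_app"}, True, True),
    Account("msmith", "E200", "store_manager",
            {"pos_app", "store_reports", "domain_admin"}, True, True),
    Account("rjones", "E300", "cashier", {"pos_app"}, True, True),
    Account("hvac-svc", "V001", "hvac_vendor", {"building_controls"},
            True, False, is_third_party=True),
    Account("oldtemp", "E999", "cashier", {"pos_app"}, True, True),
]

Finding = Tuple[str, str, str]   # (username, finding_kind, detail)


def review_access(accounts: List[Account], roster: Dict[str, Person],
                  today: date) -> List[Finding]:
    """Return one finding per policy violation found in the inventory."""
    findings: List[Finding] = []
    for acct in accounts:
        person = roster.get(acct.owner)
        if person is None:
            # Nobody on the roster owns this login: it cannot be offboarded.
            findings.append((acct.username, "orphaned",
                             "owner not in HR roster"))
        elif (person.termination_date is not None
              and person.termination_date <= today and acct.enabled):
            findings.append((acct.username, "terminated_but_enabled",
                             f"owner left on {person.termination_date}"))

        # Least privilege: anything beyond the role's documented need.
        excess = acct.privileges - ROLE_POLICY.get(acct.role, set())
        if excess:
            findings.append((acct.username, "excess_privilege",
                             ", ".join(sorted(excess))))

        # Third-party logins should use strong authentication.
        if acct.is_third_party and acct.enabled and not acct.mfa:
            findings.append((acct.username, "third_party_no_mfa",
                             "vendor account without strong authentication"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in review_access(SAMPLE_ACCOUNTS, SAMPLE_ROSTER,
                                            date(2024, 3, 15)):
        print(f"{user:10} {kind:24} {detail}")
```

Run it as-is to see the four sample findings; in practice the roster would come from HR and the account list from your directory or each application's admin export, and the review would be scheduled (for example weekly) so that an account left enabled after someone's departure is caught within days rather than discovered after a breach.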
Knowing what data and devices you have, and who has access to them, will give you the foundation and understanding needed to start protecting your valuables.