DIY Computer network security - Part II | Basic network security for 2022: Residential | Commercial


I. Provide a 101 for employees to minimise your attack surface

II. Educate yourself on PCI DSS compliance

III. Educate yourself on personal security

-----------------------------------------------------------------------------------------------------------------------

RegTech

Contact us today for a complimentary initial consultation.

regnatatech.com

-----------------------------------------------------------------------------------------------------------------------

I. Provide a 101 for all your employees on how to deal with unusual or suspicious behaviour

The saying, "Take care of (fill in word here), and it will take care of you" applies to this point. In other words, take care of your employees, and they will be your eyes and ears when you are not on site.

Being a business owner is about more than running a business effectively; it is about wearing the hats of HR (Human Resources), Business Operations and CISO (Chief Information Security Officer) simultaneously.

First, remember that each employee you hire costs you money: to train, to learn on company time, and to mold to your vision. If you treat each employee as someone who is only there to be told what to do, a revolving door of employees will follow. Your own impression and mannerisms will be reflected back as a lack of concern for the company's finances.

However, if you teach them, guide them and indirectly mentor them by expressing your passion for what you are doing as an entrepreneur, they will guard your company as if it were their own. This is an intangible benefit for the growth stage of your company, and it paves the way for how the company will be viewed by current and future employees. 

During orientation/training, provide a brief tutorial on what you consider to be suspicious behaviour, since an unprepared employee is a vulnerable endpoint for your business.

For example, you could provide a simple PowerPoint presentation and verbally walk through the importance of the following:

1. Anyone passing by areas which are normally reserved for employees. An attacker will be scoping out what security measures you have in place, and assessing how you respond to repeated passes or to someone loitering near restricted areas.

2. Attackers can repeat suspicious patterns of behaviour by spreading them out over days or weeks to conduct reconnaissance and see how consistent your responses are. This may be in the form of different people trying out the same behaviour over weeks, or modifying/changing the pattern until your employees fail to respond. 

3. Do not let anyone (clients/external customers) give an employee an external storage device (USB drive) to print files out, as this drive can easily contain malware or tools which can be used to exploit your computer network and bypass any security software. 

If you do allow this, as a courtesy to your clients/customers, dedicate a computer which is separated from your network and is used for this purpose only. 

4. What incentives you offer for reporting social engineering attempts which you can validate/confirm. For example, a customer may offer an employee a side job on their own personal time, and this may seem like an innocent request.

Explain to your employees that you do not care if they do something on their own time that is not company related; however, if that customer begins to establish a bond and starts asking them questions which ARE company related, that is YOUR concern.

Incentives may be scalable, such as providing a paid lunch break or some PTO (paid time off), depending on whether your employee is hourly or salaried.

II. Educate yourself on PCI DSS compliance

What is PCI DSS compliance?

The Payment Card Industry Data Security Standard is the set of requirements for companies that process credit card payments.

This is an article which provides an explanation on PCI DSS:

https://www.tripwire.com/state-of-security/regulatory-compliance/beginners-guide-pci-compliance/

The importance of being in compliance with PCI DSS is about more than minimising company liability; it is about catching patterns or anomalies which may seem insignificant at first and, over time (attacks on this scale always take time), reveal a pattern to the careful observer. You can put the pieces together not only to safeguard your business, but also for the industry in which you operate as a whole.

As network security professionals, Regnata Technologies looks for these patterns and cross-searches them against current geo-political trends which may or may not be related to what your network is experiencing. Case studies are a good way to conduct independent research if you find unusual behaviour in your log files/reports regarding social engineering attempts, and are curious about the global perspective when there is nothing else to go on.

III. Educate yourself on personal security

If you wonder why personal security is important in general, it is important for those close to you. You may not consider it necessary for yourself; however, an attacker does not need to harm you directly and will instead go for your weak point: those close to you. This saves the attacker time and money by forcing you to comply with their demands.

Basic steps to ensure personal security may include:

A. Purchasing a used, inexpensive vehicle to drive to your business and leaving your luxury car at your personal residence. You never know who is watching you and may see an opportunity to exploit your hard-earned financial success, especially if you have a revolving door for employees.

B. Have a personal bag with you at all times, which contains items for self-defense. As your business grows and thrives, so does your attack surface.

C. External commitments which are ongoing and personal, such as belonging to an exclusive club or having a membership at an affluent business, should be monitored for unusual events. These commitments are not dangerous by themselves; everyone belongs to some organisation.

However, any type of event where you come in contact with a person who wants to communicate with you may be an opportunity to attack you or your computer network. If the potential attacker requests to meet with you, you might feel the inclination to offer to meet with them at your personal residence or place of business. Instead, offer to meet them in a neutral area where you do not expose your computer network to a social engineering attack. Do not drive your luxury car, if possible, and use your work vehicle instead. 
