Have you ever gone through the process of buying a car? You look around and consider a particular model, maybe even in a particular colour – then all of a sudden you notice there is a much greater number of those cars on the road! It is as if magically there are more of these cars than ever before.
Over the last few months, we have been going through the ISO27001 certification process. This is a certification for information security, and it covers the culture, processes and practices of the business to ensure that data and systems are secure and fault-tolerant. Just like seeing everyone driving around in the same car, I started seeing the same security issues everywhere I looked.
As I looked, I noticed a few very different approaches to dealing with the problems we are all facing in managing cybersecurity. This article shares some radical ideas I have seen emerge in both our business and the organisations we work with that have dramatically reduced, or in some cases completely removed, entire classes of security threat. I call these approaches radical because they often seem to run contrary to popular wisdom or accepted practices – yet these ideas simplify security and make companies and employees much safer.
Idea 1. No attachments
Email has pervaded our corporate lives for decades now, and a seemingly essential part of email has been the ability to attach documents. Today, 92.4 per cent of malware is delivered via email – so it stands to reason that if you can disable email attachments, you remove a vast part of your organisation's attack surface and make everyone safer. The obvious problem is that everyone needs to be able to send and receive files to conduct business.
To solve the problem of not being able to send and receive attachments, online secure collaboration portals have taken the place of the file attachment. The process is that employees invite known partners into the collaboration portal, where the two parties can then share files securely. By forcing the parties sharing a file to collaborate via a channel other than email, vastly better security measures can be put in place to keep employees safe, such as multi-factor authentication and IP address geolocation filtering.
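The mechanics of "no attachments" are usually enforced at the mail gateway rather than by asking people to refrain. The following is an added example, not code from the article or from any product it mentions: a small inbound policy that walks a MIME message, records every part that is a file attachment, and rewrites the message as plain text with a notice pointing the sender at the collaboration portal. The portal URL and the two sample messages are constructed for illustration; the detection rule (a non-multipart part with a `Content-Disposition: attachment` header or a filename) is the same one a gateway filter would apply.

```python
"""Added example (not from the original article): strip file attachments
from an inbound MIME message and replace them with a notice that points
the sender to a collaboration portal. Uses only the standard library."""
from email import message_from_string, policy
from email.message import EmailMessage

# Placeholder portal address, assumed for the example.
PORTAL_URL = "https://portal.example.invalid"


def is_attachment(part) -> bool:
    """Return True for a leaf MIME part that carries a file.

    Multipart containers are never attachments. A leaf part counts if its
    Content-Disposition is 'attachment' or it names a file (inline images
    and documents still carry a filename parameter)."""
    if part.is_multipart():
        return False
    if part.get_content_disposition() == "attachment":
        return True
    return part.get_filename() is not None


def strip_attachments(raw: str):
    """Parse a raw RFC 5322 message and return (cleaned_message, removed).

    'removed' lists the filenames of the parts that were dropped. If there
    were none, the original message is returned unchanged."""
    msg = message_from_string(raw, policy=policy.default)
    removed = [p.get_filename() or "(unnamed)" for p in msg.walk() if is_attachment(p)]
    if not removed:
        return msg, removed

    # Keep the human-readable body (plain text preferred) and drop the rest.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""

    cleaned = EmailMessage(policy=policy.default)
    for name in ("From", "To", "Subject", "Date", "Message-ID"):
        if name in msg:
            cleaned[name] = msg[name]
    notice = (
        "\n\n[Attachments removed by policy: " + ", ".join(removed)
        + f". Please share files via {PORTAL_URL}.]\n"
    )
    cleaned.set_content(body + notice)
    return cleaned, removed


# Constructed sample: a two-part message with one zip attachment.
SAMPLE_WITH_ATTACHMENT = """From: partner@example.invalid
To: staff@example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please find the invoice attached.
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed sample: plain text only, nothing to strip.
SAMPLE_CLEAN = """From: partner@example.invalid
To: staff@example.invalid
Subject: Meeting
Content-Type: text/plain; charset="utf-8"

See you at 10.
"""

if __name__ == "__main__":
    cleaned, removed = strip_attachments(SAMPLE_WITH_ATTACHMENT)
    print("removed:", removed)
    print(cleaned.as_string())
```

In production the same function would sit behind a milter or a gateway hook and would also log the sender, recipient and removed filenames, which gives the security team a ready-made signal for who is still trying to move files over email instead of the portal.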
Idea 2. No network
Trying to maintain a secure network is incredibly challenging. It also creates a false sense of security that encourages lax security practices by some teams within the ‘secure’ network, providing a perfect environment for ‘lateral movement’ once an intruder finds a crack in the network’s defences. No network doesn’t really mean providing no networking infrastructure at all (even though that would be the most secure option!); it means not considering any part of the network to be more secure than any other.
This shift in thinking means you connect to other devices on the network using more secure channels like virtual private networks, and services developed to be available within the organisation are held to a higher standard of secure development practices and systems administration.
By treating every network like a ‘public’ network, people in all parts of the organisation change their attitudes and behaviours on that network. This leads us to the final big idea…
Idea 3. No fileservers
Well, not the traditional idea of a fileserver. The fundamental issue at play with fileservers is that even Microsoft’s latest protocol for fileserver authentication is chronically insecure, and the fileservers themselves require the concept of a secure network in which to operate. So once you treat the network as public, how do you support a traditional fileserver? The solution is to find an alternative.
What we found is that solutions like Google Drive Stream and Dropbox, amongst others, provide the convenient appearance of a file server for employees while at the same time providing a vastly more secure underlying protocol and many features that traditional fileservers cannot, such as integrated disaster recovery, cloud-based synchronisation and ransomware prevention.
Hopefully, these ideas provoke ideas for your own teams to consider or adopt. As usual, if you would like to discuss any of the ideas in this article further, don’t hesitate to send me an email, contact via our website, or send a tweet.
Image courtesy of Novalite