Enterprise security, finding the balance between protection and performance


It is obvious: no enterprise wants to discover a security breach in its IT systems and applications and make the news with its data spread all over the Internet. Cybersecurity is an obligation that every enterprise must meet; and today, enterprise security goes well beyond IT systems and applications.

In the last few posts, we discussed the many advantages of Cloud Services, of which cybersecurity is a key one: data protection (encryption on the wire, sometimes in the database, protection from hackers, backups, etc.). So, what about IT systems and applications in particular, and your enterprise in general?

Protect but don’t affect

The reality is that major cybersecurity breaches carried out by hackers that make the news are very rare events. The vast majority of enterprise security problems, including those affecting IT systems, are due to organisational laziness (nobody wants to take responsibility for security) and human negligence (employees).

Every department is reluctant to put security measures in place. As a result, enterprise security very often comes after productivity and profitability concerns, far after…

Evidently, not all enterprises need the same level of security, whether for IT or anything else.

So, the question is: what is the right balance between protection and performance for my enterprise?

To help define the right balance of enterprise security, here are a few basics to consider:

  • Is my enterprise in the « Cloud », or do we have our own servers?
  • Does my enterprise host its critical applications itself?
  • Are our applications Windows-based, Web-based or both?
  • Are we using a Web hosting service?

Further down, we explain in detail how to proceed; that is, how to identify risks and where to apply enterprise security measures.

5 basic sources of enterprise security risks to consider

Here are 5 « ABC » security areas to help you elaborate your « enterprise security strategy ».

Environment

  • Is your network configuration regularly reviewed and documented?
  • How are your web servers distributed across your network: isolated or segregated? Located in dedicated DMZs?
  • Do computers go to sleep after a few minutes (requiring a password to wake up)?
  • Is the location well protected (cameras, locks, visitors’ register, etc.)?
  • Can a stranger enter the premises without being asked to identify themselves?
  • Are there post-its or unprotected files containing passwords displayed in public or easily accessible?
  • Are all servers’ operating systems up to date (security patches)? Have you set up an automatic update alert system?
  • Does your domain server require password resets at predetermined intervals?


Communications

  • Are all routers protected with complex passwords?
  • Do routers only allow connections from computers whose MAC address they know (is it necessary?)?
  • Is all data encrypted (does it need to be)?
  • Does the firewall open only the necessary ports?
  • Does the firewall restrict users’ access to illicit websites?
  • Is all firewall software up to date? Have you set up an automatic update alert system?
  • Are all firewall rules based on « anything not expressly permitted is prohibited »?


Personnel

  • Do you consistently do a « background check » before hiring candidates?
  • Is the personnel regularly trained and made aware of security issues?
  • Are users’ roles well defined, with appropriate access rights (Group Policies in Active Directory)?


Data

  • Is the data encrypted (does it need to be)?
  • Is data used for testing « masked »?
  • Is unnecessary sensitive data being stored?
  • Is historical data being stored for no reason?


Mobility

  • Is access to mobile devices protected (PIN code, fingerprint, unlock pattern…)?
  • Is critical data being stored on mobile devices?
  • Is communication with the office done in a secure manner (VPN)?


Conclusion

The list of enterprise security measures one can implement could be endless, depending on the level of risk you have to cope with; businesses like banks, which demand a greater level of cybersecurity, normally have a department dedicated to managing this aspect.

In any case, whatever your situation, it is all a question of balance between protection and performance.

Ask yourself whether implementing an enterprise security measure will slow down a process or add useless execution steps, resulting in a negative impact on business profitability, employee productivity or client satisfaction.

If so, then assess whether the risks of not implementing this enterprise security measure could be critical to your enterprise (competitiveness, reputation, losses, etc.). The choices and options should then appear more clearly.

Do communicate your motives thoroughly to each audience; any client, employee or partner will always appreciate being informed rather than being kept ignorant when it comes to their security, and they will almost systematically choose the annoyance over the risk.

Our intention with this post was to raise awareness of basic enterprise security measures and issues, and to get them back to the top of your priorities and to-do list.

And remember, when in doubt, the ultimate question in terms of enterprise security is: “Is it worth the risk?”


Denis Paul & Michel
