Nick LaPalomento: Hi there. Thanks for joining us again for another Tech Talk. I’m Nick and I’m joined by Chad Hiatt, our chief information officer here at Aldridge.
Today, we’re going to be covering a big topic: security—what it is and how you can keep you and your company safe. Chad, let’s start with that. What is security?
Chad Hiatt: That is a big topic. Security is really thinking about where the risks are within an organization or in any sort of action, and really taking the reasonable measured compromises to control the risk.
Usually, that risk has a financial impact to it. The compromises that you make for security and convenience, or in having to go through a couple of extra steps or in controlling access to information, usually have associated costs. We just try to balance those two so that it’s right for the [level of] risk that the organization wants to achieve.
Nick: I think most people, when they think of security, they just think of their passwords. It’s usually the same password that they use for 30 things, and it’s “password123.” Let’s talk about some key security risks to get us thinking and get our minds in the right place about why we should think beyond just the password.
Chad: The start of security is proving you are who you say you are. Because once you can prove who you say you are in IT, we call that identity. Your identity determines what you have access to legitimately. If someone can compromise your identity—whether it’s a username and a password or something even more complex—they can take any action in the environment as if they were you, which means suddenly they have your privileges.
Security doesn’t end with identity, security starts with identity. We also have to think about what happens if there’s equipment theft. What if someone broke in and took a laptop out of a car or took servers or backup drives out of a server closet? Or, we even have to think that there are people out there that intentionally are trying to do fraud. What if someone calls up and says, “Hey, I’m your IT department. I need to log into your computer. Can you verify your password for me?”
“Oh, I need you to go to this website and please log in here so I can help you out remotely right now so we can fix this.” Security is not just a series of actions. Security is really a mindset to be aware of the risks to the organizations and the risk to your own identity, and to make sure that you are taking reasonable cautions to prevent someone from being able to get what they really shouldn’t have privileged access to.
Nick: What basic security steps can an organization take today to help harden their network or improve their security?
Chad: Let’s talk about the first and last line of defense, being you. The people are the first and last line of defense because the people are also usually the target of the attack. The simplest thing the organization could do to protect itself against financial risk is to make sure that it has good policies in place—such that if you were a check signer, for example, you could come to me and say, “I will never, ever tell you to wire money unless this, this and this.” If I ever ask you to do this, I want you to verify it by doing this and this, and work that out ahead of time.”
As a company, you can make sure that everyone understands that if they get a contact from a vendor or a contact from a shipment that’s delayed or something like that, and it’s not what they expect, you don’t have to trust the information that comes in the email. You should be able to go and independently verify that. Maybe go to a web browser and type in the web address of the actual vendor, call the vendor up on the phone using the phone number that you already know—not the one on the email—to make sure that you can reestablish and validate contact. It works both inside and outside and helps combat that social engineering.
From a technical perspective, we want to make sure that people are aware of where they’re leaving the information. If you have a company laptop, is it locked up? Is it in your control? Are you walking away from the laptop while it’s in the coffee shop in order to go to the restroom? Well, that laptop can be stolen. If you weren’t logged out at the time, you’ve already unlocked the laptop and you’ve given someone, potentially, access to the information.
You have to be thinking about the passwords and the credentials that you use. The most valuable password, a credential that you have, is the one that you log in to your main office network with. Because that one, especially in a well-managed IT, is going to give you access to all the other systems that you need. We always say we want to keep usernames and passwords unique for every service that you use; that one especially should be distinct, unique and never reused anywhere else. It’s the most valuable one that you have.
Nick: I think this has been very informative for anybody that’s watching. There are a lot of things that you can implement today to keep your company more secure. If you’re not currently using an IT outsourcing provider, such as Aldridge, you can find us at our website. We’d love to talk to you and see how we can be of service to help you implement some of these security practices in your business.
If you are a current client of Aldridge, hopefully this helps you feel more comfortable about the service that you’re receiving from us. If you do have any concerns or questions, you can always reach out to your CIO and they’d be happy to help. Thanks again, we’ll see on the next Tech Talk.
At Aldridge, our team of IT professionals provide your business with the resources it needs to reach its potential. We put customer service first and deliver support and strategic planning that effectively manages your IT. Our approach relives you of the hassle of technology management so you can focus on running your business. Contact an Aldridge representative today to learn more about cybersecurity for small businesses.