3 IT Security Measures to Improve Peace of Mind
I overheard a conversation at a trade show the other day indicating that “the boss” is very concerned about IT security. According to this employee, it is one of the things that keeps the boss up at night. I couldn’t help but wonder if he was doing anything about his concerns.
Let’s face it, IT security is not something most of us talk about. That could be because it scares us, because we don’t really understand it, or because we are blissfully unaware (which isn’t a good thing). And yet, it is something many of us worry about. How do I know I don’t have some gap in my network that allows something bad to happen, or that one of my team won’t inadvertently let in some nasty virus that shuts us down?
The best way to really understand the state of your IT security is to do an assessment. An IT Security Assessment measures gaps in your technology and procedures as compared to a recognized standard like NIST, ISO, or HIPAA. Your type of business dictates which standard would be best to use in measuring IT security. In addition, an IT Security Assessment uses software tools to probe your network from both inside and outside for security holes. Often the assessment will also identify any information that is at risk and where it is located on your network. While this may seem like a big-company thing, IT Security Assessments are valuable to organizations of all sizes, and can be tailored to be affordable even for small companies.
If you aren’t quite ready for a security assessment, you may want to consider a few of the commonly recommended solutions that come out of an assessment. Sometimes these things are quite simple and affordable. So, if you already have the basics covered, here are three specific measures you may not have covered that will improve your IT security peace of mind.
1. Dual Factor Authentication
We are all familiar with this concept from our interactions with financial services companies. If you want access to your bank account online, you must have a PIN texted to you, use an app, or have a key generator. Many of us log in to our company network remotely with a VPN or some sort of portal. Having this VPN or portal opens our network up to the Internet and to the same risks banking sites face. You can add dual-factor authentication to your network with relative ease using a product called Duo. For a low monthly fee, it will secure almost anything by requiring a second passcode that is either sent via text or generated by an app. This tool works very efficiently and adds dual-factor authentication for remote connections, VPNs, the network login, and a whole lot of other applications. It gives you a huge boost in security for many reasons, but the most important is that it keeps phishing scams from gaining access to your applications and computing resources. Even if a hacker gathers a login/password combination from an unsuspecting user who responds to an official-looking scam email, they still can’t get in without the second factor.
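The “generated by an app” passcode described above is, in most authenticator apps, a time-based one-time password (TOTP, RFC 6238). The following is an added example, not code from the original post or from Duo, showing why a phished password alone fails: the login check requires both a password and a valid app code. The secret is the RFC 4226/6238 test key, and the password hash, salt and user are constructed for the demo.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

# RFC 4226/6238 test secret ("12345678901234567890" in base32); not a real credential.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_SALT = b"constructed-demo-salt"  # constructed for the example


def _hash_password(password: str) -> bytes:
    """Slow, salted password hash (PBKDF2) so a leaked hash is costly to crack."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000)


DEMO_PASSWORD_HASH = _hash_password("correct horse battery staple")  # constructed demo password


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (30-second steps)."""
    return hotp(secret_b32, at // step)


def verify_totp(secret_b32: str, submitted: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current code or one step either side (clock drift); compare in constant time."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, at // step + drift), submitted):
            return True
    return False


def login(password: str, otp: Optional[str], at: int) -> bool:
    """Both factors must pass: a stolen password with no (or a wrong) app code is rejected."""
    password_ok = hmac.compare_digest(_hash_password(password), DEMO_PASSWORD_HASH)
    if not password_ok or otp is None:
        return False
    return verify_totp(DEMO_SECRET_B32, otp, at)
```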
2. Security Awareness Training
I find that most companies have been hit at some point by ransomware or have some familiarity with it. It is that nasty thing that, once unleashed on your network, encrypts every file and then pops up and tells you that you must pay the hacker in Bitcoin to unlock your data. It is still one of the most common strains of virus, and it is crippling. Right now, it is transmitted mostly (if not completely) by email. This means that to be infected, somebody who is on your network or has remote access chooses to open a not-so-legitimate email with an attachment or follows a link. We should all be smarter than this by now, but the hacker is smart, well-funded, and out to extort money. The tactics change, the emails look more and more legitimate, and it is so easy to just click. Security Awareness Training is the solution. It is a service where regular training videos are sent to your team members and tracked to see who has completed the training. Once training is complete, they get a “test” email or two or three to see if they fall for it. You then get a report and can see who might be falling short. Through systematic training and testing, people learn over time and stop clicking, and your risk goes down dramatically. This type of training is painless, requires little time from your team members, and has great results. It trains people not to click!
3. Encryption
Encryption is one of those techy IT topics that sounds like it is only needed if you are in a high-risk industry that could be a target for corporate espionage. That couldn’t be further from the truth. Unencrypted data sent by email can be read in transit or as it queues on a server on the Internet before landing at its destination. If you are sending anything confidential by email, it should be encrypted. Even confidential data sitting on a laptop or a server, like employee bank account numbers for direct deposit, social security numbers, credit card numbers and more, should be encrypted. The risk is that if someone steals a PC, laptop, or server, or if one is disposed of improperly and someone gets at the data, it could be a huge issue, and even if not financially impactful, it could harm your reputation. There are lots of ways to encrypt, and it can be done transparently, so that nobody even knows it is happening. Encrypting data at rest on a PC or server is fairly simple with hardware features that are now available and with Microsoft BitLocker, which is built into most newer operating systems. Encrypting data in motion, like in emails, has gotten much easier as well, and if you have not evaluated it recently, it is time to take another look.
If you haven’t looked at your IT security recently, it is probably time to take a step back and look at it from another perspective. Sometimes with a step back and a little more formal review, we discover that we need to step up our game. What was good enough a few years ago often falls short today because of the ever-changing security landscape. The people, the methods, and the technology in use are constantly getting more sophisticated. Our security vigilance must adjust with these changes. Consider these three technologies to up your game, or better yet, do a full IT Security Assessment to gain an understanding of your real risks and how to remediate them.
Want to Improve the Security of Your business?
We Can Help! Please reach out if you need assistance or want to have a discussion about your next security steps.
Scott Hirschfeld is the President of CTaccess, an Elm Grove IT support company that has been helping small businesses stop focusing on IT and getting back to doing business since 1990. Under his leadership CTaccess provides the business minded approach of larger IT companies with the personalized touch of the smaller ones. Connect with Scott on LinkedIn.