This article is being written in surreal times. We are living through a truly worldwide pandemic called COVID 19 which has created a shutdown of businesses throughout the globe and has a large portion of the world under various levels of human lock-down. It’s crazy times. We are in fear of an invisible enemy that is creating havoc in our world. It is making people sick, causing unimaginable death and causing an untold toll on our businesses and financial markets. It is a truly scary time.

As a technology company we cannot begin to help with the solution to this pandemic. Our part has been to assist our customers to shift their business models in various ways that were unseen just a few weeks ago. We have moved large numbers of people to work from home. We have deployed mass quantities of new laptops and connected many businesses with VPN and remote solutions that were not in place prior to this pandemic. We are also seeing a spike in the number of users that are communicating via products like Microsoft Teams, GoToMeeting and Zoom.

New Challenges

What we cannot forget in our business model is the daily operations. There may not be anyone at the office but the systems must remain. Servers are still required. Workstations are being used remotely. Cloud services must continue to function. This may seem like it’s a slowdown for the service providers but it is not. Instead we are seeing new challenges. The quick change in the model has presented a new set of security challenges that require new solutions. What are the challenges? Here are a few….

  • Securing a large volume of VPN connections

  • Securing connections using unknown home internet connections

  • Security problems with online meetings like Zoom hijacks

  • New attack vectors opened by new services such as Remote Desktop

  • Maintaining software updates on fleets of now remote laptops

These are just a few challenges that every IT department and service provider is facing today. As we face these challenges we are seeing the emails begin to flow in to our inboxes. Software and hardware vendors are coming to our rescue with “Solutions” to all our security problems. Anti-everything (fill in virus, malware, intrusion, etc.) is going to save us from what is lurking around the corner on our “endpoints”. (Endpoint is a fancy word for computers, phones and the things we use to connect to the world.) Penetration testing solutions are going to help secure our networks and high tech (i.e. expensive) Intrusion Detection and Prevention systems are going to identify bad guys and kick them off our networks like a mall cop chasing down a kid on a skateboard.

Unfortunately it’s not that simple. Marketing guys can make their solution sound like the silver bullet but it rarely is. The reality facing every business today is that we are living on an internet that is the wild west. Attacks come from all directions and there is no single solution that will keep you secure.

The Egg vs. the Onion

For decades the key to securing our networks and data was the “hard outer shell”. This egg-like model guided us to use hardened firewalls and protection devices at the edge of the network to keep bad guys out and good guys in. It allowed for a simple solution that worked well in the early days of the internet. As time progressed this model started to fail and we realized that the egg model secured the yolk well until the egg was dropped and someone made it through the shell. You were then left with a network that looked about as hardened as an egg dropped on pavement from the roof!

Today we look to the Onion as the food of choice for our security. We want to create layers of security that need to be peeled back to get through our security. These layers provide the ability to slow down attackers, detect them and prevent them from getting too far before we resolve the problem. As you peel away each layer of the onion you find another layer of security.

Security as a Mindset (SaaM)

The internet is full of solutions for every sort of “as a Solution” buzzword you can imagine. Software as a service (SaaS) started things off and we now have everything from Infrastructure as a Solution (IaaS) to Security as a Solution. At Capstan Services we provide security solutions that permeate many areas of our business and the businesses we support. Unfortunately, we cannot say that we have the “Solution”. Nobody alone has the solution. Instead we need to look at Security as both a partnership and a Mindset. Let’s call this SaaM to keep up with buzzwords.

As a services company we provide technology that is part of the solutions we offer. Our recipe starts with a good firewall. Sprinkle in proper configuration. Stir in a generous amount of data segmentation and internal security. Add best in class solutions for systems maintenance. Throw in a helping of systems monitoring. Finally, top off with penetration testing and garnish with training. This is a recipe that can and should be provided by your service provider. The solutions are not just software but a mindset within our company that puts security at the top of our minds in everything we do. It should start with training that instills the mindset from your service provider (or IT team) to your employees and management. From there it must be embraced and incorporated into all aspects of the business.

The mindset cannot end at the edge of our company. It must extend into all of our customers, vendors, partners and even to the vendors that do business with our customers. This is the hard part. For most businesses changing the mindset of the entire company to focus on security is not easy. Security is often hard. Long, random passwords are hard. Having to ask for access to other people’s data is intrusive. Living by strict data security principles is not fun. However, these small challenges are what help to keep your business safe and secure.

Do I have the Security Mindset?

We work with many executives at varied companies. In 30+ years of working in technology I have never met an executive that would not say that security is a priority. However, I have worked with many executives whose actions were not consistent with a security focused mindset. Are you security focused? That is a discussion you should have with your IT provider(s) in a safe environment where they are given permission to be critical without any repercussions. (Guess how often this actually happens?) In the meantime, here are a few questions you can answer as an executive to see if you have the security mindset.

If you can answer Yes to every question above, you and your business are highly security focused. If you answer no to more than a small number of these questions it would be a good time to reassess your business model.


Keith McLaren is the CEO of Capstan Services, Inc. Capstan Services is an IT services company which provides services to small and mid-sized businesses. If your company has technology challenges or needs to find better profitability through technology then you may want to reach out to Capstan Services for a consultation.

