Security Controls Around Communication Channels
Safeguarding company assets has become more and more critical over the years. It seems like just a few years ago a firewall, anti-virus software and partially aware employees were enough to keep a company safe. Today, this is no longer the case. Every company needs layered security. Having multiple layers of protection in a company is called defense in depth. It is the practice of relying on more than technology alone: companies need human, physical and logical protection mechanisms in addition to security technology.
Communication channels in a company give employees ways to collaborate and communicate like never before, which makes companies more productive and efficient. These channels need continuous protection, because so much confidential, sensitive and proprietary information is stored in them. If one were breached, it could be devastating to the company.
Defense in depth for these channels can consist of many different methods. Physical security is needed to restrict access to the office building or office suite. Each employee should have only the physical access required to do his or her job. For example, someone in accounting does not need access to the IT rooms, whereas IT would need access to all spaces. Doors should lock automatically, and employees should be granted access only after badge or code authentication. Companies also need a no-tailgating policy, which educates employees not to let other people follow them into a space without badging in themselves.
Human security is accomplished by ongoing awareness training. Employees need to be trained on the physical, human and software security measures. Each employee needs to know the difference between a legitimate email, a spam email and a phishing email. They also need to be trained on proper use of the computer systems, network, applications and email, to name a few. Social engineering is a hacking technique that is gaining traction. Employees need to be trained to be diligent about whom they come into contact with, since this style of attack can be carried out over the phone, in person or via email. This training needs to be part of onboarding for new hires and continue throughout their employment. Most of these topics are covered in the company's acceptable use policy.
Software and application security help protect companies by providing logical security around authentication and access methods. Most critical information today is stored in some type of application. These applications need to be protected by multiple forms of authentication, file- and role-based permissions and proper placement on the network.
Hardware security protects company data by providing solutions such as encryption. Hard drives can be encrypted at rest to prevent access to data if they are stolen. Hardware and software encryption can be set up to protect data in transit when sensitive data is transferred by email, web or FTP. Hardware appliances such as SIEM collectors can be implemented to monitor network traffic in real time for malicious activity.
These types of defense tactics can be deployed together to protect communication channels. Different communication channels provide distinct advantages and disadvantages for a company depending on how they are used. Each channel also needs its own security solution designed to protect the information it contains.
Email is the most widely used communication channel. It is also the most exploited one. Most cyber-attacks today start with an email scam, so protecting this channel is imperative. A combination of encrypted email systems, DLP, spam filters and user awareness training needs to be in place to secure a company's email.
Smartphones and texting are increasingly used in companies. Companies issue phones to employees that have access to company resources, and they allow employees to text each other for business purposes. Employees are also guilty of texting for personal reasons. This is beneficial to a company because an employee can be more productive by having their email and apps on the go. These phones are critical to protect since they are mobile and contain so much company information, and employees need to be aware of their device at all times. A stolen smartphone can be an immediate breach for a company. User training in addition to security policies can protect the phones. Most companies have a mobile device management (MDM) solution to manage them. This gives the company the ability to remotely wipe all data from a phone to prevent theft of the information. MDM also allows security policies to be enforced on the devices, such as requiring passwords or PIN codes to unlock the phones.
Social media is increasingly utilized by companies. This communication channel is excellent for reaching clients or prospective clients. A company can market to these groups easily, which allows for quicker growth, and being able to reach a market in just a few clicks is a great benefit. The downside is that social media is probably the most hacked platform in existence. If a social media platform, or even a single employee's account, is hacked, it can hurt the customer base. Customers could receive fraudulent messages from the employee's account designed to compromise their own accounts. This is the modern equivalent of a worm virus. Misuse of social media could quickly ruin the reputation of a company. If employees are allowed or required to have company social media accounts, they need to be trained on proper use of those accounts. They need to be required to use strong passwords on these accounts and to post only company-related content. Social media monitoring software also needs to be deployed to automate alerting if anything negative happens on the company's accounts.
Defense in depth is required to provide proper security to companies today. Company owners and executives need to be aware of what it takes to secure data and communication channels properly. Most of the people in these positions still think the old way: they believe that having a firewall and anti-virus software is enough, but it is not. They need to be educated on defense in depth, and on where their company's data lives inside its various communication channels. Once these channels are identified, the right protection can be implemented using the defense in depth method.