This is a guest post by Sam Bocetta, a retired engineer and current freelance journalist who specializes in writing about cyber defense, data privacy, and online security.
Cybersecurity is a process, not an event.
Though there are some tools and systems that you can put in place to dramatically improve the security of your workflow, in reality the best way to protect yourself against hackers is to stay constantly vigilant for emerging threats.
For this reason, rigorous cybersecurity practices should be built into your general workflow. They should be an integral part of building a knowledge management system, and integrated into everyday business practices.
One of the most powerful ways of doing this, and one that will also ensure that you don’t miss anything important, is to use checklists to codify daily, weekly, and monthly security tasks.
This system should also clearly indicate responsibility for each task, and specify mitigation steps should any issues be found.
In this article, we’ll cover:
- Building a security checklist
- Creating a security culture
- How to use Process Street to incorporate security into your workflows
- More information security resources
Before specifying the tasks that should be part of your security workflow, let’s look at why having a regular security checklist is so important.
Building a security checklist
The truth is that many teams seek to ensure the security of their systems at the wrong points of their product and system development workflow. This has been concisely referred to as the “Security Sandwich”, and is most often mentioned in the context of software development, but it has a lot to teach businesses of all kinds.
The thinking goes like this: teams that take their cybersecurity responsibilities seriously have become used to thinking about the security implications of new products. Equally, they have become adept at responding to security breaches and hacks at both technical and managerial levels. The problem is that there is a gap in between these processes. There is no “filling” in the “sandwich”, in other words.
In short, many businesses don’t do the kind of ongoing monitoring that will stop unforseen security vulnerabilities becoming major incidents. They know how to conduct a safety inspection on their systems, but too often this gets forgotten in the process of either bringing a new product to the market or firefighting recent issues.
So, let’s go through what this kind of monitoring should involve:
1. Review your encryption
Encryption is one of the most powerful tools when it comes to preventing cyberattacks. Strong encryption can defeat attempts to monitor your network traffic – attempts which can otherwise compromise key pieces of data. In addition, the alarming rise in the number of ransomware attacks means that giving hackers access to plaintext data (of any type) is a huge risk.
You should therefore review your encryption systems on an annual basis, or when you add any new system to your larger IT infrastructure. Ideally, all data, whether at rest or in transit, should be encrypted. Solutions for doing this involve the use of encrypted cloud storage, VPNs, and team communication apps that use end-to-end encryption.
2. Review your vendors’ security
Secondly, you should regularly monitor whether any of your vendors have been the victim of a hack or data breach. The third-party companies you work with have a vested interest in trying to keep this kind of incident quiet, and so unfortunately they may not tell you about every vulnerability they have discovered.
As a result, the best way of incorporating this kind of check into your weekly workflow is to review the security procedures the web vendors use on a daily basis yourself. For instance, the web hosting company you use daily for your website should offer security features such as a firewall, support for the latest version of MySQL, and 24/7 security monitoring. Many hosts boast of offering DDOS protection, but the reality is that it’s not always enough.
Equally important, all of the vendors you work with should be able to give you quarterly reports on the threats they have identified, and what they have done about them. If they can’t, they are not taking security as seriously as you, and it’s time to look elsewhere.
3. Check your backups
If you are reading this article, you probably back up your website or systems regularly, and this is likely automated. This is great, but you should also check the integrity of your backups on a regular basis.
Changes in infrastructure, in file systems, or migrations to new vendors can often render backup repositories unreadable. And if you don’t check them, you won’t know that until the worst happens.
Ideally, checking the integrity of your backups should be done with the same frequency that your systems automatically backup. While you complete this check, you should also look into hardening your backup systems against external threats, and ensure that the level of access to backups is as limited as is feasible for your business.
4. Meet with IT
Another critical part of your security checklist is to talk to the people who handle the technical side of this. In many organizations, IT departments are only involved in the roll-out of new systems, or limiting the effect of cyberattacks: just as in the “security sandwich” example above.
Scheduling regular meetings with your IT department has a number of key advantages. These staff members are likely to be more aware of emerging threats than executives, and can often provide advance warning of where security needs to be improved. Second, IT staff can give you the technical assistance you require to complete the other tasks on this list.
At a more general level, however, forging a closer relationship between your team and the IT department is also a way of improving communications. If staff groups feel able to talk to each other, then your staff are more likely to ask IT for help if they spot potential security holes. Equally, with a good relationship they will feel less annoyed when IT points out that their way of working is hopelessly insecure.
5. Review your internal communications
Internal communications remain something of a blind spot for a lot of companies. Business managers and IT pros alike get so used to looking for threats from outside their organizations that they forget that the biggest source of vulnerability are staff members.
There are two major components to this kind of review. The first is technical, and involves giving your staff the tools they need to communicate with each other securely. That can include secure email solutions or giving them access to an encrypted messaging system (see above).
The second major component of this kind of review is that you should look at the behavior of your staff. Cybersecurity professionals have long known that end users cannot be relied upon when it comes to ensuring the security of the systems that they use, and often staff will attempt to get around the security procedures you have in place in order to work more efficiently. This is particularly true if your staff work remotely, because there are significant security challenges that come with remote work.
This review should therefore include asking staff about how they communicate, and looking for multiple logins on the same systems at the same time – a sure sign that your staff are sharing passwords.
6. Review authentication procedures and access
Authentication procedures and access levels should also be checked regularly. The aim here is to ensure that the ways in which your employees use their systems is as secure as possible, and that no-one has access to critical systems that they do not need.
There are two kinds of checks that are important in this regard. The first is to ensure that you are using the strongest form of authentication available for your systems. One of the biggest network vulnerabilities is broken authentication, or when a hacker is able to bypass or capture authentication, such as through a dictionary attack or URL rewriting.
As a result, more and more vendors are rolling out two-factor authentication for their systems. You should regularly check which of your systems allow you to use this security measure, and implement it as soon as possible. You can further guard against broken authentication by not allowing session IDs to be revealed in the URL and setting session timeouts to expire quickly.
Secondly, you should regularly review the level of access that your staff have to every system that you use. This is because as staff leave, or switch roles within your organization, they can end up with privileges that are far greater than they need to be. Several high-profile hacks, like that of Capital One, have been caused by disgruntled former employees, and so you should shut down access the minute that staff leave.
The types of issues that you will encounter during a review of this type will be familiar: staff sharing passwords in order to access systems more quickly, and long-standing members of staff gradually gaining an access level out of all proportion to their importance. Both of these mistakes can be combated by explaining to staff the importance of good security procedures.
Which brings us to the last item on this list…
7. Train your staff
It might seem odd to put “staff training” on a checklist for cybersecurity, but in fact the best defense you have against cyberattacks are your employees. If everyone in your organization is following the best security practices, this removes some of your responsibility for ensuring procedural cybersecurity.
It goes without saying that all staff should receive thorough training on the importance of cybersecurity, and be able to use the security tools you have put in place. In fact, nearly 40% of all cyberattacks against small to medium businesses are successful purely because of a lack of cybersecurity training and education within the organization.
However, it’s also important to think about cybersecurity training on shorter timescales. Many organizations have seen success via integrating a quick cybersecurity check-up into their weekly meetings. This can be an opportunity for staff to ask security-related questions, or for your IT department to brief them on emerging threats. This is also an excellent place and time to reiterate the importance of strong, secure passwords and the importance of backing up work.
Creating a security culture
All of the processes above should be part of your workflow, because ensuring that you have a good oversight on the systems you are using is the best way to keep them secure. However, they should not be treated as a box-ticking exercise. Instead, having a rigorous system to check the security of your infrastructure should be seen as a way of creating a secure culture in your company.
Creating a secure culture involves a number of key principles. One is that staff should be properly trained, as we’ve covered above. Another is that staff should be given responsibility for the tasks in the list above. Cybersecurity at work is everyone’s business, and security breaches are often not the sole fault of IT teams.
This also points to an important extra consideration when it comes to the list above: it is worth sharing responsibility for these tasks across multiple staff members and teams, to avoid the temptation of one staff member becoming bored with their “weekly security checklist” and not giving them the time they deserve.
Of course, as your business grows and develops, and you start using more systems to provide more service to your customers, it might be that you end up spending an inordinate amount of time checking the security of your systems. In that case, and as we’ve previously pointed out, it might be time to take back control of your work with digital minimalism.
Just make sure that, no matter the number of systems you use, you check them regularly for security. Rather than installing a new security tool, and hoping that it will keep you safe forever, build security into your everyday practice.
How to use Process Street to incorporate security into your workflows
Process Street is a BPM that makes it incredibly easy to build your own custom processes, and just as importantly, makes it simple for your employees to use them. It helps break down processes into easy-to-follow checklists, so that work gets done more efficiently and consistently.
All you have to do is create a template, and then run the checklists from the templates you’ve created.
Here’s a great introduction video to help get you started:
Now that you have a better understanding of the basics of Process Street, you can see how it can be used to streamline many different kinds of workflows, for example, implementing better information security practices.
Process Street allows you to break down your company’s security processes into an easy-to-digest checklist, making it simple for you and your employees to follow and keep progress documented.
Here’s an example of a template we’ve created for Privileged Password Management:
This checklist was built to protect your company’s most sensitive information, such as log-in information. Typically, in large companies, only a select few have access to sensitive information in order to keep the data as secure as possible, but this practice can run into its own issues in the long run.
That’s why we’ve put together this checklist; to offer a solution that gives short-term access to employees who typically would not have that privilege.
More information security resources
Here are some more IT security templates that may come in handy:
- Network Administrator Daily Tasks
- Firewall Audit Checklist
- Apache Server Setup
- VPN Configuration
- Network Security Audit Checklist
- Penetration Testing
- Email Server Security
And if you enjoyed this post, here are some related resources that may interest you:
- 34 Linux Server Security Tips & Checklists for Sysadmins
- How Salesforce Built the Fort Knox of Data Security
- 8 IT Security Processes to Protect and Manage Company Data
- What is ISO 9001? The Absolute Beginner’s Guide (Free Templates!)
- Enterprise Collaboration Software: 8 Essential Tools You Need to Use
What steps do you take to protect your company’s sensitive data? Do you have any personal recommendations? Let us know in the comments below!
There seems to be a new story about a significant data breach affecting important firms and the numerous clients they serve every day. The present norm for security across our IT industry is subpar, especially when deploying or upgrading a new technology feature, despite the acknowledged risks of security breaches. Prior to development as well as after a feature is delivered, teams frequently conduct extensive research and analysis. Penetration testers occasionally perform vulnerability assessments during the process, although it is less frequent for security procedures to be in place during the actual development process.