By: David Wilson, Esq., CISSP, Security+, Titan Info Security Group
Business owners, you can no longer think of your network as an island that you can secure from all others. You may believe you have your network and data locked down but the companies and people you are connected to, those with access to your data and the people you do business with, likely don’t.
Do you know who has access to your network, every connection into it, and everyone who has access to or possession of your data? Can you identify each mobile device and storage device that holds your data, and every device connected to your network?
Think about how many people you as an individual are connected to and who potentially has access to just your data.
If you use webmail, then the webmail host, such as Gmail, has access; if you have a website with data on it, the web hosting provider has access; so do your smartphone provider, your accountant, lawyer, doctor, IT company or IT friend; and the list goes on. Now imagine the overwhelming number of connections for your company, especially the hidden or unknown ones!
In order to meet a “reasonable security” standard and perform due diligence you have to look beyond your network.
Remember Target? It was the HVAC company with direct access to the Target network that was infiltrated by hackers, who then leapfrogged into the Target network and caused the massive breach. Regardless of the security lapse on the part of the HVAC company, Target was not able to point fingers and avoid liability. Did Target ask the HVAC company about its level of security and verify the answer?
As a business owner, CEO, president or member of the board of directors, you must look beyond your network, understand your own company's security and make sure that your connections and those with access to your data are protecting it. This requires asking vendors and others point blank: "How good is your security? What steps have you taken to protect data? When was your last security assessment or audit?" If they are not willing to answer these questions, or do not answer them to your satisfaction, find someone else to work with. They should also be willing to show written proof. If they do answer to your satisfaction, capture the statements, assertions, guarantees, promises and assurances they have made and agreed to in a contract or service level agreement (SLA). Remember, though, that you may be asked the same or similar questions, so get your own house in order.