The Internet is rapidly changing, as are the ways that you should protect yourself. This is relatively current information that factors in the use of mobile technology and cloud
Image by National Institute for Occupational Safety and Health (NIOSH), via Wikimedia Commons
Why we need to be protected:
Safety of clients, staff, data, and property
Compliance (PCI, HIPAA, etc.)
Want something you have, or
Want to extort money from you by taking what you
Want to attack others by using what you have.
Two kinds of risk:
Sensitive Information Breached
Image by Setreset (Own work), via Wikimedia Commons
Data Sensitivity must be assessed:
High - Medium - Low
Risk to organization vs risk to clients, etc.
Labor/time to reproduce
Security policies should be based on these assessments
Image by Friedrich Graf, via Wikimedia Commons
Core Cloud Considerations:
Established cloud services might offer higher data security than you can
How many certified IT Security Specialists do you have on staff, compared to Google or Microsoft?
But also have low accountability for confidentiality
Vendor might give data in response to subpoenas that you
Moves software from capital to expense
Subscriptions cost more than maintenance renewals, but are possibly offset by infrastructure and support savings
Huge benefits for remote access
Make sure that you back up your data locally and are able to access it if a cloud vendor goes out of business
Clearly delineate duties
Never agree to termination fees
[Image: “The Land of Contracts” by David Anthony Colarusso]
As of 2013, 35 insurers covered this [1]. Now many
Third party and first party
Costs vary widely, as do items covered (shop around!)
Third Party Coverage
First Party Coverage
Theft and Fraud
Data Loss and Restoration
Photo by Jon Crel
Passwords aren’t secure.
Any password can be deciphered
Any network can be hacked
The old rules about password safety
Image by nikcname
But passwords are still critical.
Long phrases are better than words
Upper case letters, lower case letters, numerals, punctuation, spaces.
Not too difficult to remember - or
Stored in a Password Manager
Subject to two-factor authentication
Unique across systems
New Thinking on Passwords
Changing the password regularly is not as important as changing it after a breach.
Fingerprint readers and other physical alternatives are only secure if they aren’t compromised - a fingerprint can’t easily be changed.
Password Managers are necessary.
Dual Factor Authentication
AKA “Two Factor Authentication”, “2FA”
Ensures that a hacker with your password can’t access your account
Multiple methods: text, phone, email, fob, or
Home and work PCs can be trusted
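As an added illustration, not part of the original presentation, of how the fob or authenticator-app factor works: the one-time code is an HMAC of the current 30-second time step under a secret shared only between the account and the device, so a stolen password by itself never yields a valid code. The 20-byte secret below is the published RFC 6238 test secret (a real enrolment generates a random one), and the one-step accept window is an assumed, commonly used server setting.

```python
import hashlib
import hmac
import struct
import time

# Constructed example secret: the ASCII test secret published in RFC 6238.
# A real enrolment generates a random secret and shows it to the user as a QR code.
SHARED_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per code, the usual authenticator-app setting


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                digits: int = 6, step: int = TIME_STEP, window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus `window` steps either side
    to tolerate clock drift; compare_digest avoids leaking timing on a mismatch."""
    current = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, c, digits), submitted)
        for c in range(current - window, current + window + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    device_code = totp(SHARED_SECRET, now)           # what the user's phone displays
    print("authenticator shows:", device_code)
    # Legitimate login: password (checked elsewhere) plus the code from the device.
    print("valid code accepted:", verify_totp(SHARED_SECRET, device_code, now))
    # Attacker holding only the password: a guessed code is almost certainly rejected.
    print("guessed code accepted:", verify_totp(SHARED_SECRET, "123456", now))
```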
Image by Brian Ronald
Only one password to memorize
Fills in passwords across computers and devices
Generates secure passwords
The best include breach alerts and security checks
Image by HLundgaard (Own work) [CC BY-SA 3.0], via Wikimedia Commons
Core Mobile Considerations
Business data on mobile devices is not subject to network security measures
Mobile devices are easily lost or stolen
Public WiFi networks are often insecure
Malicious apps surreptitiously copy private information from mobile devices
Image by Alan Levine
Passcodes are safer than patterns
Fingerprint, facial recognition only good if phone isn’t hacked.
Encryption (SSL Anywhere)
Two Factor Authentication
Hotspots (as opposed to public WiFi)
Mobile Device Management Software
Mobile Device Management Systems (MDMs) offer a degree of security for mobile devices. With them, you can:
Remotely wipe data
Remotely install/remove applications
Block application installs
Enforce security options
Policies and Education
Key to safely letting staff work with company data (email, documents, etc.) on mobile devices is solid policies and user education.
The best security in the world won’t protect you if staff don’t know how to protect passwords and detect scams.
Policies should be sensible and not so prohibitive that staff are compelled to work around them.
If you have IT staff, you likely have these things in
Firewalls, anti-virus, anti-spam and other standard
security tools can only protect what passes
Mobile devices, USB drives and other portable media can bypass security
Servers open to the public (web servers, remote access, client-facing applications) are at greatest risk.
Photo by Ilya Sedhyk
Monitoring and Perimeter Testing
It’s important to have software that monitors the systems and alerts IT staff in case of hardware issues or attacks.
Investigations might be critical in case of a breach.
Perimeter Testing should be done regularly to identify security issues.
Pricing varies widely on this service
Find best mix of pricing/frequency
Can be a requirement/cost offset for cyber-insurance
PC and/or server drives are encrypted and data inaccessible until a ransom is paid to the hacker
Triggered by links in emails or infected media (such as flash drives)
Backup to cloud or alternate media
Spam and virus filtering