An internal security review is necessary, but not sufficient. IT should be looking externally too.
"You passed our annual security audit," said the security consultant. "Of course, there are a few things to fix."
Like all the other tech professionals in the room, I looked at the list. The report identified problems such as unpatched apps, weak passwords, and active—but unused—network services. Everyone agreed the items should be fixed.
"Did you look outside at all?" I asked. "For example, at the mobile or web apps the organization uses?"
"No," the security consultant said. I was disappointed, but not surprised.
Many organizations still live in a world of on-site apps or small-scale hosted services. In February 2016, Gartner released a study that indicated 13% of "identified publicly listed companies" host email with either Microsoft Office 365 or Google Apps for Work. "The remaining 87 percent of companies surveyed have on-premises, hybrid, hosted or private cloud email managed by smaller vendors."
Yet my world of developers, entrepreneurs, and investors teems with mobile, social, and web apps. These all thrive "outside the walls" and present potential security concerns that an internal security audit ignores.
"Can you identify at least the major external issues we might look at?" I asked. The consultant indicated that was outside the scope of the project.
So, here's my short list of external items to review and secure—even if your organization's IT environment is not yet in the cloud.
1. Domain name registration
Review the renewal dates for all your organization's domain names each year. Keep your payment information current, your administrative and technical contact information accurate, and your login information to your domain name registrar secured.
If you lose control of your domain name, you lose control of both your website and email. A person with malicious intent could redirect web traffic elsewhere. Control over your organization's email routes could expose your organization to additional hacks, since access to email often serves as an authentication method for online accounts.
2. Web hosting
Also review account security for both your web hosting provider and your web content management system (e.g., Drupal or WordPress). While you're at it, review—or renew—the TLS certificates for your sites.
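Both the domain renewal check in item 1 and the certificate check in item 2 reduce to a date comparison. The script below is an added example, not code from the original article: it reads the expiry date from an RDAP response (the JSON format registries now serve in place of WHOIS; the sample document and hostnames are constructed) and from the notAfter string that Python's ssl.getpeercert() returns, then flags anything inside a warning window.

```python
"""Expiry review for external assets: domain registrations and TLS certificates."""
import json
from datetime import datetime, timezone

# Constructed sample RDAP document (not real registration data). Only the
# 'events' array matters for a renewal check; registries also return contacts.
SAMPLE_RDAP = json.dumps({
    "ldhName": "example-org.test",
    "events": [
        {"eventAction": "registration", "eventDate": "2012-03-01T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2025-08-15T00:00:00Z"},
    ],
})
# Constructed 'today' so the example is reproducible offline.
SAMPLE_NOW = datetime(2025, 7, 30, tzinfo=timezone.utc)

def rdap_expiry(rdap_json: str) -> datetime:
    """Return the registration expiry from an RDAP JSON document (UTC)."""
    doc = json.loads(rdap_json)
    for ev in doc.get("events", []):
        if ev.get("eventAction") == "expiration":
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    raise ValueError("no expiration event in RDAP response")

def cert_expiry(not_after: str) -> datetime:
    """Parse notAfter as ssl.getpeercert() formats it, e.g. 'Sep 30 12:00:00 2025 GMT'."""
    return datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def days_left(expiry: datetime, now: datetime) -> int:
    """Whole days until expiry; negative means already expired."""
    return (expiry - now).days

def review(domains: dict, certs: dict, now: datetime, warn_days: int = 30) -> list:
    """Flag each domain or certificate expiring within warn_days (or already expired).
    domains maps name -> RDAP JSON text; certs maps host -> notAfter string."""
    findings = []
    for name, rdap in domains.items():
        d = days_left(rdap_expiry(rdap), now)
        if d <= warn_days:
            findings.append((name, "domain", d))
    for host, not_after in certs.items():
        d = days_left(cert_expiry(not_after), now)
        if d <= warn_days:
            findings.append((host, "certificate", d))
    return findings

if __name__ == "__main__":
    certs = {"www.example-org.test": "Sep 30 12:00:00 2025 GMT"}
    for finding in review({"example-org.test": SAMPLE_RDAP}, certs, SAMPLE_NOW):
        print("RENEW SOON:", finding)
```

In practice the RDAP text comes from your registrar's RDAP endpoint and the notAfter value from ssl.getpeercert() against each hosted site; run it on a schedule rather than once a year.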
3. Social media
By now, most organizations maintain a presence on social media sites. These accounts are often managed by people proficient in communication, not computer security. Yet, a hacked social media account can cause damage to an organization's brand, image, and reputation.
Review social media site security settings and adjust the settings, where possible. For example, enable two-step authentication for every person who serves as an administrator on your organization's Facebook page. Deploy a password management tool so that long passwords can be securely shared on sites (e.g., Twitter) that don't directly allow multiple users to manage a single account—or switch to a social media management tool, such as HootSuite, that provides multi-user account management.
4. External collaboration tools
Look carefully at collaboration tools—especially those used by executives and leadership. Board management tools like BoardEffect support governance conversations among leaders but, like social media, these tools are often maintained outside the IT environment.
5. External systems that hold customer data
Examine external systems that hold customer data. For example, MailChimp and Constant Contact contain customer emails. Event registration, surveys, and polling tools often capture customer data as well.
Review workflows, too. In one case, an IT staff member discovered that a colleague sent emails that contained both an account username and a password—in the same email. The staff member redesigned the workflow to protect account login information.
6. Mobile devices
Finally, if you allow people to use mobile devices, make sure the devices are actually managed. Even without a third-party solution, both Google Apps for Work and Microsoft Office 365 provide many tools to secure and manage phones and tablets. Apple's early 2016 battle with the FBI might have been avoided if the owner of the iPhone, the San Bernardino County Department of Public Health, had deployed the device with a mobile management solution.
The organization I mentioned at the beginning received a passing score on their annual security audit, yet the audit entirely omitted any review or mention of the six items above. Worse, since these six items often sit outside of IT staff's direct control, each represents a real risk to the organization.
Other items to add?
Short of a complete security audit, what other external items do you review as part of your security efforts at your organization?