19 Essential Cybersecurity Best Practices


Every company, no matter how large or small, should have a robust cybersecurity strategy in place to protect its digital assets. Staying secure in the digital era is no longer a set-and-forget practice. You must be diligent in your security practices and always on top of new trends.

To help you ensure your data is secure, here are nineteen essential cybersecurity best practices.

Document Your Cybersecurity Policies

It is important that you document all of your cybersecurity policies. This not only helps ensure that all employees are following protocol but also helps ensure that new employees can be properly trained. Even the most robust cybersecurity policy is only effective if employees receive the training they need to properly adhere to it.

Keep an Eye on Things

One of the most important things you can do to keep your company’s data secure is to keep an eye on your network and accounts. Your employees should be trained to identify potentially suspicious activity and should know what to do if they encounter it. If a cyber attack does occur, the best thing you can do is catch it early, hopefully before it does any extensive damage. If you don’t detect the problem, you might not know anything is wrong in the first place.

However, most small and medium-sized businesses don’t have enough employees to monitor their system 24 hours a day, 7 days a week for 365 days a year. To help keep your company, and its data, safe you may want to consider a Managed Security Services Provider (MSSP). A good MSSP is able to monitor your system 24/7/365 and is staffed by a team of cybersecurity experts who can protect your company and its data, alert you to any potential cybersecurity problems, and help you address problems should they occur.

Learn more: What is a Managed Services Security Provider.

Use Firewalls

A good firewall acts as the first line of defense between your sensitive data and cybercriminals. In addition to a standard firewall, you may also want to implement internal firewalls to provide additional protection and prevent malware from spreading if the external firewall is somehow breached. To ensure your entire network is secure you should also ensure that any employees that work remotely also install firewalls on their home networks. To enforce this policy you may wish to consider providing all telecommuting employees with firewall software.

Back Up All Data Regularly

You should back up all of your data on a regular basis so that you are never at risk of losing all of it. This is not only important from a cybersecurity standpoint but will also help ensure your data is safe should your office experience a fire, flood, or another potentially catastrophic disaster.

Install Anti-Malware Software and Keep it up to Date

Should one of your employees accidentally open a malware-infected file or visit a malicious site Anti-Malware software will offer your company an additional line of defense. This software is designed to detect suspicious attachments and websites and either keep them from delivering their malware payload or isolate any computers that have already become infected.

Keep All of Your Software up to Date

As companies detect possible security holes in their software they develop and release patches to fix them. However, you can only take advantage of these fixes if your software is up to date. Known software vulnerabilities for which patches have recently been issued are a prime target for cybercriminals, who will often specifically look for companies that have not yet installed the new patches. Keeping your software up to date, and ensuring your employees do as well, is a quick and simple way to help protect your company’s digital assets.

Protect Sensitive Data

You should avoid storing sensitive data (such as credit card information or health information) on desktops, laptops, tablets, or mobile devices, especially if those devices leave the office. Sensitive data must never be stored in unencrypted forms, and any sensitive data that is no longer needed should be removed from your system.

Be Prepared

All companies should run regular tabletop exercises and pen (penetration) tests. These exercises allow your employees to practice what they have learned about cybersecurity in a no-stakes environment. They also give you time to refine and adjust cybersecurity protocols if necessary. Tabletop exercises are similar to fire drills: employees are presented with a hypothetical cyber attack and use company protocols and their skills to respond to it. Pen tests involve hiring an ethical hacker to purposely try to break into your company’s network and then tell you how they did it, so that you can strengthen your current protocols.

Educate Yourself

It is important for any business owner to understand the basics of cybersecurity so that they can take steps to safeguard their business and its digital assets. You can do this by talking with your internal cybersecurity team or scheduling training meetings with your cybersecurity provider so that you can expand your knowledge.

Educate All of Your Employees

Especially in small and medium-sized businesses, employees may fulfill a wide variety of roles. This means that all employees should be familiar with your company’s cybersecurity policies and should understand who they should go to if they think something is fishy or encounter any possible cybercriminal activity. You should also make sure that your company’s cybersecurity policies are reviewed regularly and evolve to address new potential threats.

Enforce Safe Password Practices


Though choosing good passwords and changing them regularly can be inconvenient, it is important that your employees select strong passwords and change them frequently. NIST (the National Institute of Standards and Technology) offers comprehensive guidelines in section 5.1.1.1 (Memorized Secret Authenticators) for choosing secure passwords.

Use Multifactor Authentication

Multifactor authentication is a simple and minimally intrusive way to empower your employees to help keep company data safe. Employee cellphones work well as multifactor authentication devices since it is unlikely that thieves or cybercriminals will have both an employee’s password and their cellphone.

Avoid Phishing Scams

You should ensure that all of your employees are trained to recognize potential phishing scams, and should know who to report them to. Though phishing scams are more likely to be deployed using email they can also be carried out by phone, text, or via social networking sites.

The best way to avoid falling victim to a phishing scam is to avoid opening files or clicking links that appear to be suspicious. A good general rule to follow is that if something looks suspicious it probably is, so you should tell your employees to always check with your cybersecurity team before doing anything the message suggests.

Never Leave Devices Unattended

Physical security is a large component of cybersecurity that is often overlooked. Laptops, tablets, and mobile devices should be secured when not in use. Ideally, employees would never take the computers, tablets, or mobile devices that they use at work home with them, but this is not feasible for companies that employ BYOD (bring your own device) policies.

However, all employees should remember to lock their devices when they are not in use. Employees should also not store sensitive data on their devices unless it is absolutely necessary.

Make Sure Mobile Devices Are Secure

You should make sure to educate your employees on how to properly secure their mobile devices, both personal and professional, that connect to your network. All devices should be locked using a PIN or password, and should not be left unattended in public.

Employees should only install apps from trusted sources, and should not click any links or attachments found in unsolicited emails or text messages. Everyone should make sure their mobile device software is kept up to date, and data should be backed up regularly. Employees should also install programs such as Find my iPhone or the Android Device Manager so that lost or stolen devices can be tracked.

Use Public Wifi Wisely

Public wifi hotspots are everywhere, but not all of them are as secure as they should be. Make sure employees only connect to wifi networks they trust. If an employee must use a public wifi network make sure they forget the network when they are done using it. This prevents their devices from automatically reconnecting at a later date.

Be Smart About Found Flash Drives

One of the oldest cybercrime tricks in the book is to infect a flash drive with malware, leave it in a parking lot or other semi-public place, and hope someone picks it up. If an employee plugs the infected device into their computer it will release malware that can potentially infect your entire network. You should make sure you have protocols in place so employees know who they should talk to if they find suspicious flash drives or other devices.

Don’t Share Everything

We all know by now that we should never write down our passwords. However, you should also have policies in place that ensure your employees don’t accidentally share sensitive information. Employees should not take photos of their desks, and they should be careful about what information they share on social media.

It’s Okay to Ask for Help

We aren’t all cybersecurity experts, and that is okay. If you are unsure how to keep your company and its data safe from cyber criminals you should reach out to the experts for help. A good cybersecurity expert will help you identify weak spots in your current policies, and help you improve your overall cybersecurity by creating robust policies and training your employees on them.
 

DNS Spoofing: What It Is & How to Protect Yourself


Last updated September 27, 2022

Summary:

  • DNS stands for Domain Name System. Think of it like a phonebook for the internet: it matches the web address you type in or click with the IP address of the site you’re trying to reach.
  • DNS spoofing is a technique cybercriminals use to reroute user traffic to sites other than the ones they’re trying to visit. The idea is similar to changing someone’s number in the phonebook to misdirect people who call them.
  • Cybercriminals typically use DNS spoofing to direct users to phishing sites that steal their information, direct massive amounts of traffic to specific sites in order to overwhelm them (a DDoS attack), or prevent users from accessing specific information.
  • Monitoring your company’s DNS server, making sure the websites you use are HTTPS (instead of HTTP), and updating your antivirus software can all make DNS spoofing harder for threat actors. Cybersecurity experts can help you with these tasks.

Cybersecurity crimes have plagued businesses large and small for years, but criminals are increasingly using DNS Spoofing as their tool of choice. In order to protect you and your business from cyber attacks like DNS Spoofing it is important for you to understand what DNS Spoofing is and what measures you can take to protect yourself and your business from it.


What is DNS?

DNS (Domain Name System) is a system that acts like a phone book for the internet. Whenever you click on a link or type a website’s URL into your web browser, your computer sends a DNS request to the nameserver. This nameserver then checks its DNS resolver cache so that it can match the URL you typed with the IP address of the website you are looking for. This is similar to using the phone book to look up someone’s phone number. Each website has one or more unique IP addresses that act like phone numbers.

Once your browser knows the IP address of the website you are looking for it downloads the necessary web pages, which then appear on your computer screen.

In most cases this entire process is completed in a few milliseconds, so you may not even notice it as you move from website to website. Most web browsers default to a nameserver that is specified by your ISP (Internet Service Provider), though many electronic devices allow you to specify your preferred nameserver in your internet connection settings. This allows users to choose whether they would prefer to use a public DNS server or a private one.

A popular example of a public DNS server is the Google DNS server, which you access any time you use Google to search for something.

What is DNS Spoofing?

DNS Spoofing occurs when a user (typically a cybercriminal) alters the entries in the nameserver’s DNS resolver cache. This is analogous to changing someone’s phone number in the phone book so that you can reroute their calls. When someone alters an entry it reroutes user traffic away from the correct site to a different site the cybercriminal has chosen.

Why Do Cybercriminals Use DNS Spoofing?

There are a number of reasons a cybercriminal would use DNS Spoofing for criminal activities. These could include:

Redirecting Traffic

An altered DNS entry might direct visitors to a website they never intended to visit. For example, a cybercriminal may direct users to a phishing website.

Phishing websites typically look almost identical to the real website but are used by cybercriminals to try and trick users into providing sensitive information such as usernames, passwords, credit card information, or even social insurance numbers. However, some Internet Service Providers also use DNS redirection in order to show users advertisements or collect user data before the users continue on to their intended websites.

Read more about phishing.

Launching a Website Attack

Cyber attacks such as DDoS (Distributed Denial of Service) attacks use tools such as DNS Spoofing to achieve their ends. When this happens a cybercriminal might redirect a large amount of internet traffic to a server that is unable to handle that much traffic. This causes the server to either slow down, stop working, or encounter a wide variety of errors. This, in turn, can shut down a website or a company server.

Censoring Information


Since it is nearly impossible to browse the internet without using a DNS server of some kind whoever controls the DNS server controls who can see what on the internet. Some governments use DNS rerouting to censor certain content. This is done by rerouting DNS traffic to limit what the country’s citizens are allowed to see on the internet.

What Can I Do to Protect My Business?

The first step to ensuring your business is protected is to constantly monitor your company’s DNS server so that you can tell right away if it has been tampered with or infected with malware. Most of us are not in the habit of checking our DNS settings, but knowing if and when an attack has occurred is the first step to keeping your business secure.
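One way to turn the monitoring step above into a concrete, repeatable check, as an added example that is not code from the original article: compare the A records your resolver currently returns with a baseline you maintain, and flag any answer that falls outside your own netblocks. The hostnames, addresses and dig-style output below are constructed, and the script assumes you collect such output from your DNS server on a schedule.

```python
"""Added example: detect drift in DNS answers against a known-good baseline.

Assumes you keep a baseline of expected A records for your own names and
collect answers from your DNS server on a schedule (e.g. dig output).
Everything below is constructed so the script runs offline.
"""
import ipaddress

# Constructed baseline: what your zone should answer for each name.
BASELINE = {
    "www.example.com": {"203.0.113.10"},
    "mail.example.com": {"203.0.113.25"},
    "vpn.example.com": {"203.0.113.40", "203.0.113.41"},
}

# Constructed: the netblocks your public services legitimately live in.
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed dig-style answer section: www now points at a foreign
# address and vpn has lost one of its two addresses.
SAMPLE_OUTPUT = """\
;; ANSWER SECTION:
www.example.com.    300 IN A    198.51.100.77
mail.example.com.   300 IN A    203.0.113.25
mail.example.com.   300 IN AAAA 2001:db8::25
vpn.example.com.    300 IN A    203.0.113.40
"""


def parse_answers(dig_output):
    """Group A records from dig-style lines into {name: {address, ...}}.
    Comments, blank lines and non-A records are ignored."""
    answers = {}
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN" or parts[3] != "A":
            continue
        name = parts[0].rstrip(".").lower()
        answers.setdefault(name, set()).add(parts[4])
    return answers


def outside_trusted(addresses):
    """Return the subset of addresses that sit in none of the trusted nets."""
    return {a for a in addresses
            if not any(ipaddress.ip_address(a) in net for net in TRUSTED_NETS)}


def compare_answers(baseline, observed):
    """List every baseline name whose observed answers deviate.
    A change to an address outside TRUSTED_NETS is the strongest
    indicator that the resolver's answers have been tampered with."""
    findings = []
    for name, expected in baseline.items():
        got = observed.get(name, set())
        if got == expected:
            continue
        findings.append({
            "name": name,
            "kind": "missing" if not got else "changed",
            "expected": sorted(expected),
            "observed": sorted(got),
            "untrusted": sorted(outside_trusted(got)),
        })
    return findings


def check_resolver(dig_output, baseline=BASELINE):
    """Parse one collection run and return the findings for alerting."""
    return compare_answers(baseline, parse_answers(dig_output))


if __name__ == "__main__":
    for f in check_resolver(SAMPLE_OUTPUT):
        severity = "HIGH" if f["untrusted"] else "medium"
        print(f"[{severity}] {f['name']}: {f['kind']} "
              f"expected={f['expected']} observed={f['observed']}")
```

Run it from cron against fresh dig output and route any HIGH finding to whoever is on call; a name that silently starts answering with an address you do not own is exactly the symptom the article asks you to watch for.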

You should also always check that the websites you are visiting use HTTPS. HTTPS (Hyper Text Transfer Protocol Secure) is the secure version of HTTP and ensures that all communication between your browser and the website you are looking at is encrypted. You can check this by looking at the section of your web browser where you type in a website’s URL. If the website is secure, the address bar will show an address starting with “https”, a small image of a closed padlock, or both.

Impostor sites will not be secured, so you won’t see either the padlock or “https”. HTTPS ensures that the website in question has a valid SSL certificate, and the padlock indicates that your connection with the site is encrypted. Unfortunately, not all websites use HTTPS, so this method is not entirely foolproof. If you come across a website where “https” is shown in red or crossed out, that means the website’s SSL certificate is not valid and you should leave the site immediately.

You should also make sure your anti-virus software is up to date. This will hopefully stop any malware you do encounter from infecting your device or your network.

Read more: Hacked? Here’s What to Know (& What to Do Next).

Where Can I Get Help?

If you are ever unsure of what steps you should take to secure your business against cyber criminals you should consult with a reputable security expert. They will be able to answer any questions you have, audit your current cybersecurity practices, and recommend steps you can take to better secure your company against cybercriminals.

Basic Website Precautions: Keep Intruders Out With These Fundamental Security Best Practices


Last updated September 27, 2022

Summary:

  • Keeping your organization’s website secure is just as vital as keeping your physical premises safe.
  • Easy tips for improving a static website’s security include getting an SSL certificate, keeping your software up to date, and continuously monitoring your network for evidence of breaches or other cybersecurity problems.
  • To improve the security of a database website (such as one built with WordPress), limit incorrect login attempts, rename your administrator account, and use a non-default URL as your login path.
  • To ensure you choose a secure hosting provider, check to make sure they monitor their network, employ antivirus and malware scanning or removal software, and use other tools like SSL, firewalls, and DDoS prevention.
  • Additionally, make sure visitors cannot access your site’s subdirectories, and use blacklists and filters to keep out bots. Cybersecurity professionals can help you with these tasks.

When you leave the office for the evening you make sure your doors and windows are locked, but if your website isn’t secure your business is still vulnerable. Whether your site is static or dynamic, it may be vulnerable to cyber attacks.

To help keep your website secure, and your data safe, here are nine things you can do to help keep intruders out.


3 Tips for Securing A Static Site

Ensure You Have an SSL Certificate

Have you ever noticed the little lock and the word “Secure” next to a website’s address in the address bar? That is there because of SSL. SSL establishes a secure, two-way tunnel that allows data to move between your server and the user’s computer, keeping private information hidden from prying eyes.

It also helps us ensure that we are connecting to the websites we actually want to visit. SSL helps ensure that when you try to visit your bank’s website (where you are likely going to enter sensitive financial information such as your credit card number) you can verify that you are actually visiting the real website and not a fake set up to steal data.

Even though your static website doesn’t have any user data or credentials that need to be protected, you still need to protect your website’s content from being deleted, hacked, or defaced. You also want to ensure that your users’ privacy is maintained, since cybercriminals can still target users who visit unprotected websites. Having an SSL certificate also puts users more at ease, and makes it more likely that they will visit your website again.

Keep Your Software Up to Date

One way that cybercriminals can gain unauthorized access to websites is by exploiting vulnerabilities that they find in out-of-date software. Once they gain entry they can deface your website’s content, knock your website offline, or even gain access to things like your server in order to host illegal files or send spam.

To counteract this, make sure that your web server’s software is always up to date. As programmers discover flaws in their software they create patches to fix them, but a patch only works if you have it installed.

Stay In the Loop


You may not visit your website every day, but you should still know what is going on. By using programs that provide uptime monitoring you can set up alerts that will let you know if your site has undergone any unexpected content changes.

This will alert you if a breach has happened, and let you mitigate or prevent damage as quickly as possible. A defaced or damaged website is bad for business and could send a bad message to legitimate website visitors.

3 Tips for Securing a WordPress (or Other Database) Website

Implement a Rigorous Username and Password Policy and add Multifactor Authentication (MFA)

It is important for you to educate all of your users about the importance of having strong passwords. To help users select strong passwords the National Institute of Standards and Technology (NIST) released updated guidelines in 2017. Suggestions for making user passwords stronger can be found in section 5.1.1.2 (Memorized Secret Identifiers).

One thing you should always do is make sure that the usernames you choose are not easy to guess. One way to do this is to have users log in with email addresses instead of usernames. If you need to store user passwords on your site for any reason you should make sure they are always stored in an encrypted form. To avoid storing them at all, you may want to consider using OAuth or another third-party identity management service.

You should also ensure that all users are employing multifactor authentication when logging into your website. Multifactor authentication adds another layer of security and alerts users when someone else is trying to log in using their account.

Limit User Logins Based on the Number of Failed Attempts or Implement Rate Limiting

If a user can’t enter their correct credentials three or four times in a row but doesn’t click on the “forgot password” button, it usually isn’t a good sign. Some cybercriminals will attempt to “brute force” a website in order to gain access.

They do this by trying common usernames like “admin” and pairing them with common passwords in the hopes that they will guess the correct combination. Restricting access after a number of failed attempts is a great way to keep unauthorized users out and discourage them from trying to gain access again.

Many unauthorized users use bots to try and brute force their way into websites. One way to dissuade bots from attacking your site is to implement rate limiting. Rate limiting allows users virtually unlimited login attempts but causes a delay between each attempt.

Even a delay of one second, which doesn’t seem like a lot, can hinder a bot’s brute force attempt by making the process impossibly slow by computer standards. This also delays a bot from accessing your site, which increases the likelihood that someone notices the site is being attacked and has time to implement countermeasures before a potential breach occurs.
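The two controls just described (locking an account after repeated failures, and enforcing a minimum interval between attempts) combined in one small login throttle, as an added example that is not code from the article or from WordPress. The user table, the verifier and the FakeClock are constructed for the demonstration; in a real site the throttle would sit in front of your login handler and the lockout events would go to your monitoring.

```python
"""Added example: failed-attempt lockout plus per-attempt rate limiting.

Not code from the article or from WordPress. The user table, verifier
and FakeClock are constructed so the simulation runs offline.
"""
import hmac
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0                    # consecutive failed attempts
    last_attempt: float = float("-inf")
    locked_until: float = 0.0


class LoginThrottle:
    """Rejects attempts that arrive faster than min_interval, and locks
    the account for lockout_seconds after max_failures consecutive
    failures. Rejected attempts never reach the password verifier."""

    def __init__(self, max_failures=4, lockout_seconds=900,
                 min_interval=1.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.min_interval = min_interval
        self.clock = clock               # injectable for deterministic tests
        self.accounts = {}
        self.events = []                 # (event, account, time) for alerting

    def attempt(self, account, password, verify):
        """Returns 'locked', 'rate_limited', 'failure', 'locked_out' or 'success'."""
        now = self.clock()
        st = self.accounts.setdefault(account, AccountState())
        if now < st.locked_until:
            return "locked"
        if now - st.last_attempt < self.min_interval:
            return "rate_limited"
        st.last_attempt = now
        if verify(account, password):
            st.failures = 0
            return "success"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
            st.failures = 0
            self.events.append(("lockout", account, now))  # feed to monitoring
            return "locked_out"
        return "failure"


# Constructed user table. A real deployment stores password hashes
# (bcrypt, scrypt or Argon2), never the plaintext shown here.
USERS = {"alice": "correct horse battery staple"}


def verify(account, password):
    """Constant-time comparison against the stored secret."""
    return hmac.compare_digest(USERS.get(account, "").encode(), password.encode())


class FakeClock:
    """Constructed clock so the simulation does not actually sleep."""
    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_bruteforce():
    """Replay a guessing sequence against alice and return the outcomes."""
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=4, lockout_seconds=900,
                             min_interval=1.0, clock=clock)
    outcomes = [throttle.attempt("alice", "guess1", verify)]          # failure
    clock.advance(0.2)                                                # too fast
    outcomes.append(throttle.attempt("alice", "guess2", verify))      # rate_limited
    for guess in ("guess3", "guess4", "guess5"):
        clock.advance(1.0)
        outcomes.append(throttle.attempt("alice", guess, verify))     # failure x2, locked_out
    clock.advance(1.0)
    outcomes.append(throttle.attempt("alice", USERS["alice"], verify))  # locked
    clock.advance(900)
    outcomes.append(throttle.attempt("alice", USERS["alice"], verify))  # success
    return outcomes, throttle.events


if __name__ == "__main__":
    outcomes, events = simulate_bruteforce()
    print(outcomes)
    print(events)
```

Note that the correct password is refused while the lockout is active, which is the trade-off the article accepts: a legitimate user waits a few minutes, while a bot's guessing rate collapses and every lockout leaves an event someone can act on.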

Rename Your Admin Account

One of the first rules of website security is to not use Admin as your administrator username or your WordPress username. By ensuring that your admin account’s username is less easy to guess it can slow down and even prevent unauthorized users from gaining access to your website. When you keep the default Admin username you are solving half of the login puzzle for any potential cybercriminals and reducing your website’s security.

Change the Login Path to a Non-Default URL


WordPress is the most popular CMS on the planet, and /wp-admin/ is the typical login path. Bad actors exploit this by quickly accessing your login page and attempting to brute force their way in. A simple act of changing the login path is surprisingly effective.

3 Tips For Making Sure Your Hosting Provider Is Secure

Make sure you vet your hosting provider carefully and select one that offers a secure hosting environment.

Ask if Your Hosting Provider Monitors Their Network

In order to prevent malware from spreading it needs to be detected first. If malware manages to get onto the server system your hosting provider is better able to keep it from infecting the server that hosts your site if they are monitoring their internal traffic diligently. When choosing a hosting provider you should ask for some details about how the support team monitors the network, which staff conducts the monitoring, and what sort of traffic raises their suspicions.

Look For Antivirus and Malware Scanning and Removal Capabilities

Before you choose a hosting provider make sure you understand what sort of protection from malware they offer and what you will need to do to ensure your website is fully secure. You should also be sure to ask if their support team scans files in your account and if you can access those reports. You should also be clear on what will happen if your account becomes infected and if your hosting provider will help you identify and remove malware.

Ask About SSL, Firewalls, and DDoS Prevention

Ask your provider about what sort of protocols they have in place to prevent cyber attacks. A good firewall can help prevent DDoS (Distributed Denial of Service) attacks from occurring in the first place. DDoS attacks flood your website with traffic, rendering it useless to legitimate visitors.

You should also check to see if your hosting provider makes SSL certificates available. You will likely be responsible for implementing the certificate, but your host needs to be able to provide them in order for you to do that.

There are a number of things you can do to help keep your website secure from cybercriminals. By having robust security practices (such as strong passwords) in place and keeping your software up to date you can dissuade cybercriminals from attacking your site. You also don’t have to handle all of your cybersecurity alone. By selecting a web hosting provider that has their own robust security protocols in place you can add another layer of security to your digital assets.

Lock Down Folders and Subdirectories

Preventing people from accessing subdirectories in the site helps ensure that they are unable to access exploits or vulnerabilities associated with back-end software, upload folders, etc. Setting these permissions to 755 is a simple way to keep people out.

Add Bot Filters & Maintain an Active Blacklist

Many bad actors utilize bot networks with known IP addresses and points of origin. Several blacklists exist that you can use to filter out these bots. Work with your web host to ensure your IP filtering and firewall is appropriately configured.

This Is a Great Start… But It Is Only a Start

Implementing the above precautions will go a long way in preventing intrusion. However, the above is very much “the basics”. Once you’ve got them completed, look into more advanced methods to keep your website and data secure.

Recapping DerbyCon 8.0


Written by Tianyi Lu, Chief Architect

Compared to larger security conferences, such as Def Con or Black Hat, DerbyCon is more intimate. For me, this means that I’ll have more opportunities to engage speakers and have meaningful conversations. This intimacy is by choice: the conference is quite exclusive, with tickets selling out within minutes of being released.

If you’ve never attended, DerbyCon is held annually in Louisville, KY and typically draws several thousand attendees, ranging from individual cybersecurity contractors to high-level security architects from major companies like Facebook, Google, Twitter, Walmart, and so on.

Moreover, it’s rumored that undercover agents from the NSA, FBI, and CIA are in attendance every year.

Seeing Red

Compared to other conferences, DerbyCon is heavily focused on the red team, with most of the talks being about exploits, how specific exploits/malware operate, and the TTPs (Tactics, Techniques, and Procedures) that malicious actors – members of the “red team” – utilize.

Understanding how malicious actors – the “red team”, as it were – operate is important in understanding how to defend against them.

The blue team – cybersecurity firms and defenders (like us) – are constantly working to reverse engineer the thinking and reasoning employed by the red team. This is a constant struggle that we must participate in and lead if we are to be successful in keeping the web – and our clients – secure.

Takeaways From a Talk About App Security

Tech companies value their security and the security of their users. No company wants their name, product, or operating system tied to the next big breach.

In one interesting talk I attended, Apple described the new built-in security features in the latest version of MacOS. Called application code signing, it effectively acts as a digital notary. Developers seeking to create a new app for the Mac or iOS ecosystem are required to register with Apple and have a valid developer ID. This ID works with a security agent on the Mac (called Gatekeeper) and is designed to ensure that the apps users are downloading are legitimate and safe.

Unfortunately, Gatekeeper is quite easy to bypass and thus doesn’t provide more than a cursory level of security. This is a prime example of why it’s important to take security seriously and be diligent. Even though device manufacturers go to lengths to secure their products and ecosystems, the red team is working just as hard to circumvent them.

Cat and Mouse

Every year DerbyCon unveils several 0-day exploits. These exploits – security gaps found in code that haven’t been patched or discovered by their respective vendors – represent a very real risk to people and organizations utilizing the affected software. These exploits are not created by DerbyCon, but are “released” in that security professionals and researchers disclose them publicly for the first time.

0-day exploits are particularly dangerous because the red team often takes advantage of them, using them in ways that antivirus/antimalware software often doesn’t recognize.

As usual, it’s an ever-evolving game of cat and mouse. As there is no singular security tool that can subdue the reds, we rely on changing the economics of an attack via a “security in layers” approach. Given that no one method or tool is invulnerable, this layered approach has demonstrated itself to be the most economical and effective way of approaching security.

By having many layers of defenses that work in concert with each other, you deter attackers and make yourself an unappealing target. Resources are limited, and carrying out an attack requires a financial and labor commitment. By being more secure than your peers, you become a less appealing target, and attackers will shift their efforts elsewhere.

We’ll See You at DerbyCon 2019!

All told, this year’s DerbyCon was an eventful one with great information and excellent opportunities to connect with security professionals from all over the United States (and the world). We will be back again next year.

Until next time!

IT Security vs Compliance: What Are Their Differences?


Last updated September 27, 2022

Summary:

  • IT security can help businesses with satisfying compliance requirements, but the two are not the same. Just because your business is in compliance with IT standards for your industry doesn’t necessarily mean it’s secure from cyber threats.
  • Being compliant simply means your organization meets base-level standards for your industry—usually set by governments or regulatory agencies.
  • Most compliance standards do not require active monitoring of your network and IT infrastructure—two steps that are vital for reliable cybersecurity.
  • Active threat monitoring through SIEM (security information and event management) gives you the ability to detect and respond to network threats in real time. Virtual Armor provides this service for organizations of many kinds.

The past year has been one of the most eye-opening for many businesses with respect to their cybersecurity needs. Thanks to numerous high-level data breaches and hacks, as well as the May 2018 rollout of GDPR, the importance of security is now front and center.

When companies like Equifax, Cloudflare, GoDaddy and Uber endure major (and very public) data breaches, it’s only natural for business leaders to want to make sure their own house is in order.

Increased awareness has driven a lot of conversations about the importance of being compliant with modern privacy and data protection standards (such as GDPR or HIPAA). However, being compliant is not the same as being secure, even though a sound security program is what makes compliance achievable. Understanding the difference between compliance and cybersecurity is important to making the right decisions about your business’s security needs.

Taking a top-down approach to compliance

In most cases, compliance is driven by external forces such as industry regulations and government legislation. Being compliant with a specific standard means that you meet its base-level security requirements, but compliance itself does not replace active cybersecurity (more on this below).

Understanding the outside forces that influence compliance

In the United States, healthcare has a specific standard for how patient information is handled, the Health Insurance Portability and Accountability Act (HIPAA), that businesses in that space are required to follow. HIPAA’s Security Rule stipulates the administrative, physical, and technical safeguards that must be in place wherever electronic protected health information is stored, processed, or transmitted.

GDPR is a bit different. In addition to requiring security measures, it goes into depth about data subject rights, the lawful basis for processing, and consent. For a business to be GDPR compliant, there are not only security requirements to consider but business and operational processes as well.

PCI DSS – the Payment Card Industry Data Security Standard – is another example where being compliant means investing in specific security controls, particularly around how cardholder data is stored and protected. It also dictates which data may be stored at all: sensitive authentication data such as the card verification code, PIN, and full magnetic-stripe contents must never be retained after authorization, and the primary account number (PAN) must be rendered unreadable (by truncation, a keyed hash, tokenization, or strong encryption) anywhere it is kept.
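To make the “what may be stored” rule concrete, here is a small storage gate in the spirit of PCI DSS Requirement 3. This is an added example, not code from the original article or from any PCI document: the record layout, the field names treated as sensitive authentication data, the environment variable that supplies the hashing key, and the traditional first-six/last-four masking are all assumptions made for the example.

```python
"""Storage gate for cardholder data: refuse sensitive authentication data,
validate the PAN, and persist only a masked form plus a keyed hash.

Added example, not the article's or any PCI document's code.  The field
names, the key source and the masking width are assumptions.
"""
import hashlib
import hmac
import os

# Assumption: these field names carry sensitive authentication data, which
# PCI DSS forbids retaining after authorization.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc2", "cid", "track1", "track2", "pin", "pin_block"}

# Assumption: the HMAC key is managed separately and injected via the
# environment.  The fallback exists only so the example runs stand-alone.
PAN_HMAC_KEY = os.environ.get("PAN_HMAC_KEY", "example-key-do-not-use").encode()


def luhn_ok(pan):
    """Luhn check-digit validation, so malformed input is rejected early."""
    if len(pan) < 13 or not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Truncated PAN for display and storage: first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan):
    """Keyed one-way hash of the PAN: a deterministic lookup token that cannot
    be reversed to the PAN without the key."""
    return hmac.new(PAN_HMAC_KEY, pan.encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(record):
    """Return the subset of `record` that may be written to the database.

    Raises ValueError if the record carries sensitive authentication data or
    a malformed PAN.  The full PAN is never part of the returned record.
    """
    present = FORBIDDEN_FIELDS & set(record)
    if present:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(present)}")
    pan = record["pan"].replace(" ", "")
    if not luhn_ok(pan):
        raise ValueError("malformed PAN")
    stored = {k: v for k, v in record.items() if k != "pan"}
    stored["pan_masked"] = mask_pan(pan)
    stored["pan_token"] = pan_token(pan)
    return stored


if __name__ == "__main__":
    # Constructed input using a well-known test PAN.
    ok = prepare_for_storage({"pan": "4111 1111 1111 1111", "expiry": "12/27", "cardholder": "Test"})
    print(ok)
    try:
        prepare_for_storage({"pan": "4111111111111111", "cvv": "123"})
    except ValueError as e:
        print("rejected:", e)
```

The keyed hash rather than a plain SHA-256 is deliberate: a bare hash of a 16-digit number with a known prefix is cheap to brute-force, which is why a keyed hash (or tokenization) is the form PCI DSS accepts. The key must live somewhere the database cannot reach, or the hash protects nothing.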

Standards like these three set only a baseline for security.

Operational compliance

For many businesses, being compliant means “checking the right boxes” and ensuring that they would pass an audit. In effect, being compliant is as much about demonstrating compliance to an auditor as it is about investing in the technical or process-driven aspects of security.

It is important to understand that being compliant is not the same as being secure. Even where a standard does call for log review, it sets a minimum cadence (PCI DSS, for example, asks for daily review of logs from critical systems) rather than continuous monitoring of your network and IT infrastructure with someone ready to respond.

Without active monitoring, the typical outcome is being breached and finding out days, weeks, or sometimes months later. The 2013 Target breach is an example: Target’s monitoring tools did raise alerts during the intrusion, but they went unactioned until the card data was already gone. The Virginia bank breaches that came to light in the summer of 2018, which cost the bank more than $2M, are another.

Security empowers compliance, but does not replace compliance

So we know that a business can be compliant yet still carry security vulnerabilities that threaten its data. Addressing those gaps is where your security team comes in.

Understanding modern cybersecurity

Modern cybersecurity focuses on three things: the user, the network, and active threat monitoring.

The user is the most common weak point. Attackers often gain access to sensitive information simply by getting a firm’s own staff to hand it over, whether through in-person social engineering, the same manipulation over the phone (vishing), “visual hacking” such as shoulder surfing, or the all-too-common phishing email.

The point is, bad actors often target your personnel first. It’s easier to be handed keys to the castle than it is to go and forge your own.

Through training and process changes, security firms work to reduce the “people” factor in a business’s security mix.

The network is the technical side of your business. Security providers use firewalls, anti-malware tools, network monitoring tools, endpoint protection for devices such as laptops and phones, and other hardware and software designed to secure your network and keep unauthorized users from reaching information they shouldn’t. More often than not, this now has a cloud element too: the same controls have to cover workloads and identities that live outside the office network.

Active threat monitoring, usually built around a security information and event management (SIEM) platform, is the foundation of modern cybersecurity. A SIEM collects logs from endpoints, network devices, servers, and cloud services, correlates them in near real time, and raises alerts on suspicious patterns so that a threat can be identified and responded to as it unfolds rather than at the next audit. When you invest in active security, whether through an in-house team or a managed security services provider, the SIEM is a major component of how they keep you safe. Two things make it work: the ancillary tooling that ships the logs in the first place, and the people and process that act on an alert once a threat is identified. A SIEM nobody watches is just expensive storage.

IT Compliance vs. Security

The best way to visualize the differences between compliance and IT security is to think of your business as if it were a building.

Being compliant with relevant standards – such as HIPAA – means that you have doors, windows, and locks that meet these standards. This doesn’t mean that these doors, windows, and locks are secure, or even actively used… just that you have them in the first place.

Investing in security is akin to having someone ensuring that the doors, windows, and locks are always appropriately secured and that they are not accessed or opened by anyone that doesn’t have authorization.

While you may be compliant and have the right lock, your security team will ensure that said lock is always kept locked and secure.