Are you Penetration Testing?
Your business has tremendous value. Your stock, your data, your intellectual property and, most of all, your staff. Can your business be penetrated by people after what’s in your business? I am sure you’ve heard the term penetration testing. When you hear the phrase, do you consider it to be just about your IT or about your business as a whole?
Let’s look at the various ways your business can be penetrated and what you can do about it.
It’s amazing how many people have the nerve to simply stroll into a building, whether it’s an office, a supermarket’s warehouse or any other area marked Staff Only. They get through on confidence alone and the expectation that nobody will challenge them; they know that most people are too afraid of getting it wrong to ask. It doesn’t work so well in small companies, but in larger businesses or in multi-tenant buildings it is much easier: once staff no longer know everyone who is supposed to be there, spotting an intruder becomes difficult.
- If your staff don’t wear a uniform, we recommend a security system with ID cards. The cards will work the door entry systems and, when they have a photo on them, provide a way of instantly seeing whether someone should be in the building or not.
- Encourage people to challenge those who aren’t displaying their cards. They should never get into trouble for challenging someone incorrectly. Suggest that this is simply an opportunity for them to get to know a colleague they haven’t met yet!
- If they do wear a uniform, make sure name badges are also on display. It helps other staff to confirm whether the person is really who they claim to be.
- As mentioned in our last blog, the front door isn’t the only way into a building. Fire exits and delivery areas can easily be used. Make sure these doors are closed when not in use. For fire exits, we recommend they are only used for their designated purpose. Alarm the doors so you know if one is opened. Needing a nicotine fix isn’t a reason for using a fire exit.
Your intellectual property and your customer data are on your network, and they are valuable. Your network can be attacked from outside your business and from inside. Let’s look at how you can protect it:
From external penetration
- Your firewall is your first line of defence. Do not skimp on its protective capabilities just to save a few quid. Current firewalls focus far more on threat detection and remediation: they can inspect traffic for known malware and alert you when your network defences are being probed. Make sure someone actually reads those alerts.
- Anti-malware and anti-virus software are vital today. Email and websites are the two main ways malware reaches your network. Look at products such as Malwarebytes and the ESET range, but there are plenty more on the market. Judge them on independent test results (detection rates and false positives), not just the vendors’ own performance statistics.
- Set a strong password policy for all network devices and accounts: long, unique passwords, and no shared or default credentials. This is particularly relevant if you use a hosted IT or remote desktop solution that lets staff work from any suitable device. Add two-factor authentication to that remote access, so a guessed or stolen password alone is not enough to get in.
From internal penetration
Whether it is protection from unauthorised people who get into your building or from disgruntled staff, you need to seriously consider how to protect your network data.
- Do staff need to copy data onto USB sticks for their job? If not, configure your computers so that removable storage cannot be written to, or cannot be used at all. USB sticks are easily hidden and easily connected to a desktop or laptop to copy data.
- Do you have paper files? If so, how are they stored and who can get into that area? You are legally required to keep certain records for up to seven years, but that doesn’t mean they have to be kept on paper. Unlocked filing cabinets and store rooms give easy access to your data.
- When you reach the point where this data can be destroyed, what do you do with it? A cross-cut shredder is the minimum; an outsourced document destruction company that provides a certificate of destruction is the next step up.
- Did you know you can configure your email system to block attachments sent to personal webmail addresses such as Hotmail or Gmail? Staff don’t need a USB stick to get data out of the building; email is the easier route. By the way, do your employment contracts state that you may monitor and read company email? You hope never to need to, but it matters if you suspect a member of staff.
- Implement security checks. Checking bags and pockets near an exit is a perfectly legitimate security procedure and will make people think again before trying to remove something from the office they aren’t supposed to.
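As an added example (not the article’s own code), here is how two of the controls above, blocking writes to USB sticks and rejecting attachments sent to personal webmail, can be applied on a Windows and Microsoft 365 estate with PowerShell. The registry key and class GUID are Microsoft’s documented “Removable Storage Access” policy settings; the rule name, the list of webmail domains and the rejection text are assumptions to adapt to your own business.

```powershell
# Added example, not the article's own code. Two insider-exfiltration controls:
#   1. deny writes to removable disks on a Windows endpoint
#   2. reject outbound mail with attachments to personal webmail domains (Exchange Online)
# Run section 1 in an elevated PowerShell on the endpoint (or push the same key via GPO),
# section 2 in a session with the ExchangeOnlineManagement module and an admin account.

# --- 1. Removable disks: deny write access ------------------------------------
# Same setting as the Group Policy "Removable Disks: Deny write access"; the GUID is
# Microsoft's device class for removable disks. Use -DenyReadToo to block use entirely.
function Set-RemovableDiskWriteDeny {
    [CmdletBinding()]
    param([switch]$DenyReadToo)

    $removableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    $key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$removableDisks"

    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'Deny_Write' -Value 1 -Type DWord
    if ($DenyReadToo) {
        Set-ItemProperty -Path $key -Name 'Deny_Read' -Value 1 -Type DWord
    }

    # Check: read the policy back. It applies the next time a device is plugged in
    # (reboot if in doubt). Phones and cameras enumerate as WPD devices under other
    # GUIDs and are NOT covered by this key.
    Get-ItemProperty -Path $key | Select-Object Deny_Write, Deny_Read
}

# --- 2. Exchange Online: reject attachments to personal webmail ---------------
# Domain list, rule name and reject text are assumptions; extend the list to the
# webmail providers your staff actually use. -FromScope InOrganization limits the
# rule to mail sent by your own users; -AttachmentSizeOver 1KB is the usual way
# to match "message has any attachment".
function New-WebmailAttachmentBlockRule {
    [CmdletBinding()]
    param(
        [string[]]$WebmailDomains = @('gmail.com', 'googlemail.com', 'hotmail.com',
                                     'hotmail.co.uk', 'outlook.com', 'live.com',
                                     'yahoo.com', 'yahoo.co.uk', 'icloud.com'),
        [string]$RuleName = 'Block attachments to personal webmail'
    )

    Connect-ExchangeOnline   # prompts for an admin login
    New-TransportRule -Name $RuleName `
        -FromScope InOrganization `
        -RecipientDomainIs $WebmailDomains `
        -AttachmentSizeOver 1KB `
        -RejectMessageReasonText 'Attachments cannot be sent to personal webmail addresses. Contact IT if you need an exception.' `
        -Mode Enforce `
        -Priority 0

    # Check: confirm the rule exists and is enabled before trusting it.
    Get-TransportRule -Identity $RuleName |
        Format-List Name, State, Mode, RecipientDomainIs, AttachmentSizeOver
}

Set-RemovableDiskWriteDeny
New-WebmailAttachmentBlockRule
```

Roll the mail rule out with `-Mode Audit` first and review the message trace for a week, so you see which legitimate senders would have been blocked before you enforce it. Both controls close one route each: a mail rule does nothing about a file uploaded to a webmail site in a browser, which needs web filtering or a DLP product, and the registry key only governs removable disks, not phones plugged in as media devices.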
All the policies and procedures in the world won’t protect your business from penetration if they aren’t followed. Penetration testing is how you find out whether they are:
- See if someone can walk into your business unchallenged.
- Try to copy data out, either onto a removable drive or by downloading it from a remote location.
- See if someone can steal something physical, whether it is paper files or prototypes.
Protecting your business becomes ever more important as the ways into it become more effective and harder to stop, but the key to all of this is to test.
We hope we haven’t scared you (too much) with this article. If you are worried, give us a call and we’ll happily discuss your concerns.