Are You the Biggest Threat to Your CT Company's Cyber Security?

Data security is a concern for anyone who runs a Connecticut company, but surprisingly, Connecticut entrepreneurs and CEOs may be the worst offenders when it comes to opening up the corporate enterprise to potential security risks.

In order to have a secure network infrastructure, you need to have inviolable security protocols in place, including who can load new applications. However, CEOs and senior executives tend to be masters of the computing workaround, introducing maverick software and solutions that can expose corporate data.

Balancing Security and Productivity

According to the Code42 CTRL-Z vulnerability report, senior managers and CEOs are often the ones responsible for putting corporate data at risk. Despite the fact that 63 percent of CEOs claim that losing corporate data would destroy their business, 75 percent of CEOs and 52 percent of business decision-makers are responsible for introducing unauthorized applications into the network: software not approved or tested by the IT department.

The CTRL-Z report shows that 80 percent of CEOs and 65 percent of decision-makers use unauthorized applications to improve productivity. At the same time, half of IT decision-makers say that protecting company data is vital to protecting the company’s brand and reputation, and 50 percent of CEOs and 61 percent of CIOs agree. This is a growing concern, because IT professionals report that 60 percent of all corporate data resides on laptop hard drives rather than a central server that can be better protected. While the majority of organizations have laptop backups in place (86 percent), only 13 percent have tested the backup programs, and 95 percent have server backups in place, but only 8 percent have tested them.

The Risk of Unauthorized Software

For every Connecticut company, the issue becomes one of balancing risk against productivity. Unauthorized software poses a number of security concerns.

Hackers are continually hunting for new vulnerabilities that give them access to company systems. In fact, small businesses have become a bigger target for hackers. More than seventy percent of data breaches have been perpetrated on companies with fewer than 100 employees. Unauthorized software makes the hacker’s job easier, because it is unmanaged, which means that software patches aren’t up to date, and configuration may create vulnerabilities.

Seemingly innocuous applications can pose the greatest risks. Applications that use instant messaging and peer-to-peer communications, for example, are especially vulnerable to malware. Browser extensions also can pose a potential threat.

There also are regulatory risks. Any Connecticut company in the healthcare sector, for example, has to comply with HIPAA regulations to protect patient privacy. Unauthorized software can pose a security risk that could mean thousands of dollars in fines for HIPAA violations.

Corralling Maverick Applications

So how can you rein in maverick applications? Here are just a few strategies to consider:

• Administrative restrictions – For laptop and workstation users, the IT department should eliminate the option to access administrative privileges. Without administrative access, users can’t install their own software or make registry modifications. Potential damage and compatibility problems from illicit software, as well as security issues, are directly related to the level of user privilege. Wherever possible, limit users to running applications, not modifying them. The same is true of managing corporate data; lock data to prevent users from downloading sensitive files to a laptop or portable drive.

• Prevent illicit installations – Every organization needs to have a single authorized group to evaluate, test, deploy, and manage company software. Users who are not part of that group should not be able to access external software. Most unauthorized applications are introduced via email, web downloads, or removable media. To prevent loading of unauthorized apps, set up perimeter security controls to block executable files (e.g., .exe, .msi, .bin) along with certain types of multimedia mail attachments.

• System monitoring – It’s also important to monitor the network in the event something does happen. Enterprise systems monitoring can uncover anomalies or odd behavior that could indicate a data breach. Monitoring can be performed locally, but remote monitoring services tend to be more comprehensive and often spot problems that local system monitors may miss.

• Secure data backups – In addition to watching for security problems, you need to be prepared to recover from a security breach. Maintaining clean backups, both of critical systems and business data, can provide a fail-safe in the event of a security breach. Data backups are a routine task that is usually more cost-effective to outsource to an external service provider.

A managed service provider (MSP) is in an ideal position to monitor for unauthorized applications and ensure systems security. MSPs like NSI provide consulting services to Connecticut companies, showing them how to protect their enterprise systems and eliminate unauthorized software. MSPs also provide services such as remote systems monitoring and backup and disaster recovery services.

So, don’t think that your CT company is immune to cyberthreats or that your employees aren’t adding unauthorized software and programs to company hardware. You can prevent a possible data breach by locking down your computer infrastructure so that only authorized users can add or change system software. Your local MSP can help you develop a software management strategy that doesn’t have to sacrifice productivity for security.