The protection of your organization’s information security will involve one key principle: control over access. Whether through mistake, compromised log in credentials or fraud, a user can inflict significant damage on your organization’s sensitive data if that user has free reign over several databases or networks. Logical security protocol makes it more difficult for one user to be the source of a major issue.
A strong set of controls over access, also known as logical security, covers several elements, including: user segmentation, permissions, detective controls and mitigating controls. A review of your policies in light of what a strong logical security strategy entails can help your organization strengthen its cybersecurity.
One person should not have the keys to the kingdom. This is particularly important for financial data. A user should not be able to create a vendor, write a check and send it out without another person authorizing the check; such a situation would be highly vulnerable to fraud. A second person should also review any journal entries before they are authorized and posted.
From a software perspective, proper segregation of duties often involves change management controls. A user who makes several updates to a system should have at least one other person approve it before the updates are moved into production.
Log in credentials also help with user segmentation. Although it may be tempting to use a general log-in for certain software, having unique user names helps IT personnel trace any issues that may arise back to a specific, named user.
Closely related to user segmentation are permissions. Permissions may be one of the strongest preventative controls organizations have at their disposal because they keep unauthorized users from accessing sensitive information.
Most organizations have various levels of user access into their data and systems. Part of the cybersecurity strategy should entail how those permissions are monitored. As employees leave or take new positions, permissions will need to be reviewed and updated timely
Other permission controls may help protect your organization’s systems from malware. Admin features should be disabled on employees’ laptops to reduce the risk that an employee accidentally downloads a virus or form of malware when attempting to install unauthorized (and possibly infected) software on their local workstation or laptop. Your IT department may also want to consider disabling the flash drive on a laptop because flash drives tend be common way viruses are introduced into a network environment
Physical access permissions are also important because many organizations work with third party storage facilities or IT functions. Organizations should have comprehensive lists (that are kept current) on who has access to servers, processing areas, and other storage areas whereby sensitive electronic and paper data resides. Physical access permissions should be continually monitored for changes to personnel, locations and job role changes.
An information security breach can only be stopped once it’s detected, which make detective controls essential. Anti-virus software is among the most common detective controls organizations employ, but there are others worth considering as well. Alerts about firewall failures, server malfunctions or other unusual activity can help accelerate response time for potential information security issues. Reporting features may also help with detective controls because they can allow administrators to see user activities and detect patterns in behavior before it becomes a significant problem.
Robust security generally involves several layers of protection, and information security is no exception. Your organization’s information security protocol should have mitigating controls so that if one set of controls fails, there is another control in place. For example, if a device is lost or stolen and an unauthorized user is able to log into a company-issued device, an IT department should be able to remotely wipe the device’s data to prevent further data compromise. This mitigates the risk the confidential client data is exposed.
Some organizations allow employees to bring their own devices to work. Home computers, phones and tablets can be extremely vulnerable to malware and other viruses that could lead to an information security breach. Any time a personal device is used to access sensitive organizational data, the company should consider installing its anti-virus software on the device or at the very least, software that would allow for the remote deleting of data should the device be compromised.
Complex passwords are also important. If your organization does not follow a policy that passwords are changed after a set amount of time, it should consider implementing one. Another emerging trend in password protection is for employees to use “pass phrases” as part of their log-in credentials. Log-ins with more than 32 characters are harder for an unauthorized user to guess and may be easier for employees to remember if it is a phrase with characters and letters.
Logical security should be a key component of your ongoing cybersecurity risk evaluation. For more information about how to incorporate strong logical security components into your risk mitigation strategy, please contact us.
Previous Issues of the 7 Ways to Strengthen Cybersecurity Series
Copyright © 2017, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).