Category Archive: Blog Posts

By Daniel Gottilla

Tech Tip: Upgrade Your Policies and Procedures

So much about vulnerability management has to do with technology. From the hardware and software you use to the communications tools you rely on for remote employees, most information security measures address what you can do to make the technology safer. That’s why so many businesses rely on their IT departments and IT consultants to help them create and maintain their systems.

However, there is another aspect to vulnerability management that has little to do with the equipment you use: policy and procedure management. Considered the real “business” side of running a business, the policies and procedures you present to your employees are the backbone of your company. Your policies and procedures determine a standard for activity, morality, and business practices. They also provide a written resource for use across the board.

That’s why any good vulnerability management plan will include a look at your IT policies and procedures. When done correctly, this means you will address:

  • Employee rights and responsibilities
  • Data confidentiality issues
  • Personal computer best practices
  • Routine maintenance and repair
  • Workstation configuration
  • Risk management
  • Security procedures
  • Damage control

Putting these types of issues into writing and integrating them into company policy means that you have an additional layer of protection – especially when it comes to legal issues arising from federal information security standards.

After all, you can’t watch all your employees all the time, but by enforcing a general standard company-wide, you can ensure that you’re doing your best to cover all your bases when it comes to information security.

By Daniel Gottilla

Vulnerability Management: Beyond Patching

Much of the time, businesses associate vulnerability management with patching and other types of IT repairs. To an extent, this is true; a large part of protecting your network against potential damages is to find the holes in your system and repair them.

However, patching is really only a temporary IT solution. Over time, continually relying on patches can start to wear on a system to the point where the solution becomes a problem of its own. It’s a lot like a favorite pair of jeans. One or two holes can be fixed with a needle and thread or a funky patch, but there comes a point where your original pants are all but gone, and what you’re looking at is a collection of mismatched repair jobs.

There are a number of reasons why this might put a strain on your system – and your bottom line.

  • Some patches aren’t adequate to fix an entire problem. They may provide an immediate solution, but without follow-through work, the hole might simply reappear.
  • Patches typically work for one issue only. You might be required to install several patches for several different holes; this is neither time-effective nor cost-effective in the long run.
  • Your entire system can be burdened by “over-patching.” Instead of one streamlined system, you’re relying on a bulky system that may require additional time for processing data.
  • Relying on patches means you stop looking at the bigger picture – a good, well-working system. Instead of spending a few hours every week addressing problems on your out-of-date system, you could upgrade your network and let your system operate at its maximum potential.

System patches do have a time and a place in IT vulnerability management – they can secure your system and let you get back to the job you do best. However, if you find yourself spending more than a few hours a month addressing patches, or if your system hasn’t been upgraded (or checked by an IT professional) in a year, it might be time to readdress your vulnerability management plan.

By Daniel Gottilla

I’ve Done an Information Security Scan. Now What?

Most companies already know that doing regular information security scans is good business. After all, by being proactive with your IT network, you can find weaknesses before they are exploited by hackers, malware, or simply overuse by legitimate customers. However, part of using information security scans effectively means doing more than getting that regular update: it also means doing something about it.

Vulnerability scanners and other information security scans have become a common part of almost any company that deals with technology and communication. Today’s most popular scans are faster, more accurate, and more effective at finding weaknesses than ever before – and they can be implemented by the most rudimentary IT staff.

However, one of the biggest problems with these information scans is that they only solve half of the problem. They are adept at discovering weaknesses and problems, and alerting you to them. They are not programmed to actually deal with these problems or even tell you how to go about doing it on your own.

That’s why any good vulnerability management plan will help you determine not only where your weaknesses are, but what you can do about them. For example, you will need to determine:

  • How important or dangerous each of the scan findings is, and how to prioritize them accordingly.
  • What types of remediation strategies are available, and which ones are the best fit for you.
  • How to patch, reconfigure, or upgrade your network to “fix” the problems determined by the scan.
  • What the next steps are in keeping the system secure and up-to-date.

That’s why many companies turn to IT consultants or professional IT firms that specialize in vulnerability management for help. While it certainly is possible (and cost-effective) for companies to run their own information security scans, it can really help to have that professional guidance to make sure all the findings are addressed appropriately. In this way, information scanning is a lot like breaking a bone; while the x-ray technician may be great at discovering where the problem lies, you really want the doctor to set the bone. It’s the only way to heal properly and efficiently.

By Daniel Gottilla

Understanding Information Security Scans

Information security scans are programs that search your IT network for areas that might need repairs, changes, or other alterations to strengthen your system. There are a variety of different types of scans, and many businesses rely on a combination of features to get the most out of their vulnerability management program.

When choosing or working with your IT department to determine what kind of information security scan will work best for you, you’ll need to consider the following:

  • Automation – Some information security scans can be set to run automatically on a weekly, monthly, or quarterly basis. Like most types of virus protection, these scans will alert you to any weaknesses or damages so that you can make the proper repairs. They are also similar to virus protection software options in that running the scan can slow down your operating systems.
  • Penetration Testing – Penetration testing is basically your way of becoming a “hacker” into your own system. Your goal is to find a way in – only instead of getting in to do damages, you want to find the doors and effectively seal them off against future attacks.
  • Data Compilation – Much of the time, the information you get from an information security scan is highly technical and specialized. While some types will allow for automatic repairs, you may need to call in an IT consultant to help you interpret the results and take appropriate actions.
  • Regular Reviews – Because the Internet and information technology are always changing, the protective walls you have today might crumble by next month. If you aren’t using an automated scan (or if your automated scan needs an update itself), you might need to implement regular information security reviews into your company policies.

If you’re in any business that works with clients or communicates on a daily basis (and who isn’t?), information security scans are a must-have. There is no better way to ensure compliance with federal and business regulations and to keep your company running as effectively as possible.

By Daniel Gottilla

What Exactly Is Vulnerability Management?

Vulnerability management is a bit of an IT buzzword these days. Many companies use it to mean everything from specialized information security measures to standard IT support – with plenty of room for interpretation in between. This can be confusing for businesses that simply want to know what they can do to make their business run more effectively.

At its core, vulnerability management is simply a way to address IT weaknesses in all aspects of computers and communication. From finding and reviewing IT issues to preventing problems and repairing them once the damage is done, vulnerability management is a way to keep your business running safely and efficiently – no matter what’s happening out in the big, bad world.

Some of the primary components of vulnerability management include:

  • Security reviews, including penetration testing or other quantifiable issues
  • Prioritizing vulnerabilities based on the potential for danger as well as the feasibility of addressing them
  • Implementing solutions where needed
  • Strengthening areas that carry the potential for weaknesses later on
  • Regular reviews and updates
  • Employee training to ensure proper use of all information security measures
  • Company-wide policy and procedure creation
  • Capacity planning for expected (and unexpected) company growth
  • Disaster recovery planning and damage control in the event of a catastrophe
  • Ensuring compliance with federal and state information security codes

Of course, your business will dictate exactly how in-depth each of these categories is and how much time and money you’re willing to put into your information security network.

At the end of the day, vulnerability management is really just a way to safeguard the way you communicate and secure customer information. It doesn’t matter whether you serve one hundred clients or one million; your business is only as good as the IT network you have backing you up.

By Daniel Gottilla

Choosing Hardware with Information Security in Mind

Information security is typically one of those things that businesses consider after they already have all their equipment and networks in place. Like purchasing insurance or other protective measures, the leading mindset is that information security is like a blanket that goes over existing hardware and software, keeping them safe from malicious attacks or other breakdowns.

However, one of the best ways to have the most secure system possible is to consider information security before you start making equipment purchases and setting up your network. In this way, you can cut costs over the long term, since you’ll be taking into account issues like hardware weaknesses, capacity planning, and the growth of your business.

For example:

  • Mac computers tend to get far, far fewer viruses than PCs. There are fewer Mac users out there; therefore, it is less productive for hackers to make malware geared toward Macs. The end result is a system with a lower likelihood of attack.
  • Wireless systems and networks within the business structure are more difficult to secure than landline networks. This is because wireless systems (even protected ones) are more vulnerable, especially when employees are working remotely.
  • Onsite data storage makes saving your backup files easier, but it also poses a risk when it comes to issues like physical accidents and break-ins. Creating a system with offsite storage in mind can save time and money when it’s done upfront.

Although not all of these options are right for every business, the basic concept is the same: the hardware you choose to set up your business infrastructure will dictate how much time and money will need to be invested in information security.

That’s why bringing in an IT consultant early can be a smart—and cost-effective—business choice. Not only will you get the most secure business system possible, but you’ll also be streamlining everything about the way you do business.

By Daniel Gottilla

Reduce Printer Output

We all remember the time before computers were commonplace. Sure, they’ve been around for decades, but it’s really only in the past couple of decades that they have changed how we live. More and more, we have come to rely on them to store data, to send messages, and to perform intricate calculations. We trust our computers to help us make safe purchases, to find information, and even to do our taxes. So, why is it that so many people still print out everything they receive?

One of the best parts of email is that you can communicate almost instantaneously with anyone around the world. As long as they have an email account and access to a computer, we can send them a message. Some of these documents are important for business, and we need to keep records of them. Paper files, however, can be a waste of both time and money. With so many data storage options, there’s just no need to print them out to store them.

So, how do you build the confidence to stop overwhelming the printer?

  • Well, first and foremost, your emails should be saved in your email application. You know those little electronic folders that you put stuff in? Aren’t those easier than hunting for the paper copy? If you rely on them, you can save paper, toner, and hassle.
  • Better yet, you can back those files up to ensure you never lose the records. It’s not only easy, it’s smart for your business – and with options in onshore, offshore, and nearshore storage, your information can be kept safe and secure from both a physical and an electronic standpoint.

So, stop sending all of those pages to your printer. It’s a modern world, and it’s time to embrace the art of virtual file keeping.

By Daniel Gottilla

Battery Life on the Road

It’s happened to all of us. You’re on a plane or somewhere out of the office steadily working. Just as you get into your groove, a little warning message comes up telling you your battery power is low, and if you want to save your important files, you’d better do it now. Sure, sometimes you’re near an outlet and you can plug your machine in, but why not take some steps to make sure this problem never surfaces at all?

  • The easiest way to increase computer use is to recharge your battery at every opportunity. Are you at a coffee shop? Most of them have outlets next to some of the tables. Scout for one and plug your laptop in, and you can work for hours. When you are in your hotel room, charge up the battery as you prepare for your day or unpack your bags. There may not be time for a full charge, but every bit of power you can get into that battery can make a difference when you’re out.
  • While you’re using your laptop, there is another important step you can take to conserve battery power. All you have to do is to lower the brightness. You’d be surprised at just how much extra power a small bit of light sucks up. There are usually buttons at the top of your keyboard that look like little suns. They are probably on your F1, F2, or other function buttons. Simply press “function” and also press the smaller sun, and you should see the brightness decrease. Lower the brightness as far as you are comfortable, and you’ll save battery life.
  • Use travel energy options. You can purchase adapters that allow you to plug your computer into a car’s cigarette lighter. Planes also offer an in-flight power option in some of their seats, though you may need to purchase an adapter to make it work. You can also invest in a netbook or other energy efficient laptop for use during travel, since the battery life tends to be much, much longer in these products.

Now that you have some battery conservation tips, try putting them to use on your next foray out of the office. You won’t just save power, you’ll save yourself some hassle as well.

By Daniel Gottilla

Hey, Buddy, Is Your System Safe?

Like a thief in the night, someone is scanning your network. They are looking for the weaknesses in your applications and in your infrastructure. With patience and some meddling, they slowly begin to understand how it is set up. Now they can begin to exploit those weaknesses, taking their time and trying to find their way in without being detected. If they get in, they could trash your system, steal your data, or even hijack control of your network. They steadily work at it, and with a little more maneuvering, they’re just about in. Will they make it?

This sounds like a nightmare, but what if it was actually a good guy trying to break into your network? That’s what penetration testing is all about. Penetration testing is when you purposefully try to break into your own system in order to determine if there are security gaps. No matter how tight security is around your network, there may be some loopholes that you just don’t know about until you actually try to hack your way in.

The major difference, of course, is that when someone you trust is attempting to penetrate your system, you know there will be no damage. Instead, they will use the information they gather to further secure and update any weaknesses they find. By pretending to be an attacker, they can find loopholes you may never have known existed.

Could your network use a little covert penetration testing? Chances are, it could. You may be surprised at the weaknesses you find – and wouldn’t you rather the person breaking in be working for you?

By Daniel Gottilla

Using Online Meetings for Efficient Communications

In this day and age, technology is everywhere. It defines how we communicate, how we work, and even how often we head into the office. Telecommuting has allowed people to live almost anywhere, yet still work together in a remarkably efficient fashion. Sometimes, however, the whole team needs to get together and have a meeting. If flying the group in to one location just isn’t feasible or in the budget, what can you do?

Host an online meeting, of course!

There are a variety of software options on the market that can help you conduct your meeting. You’ll need to be able to speak with each other and possibly even to see each other, and there are products that will allow every person attending the meeting to follow along on their own computer. Presentations and demonstrations can be conducted from one location while all of the attendees follow along and participate in real time. You can also create online blackboards that you update as you speak.

In addition to software options, you can also train your employees to get the most out of the telecommunications process using an IT consultant who specializes in the practice. Part of being successful at working remotely is knowing how to get the most out of a group of employees in different time zones and using different types of technology.

It doesn’t matter what type of business you’re in – there are communications options that break down traditional barriers. By tapping into new software and technology, you can find solutions that will help your online meetings be even more productive.