Telecom & Tech
Emergent Technologies
Tech security tips to keep your business safe
By Tracy Barbour

New and evolving technology—from virtual private networks to artificial intelligence—offers diverse benefits that businesses can use to enhance their operations. But new technology also comes with inherent vulnerabilities that can jeopardize a company’s infrastructure, reputation, and other assets. However, by employing best practices and remaining vigilant, businesses can protect themselves as they evolve right along with exciting new technological applications.

Virtual Private Networks
A virtual private network (VPN) is an effective way for businesses to protect their corporate applications and data. A VPN allows users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Essentially, a VPN creates a safe connection over a less secure network like the public internet. VPNs are critical for the growing number of remote corporate employees, business travelers, and other mobile workers who need access to their company’s network resources. “While the corporate network perimeter has become increasingly porous, it is still important for remote workers to be able to use mobile devices and laptops,” says Jason Poirot, information security program manager at Alaska Communications.

A key attribute of VPNs is encryption, according to Poirot. This typically involves encrypting data at the sending end and decrypting it at the receiving end. An additional level of security entails encrypting not only the data but also the originating and receiving network addresses. “It remains critical that business data be encrypted and that IT personnel manage access control,” says Poirot. “Multifactor authentication and the use of a good endpoint security solution are also important.”

Cloud Storage Management
Today, cloud storage is typically more secure than conventional on-premise storage, but businesses should be very careful when selecting a cloud provider. There are a variety of cloud options available, from a basic operating system to a fully-managed solution. People should keep in mind that the “cloud” is just someone else’s computer or server and not all cloud solutions are created equal, says Michael Strong, GCI’s chief information security officer. They also need to conduct proper due diligence when choosing providers. “Cloud providers will promise you access to your data, even if they have a change in business status,” Strong explains. “But like any business, if they go into bankruptcy, their good intentions have also gone into bankruptcy. This is a reminder to make sure you have robust data backups—with a different provider. Don’t put all your eggs in one basket.”
Larger, more established providers like Microsoft Office 365, Dropbox, Salesforce, and Intuit generally can offer better security and protections than small businesses can achieve on their own. However, it’s important to read the fine print of the provider’s service-level agreement. Strong says: “There can be a lot hidden in the terms and conditions, such as granting others the permission to read and use your data. This can be particularly troublesome if your business generates sensitive personal and confidential data. If your company needs to comply with certain privacy regulations, such as HIPAA [Health Insurance Portability and Accountability Act], make sure the cloud storage solution you’re selecting meets those requirements.”

Cloud storage solutions must be managed in the same manner as on-premise resources, according to interim GM/CEO and CTO of Arctic Information Technology Dave Bailey. Many businesses assume that cloud resources contain all the necessary security measures, but that’s not the case. Take geo-redundancy, for example. With geo-redundant storage, a company’s data is duplicated and stored on servers in different locations around the world, which can be a lifesaver if a disaster or other emergency happens. “If you don’t elect to have your data be geographically redundant and a server goes down, you won’t have access to your data,” Bailey says.

Whether companies use on-premise or cloud storage, it’s not possible to achieve 100 percent security. Still, businesses—not just their provider—are ultimately responsible for safeguarding their data in the cloud. They should ensure their cloud storage is encrypted and uses different credentials than their on-premise resources. Bailey says: “You’ve moved the physical responsibility of that technology resource from your own infrastructure to someone else’s, but the administration and security of that resource is still your responsibility… If you look at the service-level agreement for Amazon Web Services and Microsoft, they tell you there is no guarantee of security.”

Firewall Security
Businesses can also look for ways to enhance network security by effectively using firewalls. Firewalls—which monitor incoming and outgoing traffic—have historically been an important line of defense for companies. They provide a virtual boundary between a trusted internal network and untrusted external network like the internet to block unauthorized access of information. But firewalls aren’t an infallible solution for protecting a network’s perimeter because misconfigured or out-of-date firewalls can be exploited by nefarious actors. Or worse, firewalls can be completely circumvented, which is what happened with the March 2017 data breach of Atlanta-based Equifax.
Hackers bypassed the credit reporting company’s firewalls, uploaded malicious script to enable remote control of its servers, and then downloaded the personal information of millions of consumers—all because Equifax failed to promptly patch a security vulnerability.

In the cloud, the importance of firewalls increases. That’s why it’s essential for companies to ensure firewalls are properly functioning and updated to minimize cyberattacks. It’s also critical for businesses to have the appropriate expertise to manage firewalls and other security layers. Strong says: “Gone are the days where businesses can be given simple tips and tricks for managing firewalls or cybersecurity solutions themselves. The consequences for mistakes are too great… Just as small companies use professionals for legal or tax advice, if they have sensitive information, they should seek professional help with cybersecurity.”

Some entities are looking beyond the firewall to focus their cybersecurity efforts on users and their devices. Google, for example, is working on developing BeyondCorp, a cloud-based solution that authenticates every user, computer, and mobile device attempting to access its network—no matter where the user is located. So, the system essentially builds its own security “perimeter” in response to each log-in. It uses a “zero trust” approach to assess each risk that emerges whenever someone tries to tap into the company’s network.

Zero trust is a complex information security methodology that’s being used primarily by larger companies like Google. “At the most basic level, it’s the idea of always knowing who has access to an asset [physical, application, or data], regardless of where that asset resides and always checking and rechecking the identity of the requestor, regardless of where they are and being able to deny access if you suspect that the requestor shouldn’t have access—or providing greater levels of checks to be very sure they are who they say they are,” Strong says. “Zero trust focuses greatly on identity and being very sure that you are who you say you are and that you have access to certain information under the right sets of conditions.”

Artificial Intelligence, Blockchain, and Tor
Artificial intelligence (AI) and blockchain are emergent technologies with varying types of risk. AI, which makes it possible for machines to learn from experience, involves a human element. And like any technology, AI evolves and has vulnerabilities that can be exploited. “When we look at risk around AI and machine learning, you have to remember that they are manmade,” Bailey says. “So, they are only as good as we program them to be.”

Blockchain technology is not infallible—and that is the biggest risk, Bailey says. There is significant value in the principle of blockchain because it stores incorruptible blocks of information across a shared digital network. Because of this, blockchain is being viewed as a tool with the potential to transform a wide variety of industries. For example, a project known as Maritime Blockchain Labs is exploring whether this technology can help minimize dangerous and costly container ship fires. Blockchain may also be able to revolutionize the future of trucking and logistics by creating a new system of completing transactions, tracking shipments, and managing fleets.

But the reality is that blockchain still requires a human to be involved. Therefore, it is susceptible to risk and hackable. “I think the vulnerability in blockchain exists today because of ignorance,” Bailey says. “It’s evolving too quickly, and it’s impossible to develop a strategy—plus there’s a lack of regulation.”

The Onion Router or Tor represents another area of risk for businesses when employees use it to browse the internet anonymously at work. Tor, a free and open-source software program, allows users to protect their privacy and security against anyone conducting network surveillance or traffic analysis. It was originally developed for the US Navy in the 1990s to protect government communications, and its application has since expanded.

Unlike Google Chrome or Firefox—which take the most direct route between a computer and the internet—the Tor browser employs a random path of encrypted servers to conceal a user’s location and usage. For this reason, Tor is often considered to be a gateway for illegal activities. More innocuously, though, employees could use Tor at work to bypass security and web browsing restrictions and download movies or music. But businesses can easily use blacklisting/whitelisting capabilities inside their corporate network to prevent such browsing activities, Bailey says.

Email Technology
While email is not a new technology, innovative email-borne threats are constantly emerging. For instance, business email compromise (BEC) is rapidly increasing. These deceitful emails, which appear to come from an executive or other key individual in the company, often try to coax wire payment transfers or information from unsuspecting employees. BEC is especially dangerous because it doesn’t contain malicious links or attachments, which makes it hard for standard security measures to detect. It’s also difficult for employees to identify BEC because it’s designed to look like legitimate email.

BEC is becoming more ubiquitous worldwide. Between October 2013 and May 2018, there were more than 78,600 domestic and international BEC-related incidents and more than $12.5 billion in domestic and international exposed dollar loss reported to the FBI’s Internet Crime Complaint Center. And from December 2016 to May 2018 alone there was a 136 percent increase in identified global exposed losses relating to BEC.

Once business email has been compromised, multifactor authentication can limit attackers’ ability to use stolen credentials, Poirot says. And enforcing periodic password changes can prevent password reuse attacks. These phishing attacks, which can come from trusted vendor and coworker email addresses that have been compromised, remain the biggest single threat to businesses. In general, businesses can use email security gateways, web proxies, firewalls, and intrusion prevention products to prevent, detect, and stop many email-related attacks before catastrophic damage occurs.

However, employee awareness training remains the best, first defense against business email compromise, Poirot says. That’s because attackers can—and will—bypass all other security layers through the cunning use of social engineering and exploitation of complex IT systems. As such, he recommends that companies train their employees to:

  • Refrain from clicking on unknown links or opening unexpected attachments.
  • Carefully examine all unexpected emails that instill a sense of urgency, making sure to look for suspicious links, buttons, and attachments.
  • Use known phone numbers to call senders and verify the authenticity of any emails containing unexpected links or attachments.
  • Apply extra scrutiny when viewing emails on mobile devices, as it can be harder to spot the tell-tale signs of phishing.
  • Report suspected phishing emails to their IT department.
  • Delete all suspicious emails.
Other Security Tips
Poirot also emphasizes the importance of implementing multiple security layers. People and processes, as well as data and infrastructure, must all be protected, effective, and resilient, he says. A thorough IT security risk assessment can orient businesses to which layers are most vulnerable so they can prioritize security layer investments. However, companies generally have security layers or controls that fall into three categories: protective, detective, and reactive. Protective controls are tactics a company can implement to prepare for and prevent a cyberattack. They can include dual controls, segregation of duties, system password policies, access control lists, training, and physical access controls. Detective controls indicate that a cyberattack is taking place. And reactive controls are designed to respond to an attack in progress and/or mitigate exposure after an attack happens. “Strong endpoint security solutions, such as next-generation anti-malware solutions, provide important protective, detective, and reactive control of the most vulnerable systems in an organization,” Poirot says.

From Bailey’s perspective, it’s important to make attacks more difficult for cyber criminals by removing the path of least resistance. Companies should also have a vulnerability assessment done annually and, based on the results, mitigate their risk. Bailey says: “At a minimum, strengthen your credentials for access, separate your admin from user accounts, and enable multifactor authentication for everything you do. It has to do with the kind of data you have and the kind of data you’re protecting. It’s not so much the data, but the interruption to operations and what the cost of that will be as you assess risk.”

Strong recommends that companies start with the basics. They should use business computers for business—not for gaming or day-to-day personal web browsing. It’s also important to have up-to-date malware protection on every end-point workstation or laptop. He also advises: “Use good password practices, combined with multiple factor authentication. Encrypt hard drives and sensitive information as you store and transfer it. Only gather and store the information you truly need, and only keep it for as long as you truly need.”

In addition, businesses can enhance IT security by taking advantage of third-party providers and resources like the Center for Internet Security, the National Institute of Standards and Technology, and the Cybersecurity and Infrastructure Security Agency.