Assessing Your Security September 2016

Upload: legal-services-national-technology-assistance-project-lsntap

Post on 19-Jan-2017

TRANSCRIPT

Assessing Your Security

September 2016

Introductions

Joshua Peskay, Idealware Expert Trainer; Vice President, RoundTable Technology

Introductions

Peter Campbell, Chief Information Officer, Legal Services Corporation

Introductions

www.idealware.org

What We’ll Cover Today

• Imperfect Security

• Assessing Your Risk

• Common Risky Practices

• What Do You Do if You Experience a Data Breach?

• Establishing Policies for Your Organization

Poll Question

On a scale of 1-5, how concerned are you with your data security?

A False Sense of Security

Why Is Everyone Talking About Security?

In the digital age, data risk is the new normal.

A False Sense of Security

Some are overwhelmed. Others are just gambling that their number won’t come up.

Survey link:

Avoiding Security Won’t Protect You

Neither Will Your Nonprofit Status

Survey link:

Data thieves are usually pros—they don’t care who their target is. If they can steal valuable information, they will.

Small Nonprofits Are Attractive Targets

• Fewer resources

• Limited IT security

• Not likely to notice an attack until much later

What Are Your Risks?

And what should you do about them?

Photo Credit: Women of Color in Tech Chat

Assessing Your Risk

It’s a Process

To understand the risks and your comfort with them, you need to carry out a thorough assessment of your data.

Inventory Your Data

Make a list on sticky notes and group them by where the data is stored (e.g., case management system).

Classify Your Information

• Confidentiality: Data that can’t be exposed to anyone who isn’t authorized to see it.

• Integrity: Data that can’t be altered, corrupted, or lost without your knowing about it.

• Availability: Data you can’t lose access to, even for a short period of time.

If you have data that’s not very high in any of these categories, then it’s likely not essential to your organization.

Consider the Risks

Think through:

• What could happen to your data?

• How likely is it to happen?

• How bad would it be if something happened?
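The three steps above (inventory, classify, consider the risks) are usually kept in a spreadsheet. The script below is an added example, not part of the Idealware/RoundTable deck, that does the same bookkeeping in code: each data store gets a 1-5 rating for confidentiality, integrity and availability, each threat gets a likelihood and an impact, and the output is a prioritized risk list plus the stores that rate low on every axis and so are "likely not essential". The inventory, ratings and the threshold of 3 are constructed for illustration.

```python
"""Risk register for the inventory -> classify -> consider-risks steps.

Added example, not from the deck. Data stores, ratings, threats and the
"essential" threshold below are constructed assumptions.
"""
from dataclasses import dataclass, field

# Ratings use 1 (low) .. 5 (high), the same scale as the deck's poll question.
ESSENTIAL_THRESHOLD = 3   # assumption: no C/I/A rating at or above this => likely not essential


@dataclass
class DataStore:
    name: str
    location: str            # where it lives, e.g. "case management system"
    confidentiality: int     # data that can't be exposed
    integrity: int           # data that can't be altered, corrupted or lost unnoticed
    availability: int        # data you can't lose access to
    threats: list = field(default_factory=list)   # (what could happen, likelihood, impact)

    def is_essential(self) -> bool:
        return max(self.confidentiality, self.integrity, self.availability) >= ESSENTIAL_THRESHOLD


def risk_score(likelihood: int, impact: int) -> int:
    """Classic likelihood x impact, 1..25. Rejects ratings off the 1-5 scale."""
    for v in (likelihood, impact):
        if not 1 <= v <= 5:
            raise ValueError("ratings must be 1..5")
    return likelihood * impact


def prioritized_risks(stores):
    """Every (store, threat) pair as (score, store, threat), highest score first."""
    rows = []
    for s in stores:
        for what, likelihood, impact in s.threats:
            rows.append((risk_score(likelihood, impact), s.name, what))
    return sorted(rows, reverse=True)


def non_essential(stores):
    """Stores that are not rated high on any of C, I or A."""
    return [s.name for s in stores if not s.is_essential()]


# Constructed inventory, one row per place data is stored (the sticky notes).
INVENTORY = [
    DataStore("client case files", "case management system", 5, 5, 4,
              threats=[("laptop with cached files stolen", 3, 5),
                       ("ransomware encrypts the server", 2, 5)]),
    DataStore("donor list", "spreadsheet on shared drive", 4, 3, 2,
              threats=[("emailed to a personal account", 4, 3)]),
    DataStore("office lunch rota", "shared calendar", 1, 1, 2,
              threats=[("deleted by mistake", 3, 1)]),
]

if __name__ == "__main__":
    for score, store, what in prioritized_risks(INVENTORY):
        print(f"{score:2d}  {store:20s} {what}")
    print("likely not essential:", non_essential(INVENTORY))
```

The sort order is the point: the stolen-laptop scenario outranks ransomware here only because it is rated more likely, which is the kind of judgement the committee (later in the deck) should be making explicitly rather than by gut feel.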

Photo Credit: Women of Color in Tech Chat

Into the Chat: What Risks Worry You?

Are there specific risks that keep you up at night?

8 Common Risky Practices

1. Unmanaged Personal Devices

Do staffers use their personal devices for work?

You Can’t Control Access

• A personal device may have additional users.

• Employees who leave or are terminated are likely to still have organizational data on their personal devices.

Virus/Malware Risk

How do you know personal computers and devices have basic protections?

Software Ownership

Your nonprofit might purchase the software, but not control the license.

What Can You Do?

• Provide antivirus and anti-malware software.

• Establish software licensing policies.

• Provide devices for work, if possible.

• Mobile Device Management exists, but is expensive.

2. Lack of Password Management

Are a lot of people using weak passwords?

Bad Habits

• Sharing passwords.

• Reusing passwords.

• Not changing default passwords.

• Writing passwords on post-it notes.

• Trying to keep it too simple.

Multi-Factor Authentication

Something You Know

Something You Have

Something You Are

Password Managers

What Can You Do?

• Implement password management or single sign-on software such as OneLogin, so staff don’t have to remember (or reuse) passwords.

• Require multi-factor authentication.

• Establish password creation policies.

• Provide training.

3. Consumer-Grade Cloud Storage

Is there a difference between Dropbox and Dropbox for business?

Hard to Control Access to Data

• Convenience

• Cost savings

• Staff preference

Less Security

You often get what you pay for with free Cloud storage.

What Can You Do?

• Use business-grade Cloud storage and set controls that limit access to your data.

• Add-on services such as BetterCloud can also give you deeper audit and policy controls.

4. Poor Backup Infrastructure

What if your office experiences a disaster?

Data Needs to Be in a Safe Place

If you have to store it physically, take your backup off site.

The Cloud is a great option for backup.

Think Beyond Backup

It’s just one of many business continuity challenges. What will you do if the data is unavailable for a period of time or you experience a data breach?

What Can You Do?

• Regularly schedule backups.

• Create incident response, business continuity, and disaster recovery plans—and test them!
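"Test them!" is the step most organizations skip, and a backup that has never been restored is a guess. The script below is an added example, not from the deck: it backs a folder up to a compressed archive, records a SHA-256 hash of every file as a manifest to keep with the off-site copy, restores the archive into a scratch directory and proves each file came back byte for byte. The sample "case files" tree it creates is constructed for the demonstration.

```python
"""Backup plus restore test: the "regularly schedule backups ... and test them" step.

Added example, not from the deck. Standard library only.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def file_hashes(root: Path) -> dict:
    """Relative path -> sha256 hex digest for every regular file under root."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def make_backup(source: Path, archive: Path) -> dict:
    """Write source into a tar.gz and return the manifest to store beside it (off site)."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return file_hashes(source)


def verify_restore(archive: Path, manifest: dict) -> bool:
    """Restore into a throwaway directory and compare every file with the manifest.
    A missing, extra or changed file makes the comparison fail."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # This archive was built above; an archive from an untrusted
            # source needs member-path checks before extraction.
            tar.extractall(scratch)
        return file_hashes(Path(scratch)) == manifest


def backup_and_test(source: Path, archive: Path) -> bool:
    """One scheduled run: back up, then immediately prove the backup restores."""
    manifest = make_backup(source, archive)
    return bool(manifest) and verify_restore(archive, manifest)


def demo() -> bool:
    """Constructed sample data: a tiny 'case files' tree backed up and verified."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "casefiles"
        (src / "2016").mkdir(parents=True)
        (src / "2016" / "intake.txt").write_text("client intake notes\n")
        (src / "README.txt").write_text("do not email these files\n")
        return backup_and_test(src, Path(work) / "casefiles.tar.gz")


if __name__ == "__main__":
    print("backup restores cleanly:", demo())
```

Keep the manifest with the off-site copy, not only with the live data: after a ransomware incident or a fire, the manifest is how you show that what you restored is what you had.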

5. Poor Software Management

Is the software your team is using safe?

DIY Downloads Don’t Happen

It’s inconvenient, so people are likely to skip downloading patches and updates.

Out of Date Software

Hackers keep up to date on security holes and are always looking for opportunities to exploit them.

Unwanted Applications

They can affect both productivity and machine health. And some carry malware.

What Can You Do?

• Establish patch management procedures.

• Manage software installations.

• Perform regular tune-ups.

6. Overlooking Physical Security

Is your office protected?

What if Someone Walks in the Door?

Would it be easy to access or steal computers?

What Can You Do?

• Take basic office security measures.

• Lock computers to desks.

• Institute a check out policy for shared devices and keep them locked away.

7. Unsafe Wi-Fi

Is your connection secure?

Office Wi-Fi Needs to Be Protected

You can’t just plug in a router and assume everything is fine.

Coffee Shops Can Be Risky

Is that connection vulnerable to spying?

What Can You Do?

• Make sure your office network sits behind a firewall and your Wi-Fi uses WPA2 encryption with a strong passphrase; change the router’s default administrator password as well.

• Avoid working on unsecured networks such as open coffee-shop Wi-Fi, or use a VPN when you must.

8. Security Training

Your staff members are your most important security measure.

Awareness Can Prevent Many Incidents

People want to do the right thing, but they often don’t know what that is or why it’s important.

What Can You Do?

• Regularly provide short training sessions.

• Incorporate security issues/discussions in existing meetings.

Establishing Policies

Form a Committee

A diverse committee can help you see risk from multiple angles and come up with smart ways to deal with those risks.

Ask Tough Questions

Anything you overlook has the potential to be a hazard in the future.

What Will Prevent a Breach?

Think of all the ways a breach might occur. Write rules that govern activities such as how to create and handle passwords or how files can be stored and shared.

How Will You Respond if a Breach Occurs?

Map out a response plan that includes steps and roles for data recovery, business continuity, and communications.

BYOD?

Write clear usage guidelines for things such as what security software needs to be installed and whether your organization provides IT support.

Policy Making Is Iterative

You’ll need to review your rules and update them periodically to make sure they’re addressing your needs.

Policy Examples

Go to http://bit.ly/SecurityPolicyExamples to find examples and templates that you can use as your starting point.

Additional Resources

Idealware and RoundTable Technology have many resources that can help you better secure your technology and data.

• What Nonprofits Need to Know About Security: A Practical Guide to Managing Risk (Idealware)

• Incident Report Form (RoundTable)

• Backup, Data Recovery, and Business Continuity Primer (RoundTable)

• Information Identification and Classification Template (RoundTable)

Perfect Security Isn’t Possible

There will always be risks out there.

Practical Security Is Within Reach

Into the Chat: What Resonated?

What security steps will you take over the next month?

Questions?

Ask Idealware… On Twitter: @idealware. On Facebook: /idealware