The 13 Boxes You Need To Check To Keep Your Enterprise Secure
Oct 6, 2021
If you’re in business today, it goes without saying that you have a tech security plan in place. And because you’re aware that the threat landscape is constantly evolving, you’re probably open to ways of making that security posture even more robust.
Good news: There are hundreds of credible vendors that have products and services designed to help you reach that goal. But there’s bad news, too, because those products and services cover, at best, only a handful of the vulnerabilities common to any organization that’s connected to the internet.
Right now, you have an opportunity to identify and correct the vulnerabilities that are exposing your enterprise to risk. But first you have to know what those vulnerabilities are.
By my count, there are 13 potential attack vectors that must be covered before your enterprise can be deemed secure. Covering 12 but leaving the 13th open means you’re still open to humiliating and costly attacks, as you’re about to see. If you’re compiling a shortlist of security providers for your organization, you need to know how many of the following 13 boxes they’re able to check. (Spoiler alert: Only Tehama checks all 13.)
🔲 1. Vendor automation workflow.
Today’s businesses are relying more than ever on outside support. And that makes it more important than ever to limit how much access outside parties have to sensitive data. Luxury retailer Nordstrom found this out the hard way in 2019, when a contractor accessed confidential employee data, including Social Security numbers, birthdates, salaries, and details of employees’ bank accounts. To avoid repeating Nordstrom’s mistake, ask the question: Do you have a Payment Card Industry or audit-compliant system for managing your vendor workflow?
🔲 2. Endpoint security.
The rigor of your internal security policies won’t protect you against attacks on unprotected endpoints. In 2018, the Florida-based marketing firm Exactis unwittingly left nearly 340 million individual records exposed on a publicly accessible server. The database is said to have included personal information about almost every adult in America. Ask yourself: Are your endpoints secure? Where are your company’s laptops, and what’s on them?
🔲 3. Identity and access management.
You need your people to have quick access to the tools necessary to do their jobs. But the access must not extend beyond that authorized group. In 2016, lapses in Uber’s IAM led to the exposure of data involving more than 57 million customers and drivers. So, ask the question: Are you using a password manager, or at least a hard-to-crack mnemonic phrase? How about your colleagues?
🔲 4. Operating system workspace security.
How secure are the virtual desktops used by your personnel? Do you have the defenses you need against malware and ransomware? BJC HealthCare didn’t, and a 2020 phishing attack led to an exposure of patient data from 19 hospitals in the BJC network. Remember, the complexity of virtual desktop infrastructure (VDI) means that users have access to east-west (lateral) network movement. One phishing email can strike multiple users on a session border controller, or multiple desktops on a virtual LAN. Ask the question: Can a nosy outside VM or desktop deliver malware to your system?
🔲 5. Data in motion.
When data is moving, whether by email, through mobile networks, or in downloads, it creates an opportunity for criminal intrusion. Case in point: the 2021 attack on Amazon, Facebook, Apple, and eBay. Malware was downloaded through emails and pirated software, allowing hackers to scoop nearly 26 million login credentials from almost a million websites. It’s no secret that restrictions on data movement were relaxed during Covid. So, ask the question: How are you monitoring what’s coming into your organization?
🔲 6. Privileged access management.
If someone has access to critical systems, it stands to reason that that person’s access should be managed and audited. Such was not always the case at Eventbrite. In 2011, customers of the ticketing company had their credit card details harvested after two iPads holding the information were stolen from an Eventbrite employee. Once again, the question needs to be asked: Do you understand how often or how easily your critical infrastructure items can be accessed?
🔲 7. Network segmentation.
Reducing the number of users who have access to a particular zone should be a standard security practice. Unfortunately, network segmentation was not part of Marriott’s security posture in 2018. The hotel chain surrendered millions of customer records to an intruder who gained access to one of its reservation systems.
🔲 8. Contextual policies.
A good security policy will allow you to examine what kind of device is attempting to access your data, and from where. In a 2013 cyber attack, the retail giant Target fell victim to criminals who were able to dupe a third-party vendor via a phishing email.
🔲 9. Data loss prevention.
Data loss prevention software prevents data breaches by detecting and blocking sensitive data while in use, in motion, and at rest. Such software might have been helpful to Blue Cross Blue Shield, which earlier this year lost control of more than 200,000 patient records following a sophisticated phishing attack.
🔲 10. Data at rest.
Stored data can be as vulnerable to attack as any other form of data. In 2017, Equifax failed to apply various patches and update encryption certificates as recommended. Cybercriminals soon gained access to Equifax’s servers, stealing the personal data of hundreds of millions of people. The company eventually agreed to pay up to $700 million in compensation to its victims.
The 10 points of vulnerability I’ve just outlined all have one thing in common: If organizations address them at all, it’s usually in a piecemeal way, with a cobbling together of various policies, services, and pieces of software over time. Those uncoordinated measures leave gaps in security, and cybercriminals are becoming more and more skilled at finding and exploiting those gaps.
I mentioned at the start of this post that Tehama checks all the boxes necessary to thwart the attacks described above. That’s because Tehama addresses the foundational elements of data security, thus doing away with the need for a grab bag of solutions assembled from a long list of vendors.
Tehama delivers foundational security through an all-in-one Desktop-as-a-Service (DaaS) solution. Our cloud-based virtual rooms, offices, and desktops can be deployed anywhere in the world and scaled up or down in seconds. Tehama offers you built-in security, scalability, compliance, and workflows. As such, it is the one solution that allows you to check the final three boxes of a robust security posture:
🔲 11. Session visibility.
Tehama workspaces can be monitored live by authorized personnel, or later via a session recording. Every action taken in a Tehama room can be tracked and investigated.
🔲 12. Analytics/machine learning.
Tehama’s new Desktop Intelligence and Automation tool gives you the deep insights you need to optimize the performance of all your devices. It can also alert you to unusual activity that might compromise the security of your data.
🔲 13. Audit and compliance.
Tehama makes it easy and affordable to comply with all leading security standards, including SOC 2 Type II, NYDFS 23 NYCRR 500, NERC/CIP, FIPS, HIPAA, PIPEDA, and CyberSecure Canada.
Unlike conventional VDI or DaaS solutions, Tehama does not require on-premises infrastructure or additional tooling. It is your all-in-one solution for confidently managing a secure and compliant hybrid workforce. In short, Tehama is the obvious way to check all the boxes you need for modern data security.