By Gregory Pings
About 15 years ago, a friend told me about her job at a private security firm. Her duties included finding information about people. She matter-of-factly told me how easy it was to obtain names, birthdays, addresses and phone numbers. Armed with this minimal information, she could call most businesses or agencies on the phone and learn everything she needed to know about anyone.
Guess who purchased a paper shredder the next day?
Information security isn’t just one thing, and paper isn’t your only exposure. But you already know that, and maybe you already know what I’m about to tell you.
The cost of cybercrime is expected to rise to $6 trillion by 2021 according to market research firm Cybersecurity Ventures. For the criminals, your data is at the core of a lucrative business model, which is why the threat landscape always changes. While information security is several things, it is never a one-and-done thing. Here’s a partial list of ideas that will help you think about your information security strategy:
Assume you’ve been compromised. The old saying “it’s not if, but when,” is officially overused because “when” has very likely happened by now. Find the vulnerabilities in your system and shut them down.
Automate. The threats are in the hundreds of millions, and the bad guys are also numerous. It’s too much for any group of humans to monitor. Invest in systems that detect and react to threats and leave the intelligent work to your people.
Do the basic stuff on your hardware. For instance, when the setup wizard asks you about ports, decide whether or not they should be open. Change or create passwords when prompted.
Don’t go it alone. Security is a team effort. Companies like McAfee, Cisco and Xerox work together and share information with each other, as well as with the wider industry. Look for partners who have partners. Allow your security team to talk to their counterparts in your competitors’ security teams.
Check your supply chain. A corollary to “don’t go it alone,” is to be sure that anyone who accesses your systems comply with your security policies and procedures.
Use your advantage. Despite all the sophisticated tools and programs cyber criminals have at their disposal, you own the physics of your space. Don’t let your adversaries take advantage of the weaknesses that you installed.
Upgrade. When an app pushes a patch to your computer or mobile device, verify it’s from a trusted vendor, then accept it. Refresh your hardware regularly, and look for products that have security built in. For instance, our AltaLink devices are the first multifunction printers to be certified by the National Information Assurance Partnership (NIAP) against the latest Common Criteria security protection profile for hardcopy devices.
Integrate. You should have several security solutions. Make sure they work together. Silos are not for technology.
Educate your people. For starters, don’t leave documents at the printer. Delete emails from people they don’t know, especially if it contains an attachment or hyperlink. If a “customer” calls, be helpful, but verify. There’s more, but be sure that you make it possible for your people to act. (Telling them to shred documents is no good if they don’t have shredders.)
But don’t take it from me. These are some of the ideas I took away from a Security Summit that Xerox hosted for our customers. The event was over-subscribed, mostly because of the topic but also because of who presented at the event:
Sergio Caltagirone, Director of Threat Intelligence and Analytics, Dragos
Steve Hoover, Chief Technology Officer, Xerox
Alissa Johnson, Chief Information Security Officer, Xerox
Kevin Mitnick, computer security consultant, author and hacker
Ersin Uzun, Director of System Sciences Laboratory, PARC, A Xerox Company
Candace Worley, Chief Technical Strategist, McAfee
Learn more about cybersecurity
Insights on Data Protection on Xerox.com.
More articles about security on this blog.
My nine-item list is hardly enough to protect your data, and we covered a lot more ground at the Security Summit. If you have been thinking about information security, I welcome your additions and clarifications to my list. Use the comments section below.
My friend never told me whether she used her tactics on me. I never asked, nor will I ever. And that paper shredder? A gear jammed after a few years of use. I’m on shredder No. 2 right now. It works really well.