Our crack Communications Director Jackie recently came across this infographic from Microsoft. It’s a ten-question security self-assessment; you can view or download it here. To be fair, it’s not actually an assessment. It’s more like something to get you thinking about security. I’m going to expand on the concept here, because answering these ten security questions will certainly give you an idea about how secure your organization is. I will reproduce the questions, then comment on what each question means. I will spare you the part about which Microsoft security service maps to each question. And don’t worry; there are no “wrong” answers to these ten security questions. I am sure the pursuers of the Holy Grail wished that were the case when they attempted in their noble quest to cross the Bridge of Death.
The Ten Security Questions
One: Do You Have a Single Sign-On (SSO) Identity Framework?
I remember some years ago when vendors started pushing the idea of Single Sign-On (SSO). It was a tough sell, because vendors focused on the benefit of making it easier for the user to sign on to assorted services. I could almost hear the reply from customers: “Begging your pardon, but we don’t really want to spend money to save our users a few clicks in their sign-on experience.”
Today we have a more compelling reason for SSO—security. With SSO, users don’t have to remember individual logins to the assorted services they access. Fewer logins mean fewer account credentials that can be lost or stolen.
So, your answer to this first of ten security questions should be “yes, of course!” There are plenty of SSO solutions out there. Microsoft has a solution baked into Azure Active Directory. Okta and Ping Identity are two popular solutions in the market.
Two: Which of the Following is True About Your Disaster Recovery Program?
The Microsoft-supplied answers range from “everything is backed up” to “gee, we better do something there.” There are tons of backup and restore solutions out there. Before you rush out to buy one, do a little homework.
- Do you want to back up just data? Or do you need to back up the servers and applications as well?
- What systems and data are most critical? What do you want up and running in an hour? A day? A week? Longer?
- Are you looking for high availability, a la a “hot standby”? Or can you live with restoring from a backup that is a day or two old?
Once you work out your answers, you will be in a good position to figure out what solution is right for your organization.
Three: Do You Monitor for Unauthorized Intrusion Activity?
Of the ten security questions, this one may be the hardest, because for most organizations the answer is “no, it’s too expensive.” I have written before about how that may be changing as we see consumption-based pricing for this kind of monitoring. So, if you ruled intrusion activity monitoring out in the past, it’s time to reconsider.
Four: Do You Have a Security Policy in Place?
Congratulations, you probably answered “yes” to this question. But we’re not done here just yet. Is your security policy sufficiently comprehensive? For instance, does it cover the working-from-home scenario that we are all living with? Are you enforcing your policy? I have seen more than a few organizations that show me their security policy, but then tell me they are not enforcing it, “yet”.
Five: How Do You Connect Your Company to Cloud Services?
Ah, the VPN (Virtual Private Network) question. I believe (with very few facts, as is my custom) that VPNs are outdated. At least, IPsec VPNs fit that description. I suspect IPsec VPNs come from an era when few people tried to work out of the office, and no one thought it was going to be easy. And they were right.
If you still have applications that you are running in-house, you still have a need for a VPN. Hopefully, you can use an SSL-based VPN. But, with more organizations moving their applications to the cloud, it makes sense to use the built-in SSL VPN capability of these services to connect. Let’s keep it easy for users to connect the way we would like them to, OK?
(If you need a refresher on IPsec vs. SSL VPNs, here you go.)
Six: How Do You Monitor for Data Leaks?
Depending on your industry, this is a big issue or a not-so-big one. The first question to ask is, “what data do we have that’s highly sensitive or confidential?” Use that answer to focus on what data you want to ensure doesn’t escape in a poorly thought-out email. Then look for tools that will help you find the data and manage its release.
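As an added illustration of the “find the data” step (this is example code written for this post, not from Microsoft or any product), here is a minimal outbound-mail check that flags payment card numbers, validated with the Luhn checksum so ticket or reference numbers do not trip it, and a confidentiality marker. The sample message is constructed.

```python
import re

# Constructed sample of an outbound message body (not real data).
SAMPLE_EMAIL = """Hi Pat,
Attaching the Q3 numbers. For the refund, charge back to card 4111 1111 1111 1111.
Also note the customer list is marked INTERNAL - CONFIDENTIAL, please don't forward.
Ref number 1234 5678 9012 3456 is just a ticket id.
"""

# 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# Classification marker your policy might require on sensitive documents.
MARKER_RE = re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Digit runs that look like card numbers AND pass Luhn (cuts false positives)."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def classify_outbound(text: str) -> dict:
    """Summarise why a message would be held for review before it leaves."""
    cards = find_card_numbers(text)
    markers = MARKER_RE.findall(text)
    return {
        # Mask the PAN before it goes anywhere near a log file.
        "card_numbers": [c[:6] + "*" * (len(c) - 10) + c[-4:] for c in cards],
        "confidential_marker": bool(markers),
        "hold_for_review": bool(cards or markers),
    }


if __name__ == "__main__":
    print(classify_outbound(SAMPLE_EMAIL))
```

Real DLP tools add context (who is sending, to whom, attachments, document fingerprints), but the core loop is the same: know what the sensitive data looks like, then check it at the point of exit.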
Seven: How Long Does It Take to Deploy Critical Security Updates to Software?
This might be the most important of the ten security questions. I hope your answer is in hours and not days or weeks. I get that, way back when, customers felt they had to do their own quality assurance testing of software updates from their vendors. But that is not the case these days. With release cycles now sometimes measured in weeks, organizations that insist on doing their own testing face the prospect of never catching up with new software releases.
Eight: How Do You Limit Access to Resources?
Hello, Zero Trust model! This is now a critical question to address. Not everyone needs access to everything, all the time. Think about (especially for administrator users) who has what role and how that role constrains the data and systems they can access. No more shared keys to the kingdom!
Nine: Do You Perform Vulnerability Assessments on Your Environment?
“Or do you let hackers do that for you,” he cheekily asked. Don’t wait to find out how secure your environment is. Get a test! There are tools out there you can use. And there are plenty of consultants that can run the test for you. Most importantly, these consultants can sift through the pages of warnings to let you know what is most in need of attention.
Get a vulnerability test, at least once a year. Twice a year would be even better.
Ten: Are You Prepared to Deal with Ransomware Attacks and Demands?
We have noted elsewhere that ransomware attacks are on the rise. And the attackers are even developing pricing models that maximize the ransom demand based on characteristics of the victim organization.
Expect that it may well happen, despite your best efforts. Be prepared to restore data and applications to affected machines. Then give the hacker a good Bronx cheer.
Now That You’ve Answered These Ten Security Questions
OK, so how did you do? Likely, you are in good shape on many of the ten security questions and a bit nervous about a few other questions. Not to worry. Cybersecurity is all about getting better. You have come a long way. You’ve got friends that can help you get further. And that, as our friends have said, is a noble quest.