I gave a talk today at the Council of New Jersey Grantmakers’ virtual conference. I spoke about risk assessments—what they are, why they’re important, how to conduct them—but not surprisingly people asked all kinds of questions about other security topics as well. Since these might be security questions you’ve thought about, I wanted to answer them in this post. Let’s start with the security question that someone asked before the talk started. 

Do We Need Cyber Insurance? 

We don’t get asked this security question that often. That’s because a CFO (not an IT Director) is making the decision. Today, most people will tell you that yes, you do need to purchase cyber insurance. Why? There are two main reasons. 

• It will save you money. Like other kinds of disasters, a breach of your network will cost a lot to fix. In fact, many small businesses go out of business within six months of a breach. When you’ve been breached, there’s work to do to find and fix the breach, restore data, send out a communication and verify that the network is clean. 
• Buying cyber insurance will force your organization to adopt a cybersecurity program. Cyber insurers won’t write a policy for you if they don’t see evidence that you’re trying to maintain some defenses. Purchasing cyber insurance can kick-start a campaign to implement security measures. 

Are Cloud Providers Secure? 

As I talked about relying on a cloud services provider (such as Salesforce, Microsoft, or Google), the moderator stopped me to ask this security question: are cloud providers secure? 

The short answer is, yes, cloud providers are secure. That’s certainly the case with the major service and platform providers. These providers have a strong incentive to comply with various security standards. Without such compliance, cloud providers couldn’t sell to government, military, and educational organizations.  

There is some variety among cloud providers. Some comply with more regulatory guidelines and standards than others. We recommend that you check to see if the cloud provider you use (or are thinking of using) follows the standards relevant to your organization. Even if your organization isn’t subject to any regulatory standards, you still want to know if the cloud provider complies with a standard that sets a high bar. ISO 27001 and FIPS 140-2 are two examples of strong standards. 

Here are links to sites describing compliance to regulatory standards for a few of the larger cloud providers. 

• Microsoft: see here
• Google: see here
• Amazon Web Services: see here

Make Sure You’re Using “Enterprise-Grade” Services 

This wasn’t a security question anyone asked, but it is a point worth noting. We worked with a customer recently where users had set up Google Drive accounts that they used for sharing documents with partner organizations. Unfortunately, they had subscribed to the free, “consumer-grade” Google Drive accounts, which offer little in the way of sharing controls. I could tell you comparable stories around Box, Dropbox, OneDrive, and other services. Each of these services have “consumer” and “enterprise” flavors. 

It’s not that the data centers running these “consumer” services are any less secure than for the “enterprise-grade” versions of the same services. The problem is that the “consumer” versions typically offer more control to the user, less (if any) auditing, and fewer administrative controls. So, a good security question for you to ask is, “are we using the enterprise version of this service?” 

MiFi Hotspot Security Risks 

As I talked about home Wi-Fi network security, one audience member asked a security question about MiFi (cellular) hotspot security. She said that she works in a remote area, where cellular data service is the only choice for connecting to the Internet. 

I told her that the same security principles apply. 

• Like home routers, MiFi devices may have an administrative interface. It might be through an app or it might be through the smartphone itself. Regardless, you want to change the name and password for the admin account. Otherwise, someone could discover your MiFi device on the Internet and take it over. 
• You also want to password-protect access to the MiFi network. Password protection is probably on by default but turn it on if that’s not the case. 

Should I Use an Encryption Tool Other Than the One Microsoft Provides? 

Answering this security question is a little tricky because encryption happens in different places. We talk about encryption “at rest” and “in transit.” Encryption “at rest” refers to encrypting a storage device, while encryption “in transit” refers to encrypting data while it’s being transmitted or received. 

In either case, the tools that Microsoft or another cloud provider uses are fine. They’re based on the same encryption standards (e.g., AES-256) that other tools would use, and are robust. 

The other approach to this security question is to talk about use of a VPN, or Virtual Private Network. A VPN creates a secure, encrypted “tunnel” between the device and the network, so that snooping or intercepting data being transmitted would not be valuable. VPN’s were common when most applications and data resided on an organization’s own network. 

The challenge with VPN’s is that they are cumbersome to use. They insert overhead into the data transmission, which can be a problem in some situations. Also, most websites now use SSL (Secure Socket Layer) encryption, which ends the need for a separate VPN application. 

Do I Need Penetration Testing? 

When I heard this security question my first thought was, “who planted the shill in the audience?” (Did I mention we offer penetration testing?) The answer is yes, you need penetration testing as part of your cybersecurity program. 

Penetration testing uses a tool to examine the elements of your network and figure out if any software vulnerabilities exists. You can run penetration testing behind or in front of your network firewall. And you can go beyond this testing to see if any potential vulnerabilities can be exploited. You can read more about penetration testing here. 

We recommend that you conduct penetration testing at least one a year. 

That’s a Wrap 

I thought this was a great security discussion. I heard lots of good security questions from a non-IT audience. Plus, the house cleaners didn’t arrive until after the session was over, so I didn’t have to contend with noise management on my end. Yes, COVID-19 has changed the things we’re thankful for.