- IT is not security — two separate practices that should each have an intention.
- We help define what and how technology is being used prior to making any recommendations.
- How can we make you more resilient to an attack? Attacks will happen.
- Story example — checking multiple cars to see which are unlocked.
- Perceived Reality: How the business is supposed to operate.
- Current State: Information flow in/out, product development, data flow.
- Future/Ideal State: What are the threat models? where does Shadow IT or workarounds occur? How do we make culturally appropriate recommendations? How do we improve workflow?
Culture: How do we build a culture of resilience?
Today's MINIMUM Defense in Depth
- Security Education: Allows for staff reporting, weekly quizzes, optional phishing campaigns and safe-fails (a better learning experience).
- 2FA/MFA: Two factor and multi-factor authentication is typically a default but must be implemented, it can prevent 95% of incidents.
- Password Manager: 1Password.com or others, generates random passwords for all applications and you only need to know one master password.
- Advanced Endpoint Protection: Modern-day anti-virus, removes and prevents malware.
- Cloud Directory, Single Sign-On (SSO): Free for businesses with less than 10 employees, we currently use JumpCloud.com which is beneficial for onboarding and terminations for employee access.
- Advanced Email Protection: Built over time to protect domains (reduce junk messages) and to improve deliverability of mailing lists, newsletters, etc.
- Virtual Private Network (VPN): Traditionally used to allow work-from-home employees to access files at the office. Today used to protect individuals on any network.