Q: Can you speak to infrastructural security measures like network segmentation and how the actual construction of an IT system can lend itself to better or worse cybersecurity?
Charles: “Absolutely. I remember when I was early in my career and just having a network was a really interesting thing. Having one flat network was fine. And that just isn’t the way it is today. Now, we know that building one flat network where everything is interconnected is very simple, but it doesn’t provide the kind of protections we need. We need to be able to create barriers to malicious intent or even accidental mistakes that cause damage. By taking various kinds of devices with different information requirements and security requirements and segmenting them from each other, we build smaller containers that we can then secure with the correct security rules. It helps prevent the spread of problems if something does go wrong. It also makes it easier for us to design a security structure that is robust. It requires more work up front, to architect and design and set up and implement the system, but it pays dividends over time.”
Q: We saw in the Target incident that login credentials were harvested from the HVAC contractor. As a company, we provide password managers, anti-phishing tooling, phishing simulations, and requirements for password strength. But, as IT providers, we can only put the tooling in place and educate staff on how to use it. Can you speak to how important it is that staff and technology users be motivated and proactive about being educated and practice securing their information?
Charles: “Yes, technology measures can only go so far. If you don’t have the correct technical security systems and tools in place, that can be a severe problem. But once you deploy the necessary security systems, the people using them and interacting with them must know how to use them well. If you have built a solid technical security system, the most obvious point of weakness would be a person who does not know how to utilize it well. That’s not because that person isn’t intelligent or competent but rather because these systems are so complex and interconnected that any person who is not educated about that specific system could easily misunderstand it. Training employees about how to safely use the systems available to them and how to spot attempts to deceive them is critical in having a successful outcome. An educated staff with a subpar security system and a solid security system with uneducated staff are both problematic. Invest in both IT systems and staff education to protect your company. It’s why we continue to educate our clients when we make changes to our systems. It’s just as important that they know how to utilize the tools they have access to as it is to provide those tools in the first place.”
Q: At Sterling Ideas, we proactively protect our clients against threats like this using a host of security tools. What do you think the advantage of partnering with an MSP is, regarding security against criminal threats?
Charles: “We have, over the last years, been building a toolkit of systems to protect our clients. Our toolkit is comprised of many tools that anyone could procure for themselves if they so desired, and then there are some that are a little more specialized. But the real power of what we built is not in the individual tools—it’s in how we’ve built them up together, so that each one works with the others, making an even stronger environment than any one tool could by itself. The benefit of working with an MSP like us is more than just our different tools and our service to your company; it’s about the years and years that we’ve spent investing in the systems we build so that your company can reap the security rewards today.”