The IT Security Professional | Barlowtek
Helping Organizations Understand IT Security & Best Practices
We have seen a drastic increase in the number of companies and individuals working from home in recent weeks due to the outbreak of COVID-19, or the Coronavirus, and the impact it has had on the global workforce. It is not just the technical industries that are finding that they need to support this suggested defense strategy for dealing with the outbreak. Being secure while working from home seems like a no-brainer, but in a corporate environment, you have more resources and security measures that are not available at home or that can be implemented.
Network Connections
One of the biggest issues that employees face is how they are able to connect to the network in the office. Whether this is a direct connection or over a Virtual Private Network (VPN), all of your employees will need to know what they need to do in order to be in compliance with your company’s policies. These policies will be difficult to maintain in a remote working environment, but that can be managed by communicating the specific requirements to the employees.
Security Guidelines
Some basic guidelines on how to enable the workforce to work remotely are needed. The following recommendations and industry best practices should be followed:
Changing Work Model
While the impact of COVID-19 may be unknown for years to come, it is important to see what it is doing to the modern work environment now and how that has drastically changed in just the last four months. The shift of remote working from an “added benefit” before the outbreak to a “must have” now has helped drive the change in what work looks like in the 21st Century. As the pandemic drags on and we see surges in infections and additional areas being infected, where people work has changed. Having to go into the office in 2020 means that you are potentially putting yourself and your family at risk of infection. Companies are also looking at what model they will be going with in the future and making plans for the changing work environment that has been foisted upon them by the pandemic and by the response that governments around the world have taken in order to combat its spread.
Securing the Remote Office
There are a growing number of technical workers who are creating or employing their own office environment in their homes. Whether this is because they have to in order to work or because they have chosen to do so, the remote office has become the norm in the time of the pandemic. Providing a secure and protected work environment may seem to be a challenge, but it can be done. Start by doing the following:
Summary
While there may seem to be little that can be done with an employee who doesn’t come into the office to work, there is a lot that can still be done to secure their work environment at home. Also, extending the secure work perimeter needs to happen, and supporting the end user remotely should be encouraged as much as possible. These small changes can help to facilitate a more secure work environment and provide good “security hygiene” for when and if employees ever return to the corporate office environment.
With the continuing evolution of Smart Meters and the need for ever more data, companies are finding that they need to protect information that didn’t need to be protected before. Whether the utility provider is using data analytics to provide energy insights to their customers or using the information in new ways in order to provide value to a potential client, it comes down to IT Security to come up with ways to protect that data. While big data, smart meters, or other networked sensors provide a vast amount of data, the use of the cloud and “Big Data Analytics” has the ability to provide insight into the end consumer’s behavior and how they use their utility services. It is from this combination of sources and the ability to correlate the data in a meaningful manner that cyber criminals are finding weaknesses in how the data is protected. It is up to the utility or the support services provider to protect that data.
Protecting the Undefined
Much of the data that is collected and correlated through analysis is being handled by organizations that may not have been responsible for this type of data in the past. For a large number of utilities and service providers, this is new territory that they are banking on to provide their customers information that will help to benefit their business. Part of the challenge is identifying what is considered Personally Identifiable Information (PII) and what steps should be taken to protect that data. Defining the limitations or the extent to which those protections should be implemented will help businesses allocate the resources that will be needed to protect that information. Since this has not been an area of focus for any specific regulatory requirement, the implementation of current IT Security industry best practices has helped to fill this gap.
PII Defined
The following definitions and information are what is “normally” thought of as PII. But due to the nature and the type of data that is collected from utility customers, this data provides only a small part of the overall picture of the end consumer.
Typical Datasets
Some typical datasets that are collected or that are used as part of the analysis process may be any of the following:
While these are not typically used as PII, they can be used in conjunction with other publicly available data to provide targeted and detailed information about the end consumer that would not be available otherwise. This information does not identify one particular individual, but a whole category of individuals. But if the attacker knew a small piece of the information about a particular target, they would be able to collect additional information in order to create the “bigger picture” of who they are going to target.
Example??
Business Benefit v. Data Protection
When utilities collect data on end consumers, it is used to help the utility provide better services to the customer or to help with the overall effectiveness of the grid network and energy resource delivery. What these information providers are finding is that it is becoming ever more important to protect the data that they have collected and are conducting analysis against. While the end consumer is driving this demand, utilities and support service providers are finding that they have to comply with this requirement as well.
Securing the Data
When a utility obtains data points on consumers, they are usually stored in large data repositories, and this is where the data can be readily accessed. This data pool is used to perform analysis against and can be accessed by a number of entities. This is especially true if the company employs a third-party service provider that will use the data to provide detailed information for use by the utility. This data repository is also where security controls can be implemented that help to protect the information and its integrity within the data sets that are used for analysis. Encrypting the data at rest and in transit, and only using secure and proven methods of transmission and storage, is one of the ways in which this data can be secured. Preventing or restricting access to this data can also be helpful in preventing the loss or the leakage of this sensitive data. Also, there is a growing use of the various cloud services to provide the processing and storage capacity that is needed for these large data pools of information. Adhering to an established IT Security standard may provide some guidance on how to handle this information.
Compliance & Regulation
In North America there are two main compliance certifications that are becoming important for utilities and support services providers to follow, or at least to adhere to. These are:
While these compliance standards don’t directly describe or require specific requirements for the use and storage of the type of data that is collected by utility service providers, they do provide industry best practices for how to store and transmit sensitive data.
Protecting the Consumer
Utilities and support service providers have an obligation to protect the data that is collected and used or stored by the organization. Whether the data is stored in the cloud or used by a third party for running analysis against, it is important for the company to take the needed steps to make sure that the information does not fall into the wrong hands. Utilities and support service providers can do the following:
Summary
While companies have the ability to transform data that they get from diverse sensors, meters, and network nodes into actionable data, businesses that use this information have an obligation to keep the data safe and secure. Data that seems to be just noise in the background can be used in conjunction with other information to provide a more inclusive picture of a customer, or a potential cyber victim. The amount of electrical usage and the times at which that usage is recorded can all be put together in order to form a more complete profile of a potential target. While knowing this information may provide the business an advantage against a competitor, it can also pose a risk if that information is not protected.
Special Mentions
A special thanks to Robert Smith, who can be reached at his website TheDataScienceGuy, for helping to review and critique this article.
IT Security Pro: Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership. Ready to help your company stay safe and secure.