As you work to create a strong information security posture for your organization, it is important to consider the security framework surrounding executive communication with each other, the board of directors and even third-party partners. Executives frequently need to review and communicate about sensitive information while on the go and outside your network. As more mobile communication options become available, organizations must take precautions to secure the mobile apps and data executives are using.
In this slideshow, Diligent Corporation, a provider in secure collaboration tools for executive teams, shares five steps you can take today to tighten security around executive communication.
Securing Corporate Communications
Click through for five ways organizations can secure executive communications and bolster their overall security posture, as identified by Diligent Corporation.
Use Trusted Native Apps
When selecting a means for executives to communicate while on the go, web-based apps have long provided a great convenience. However, as mobile technology evolves and cyber threats continue to grow, communicating via native app has become increasingly important. Native apps, which are developed specifically for mobile devices, are much harder to tamper with, while web apps are susceptible to many hacking threats. SQL injection (SQLi) attacks, in particular, have been used to steal the personal details of World Health Organization employees, take data from the Wall Street Journal and infiltrate the systems of the British telecom company TalkTalk. In these instances, an attacker can execute malicious SQL statements that control a web application’s database service. Since an SQLi vulnerability could affect any website or web application that makes use of an SQL-based database, the vulnerability is one of the oldest, most prevalent and most dangerous that applies to Web applications.
In general, a trusted native app will provide its own strong encryption and strong password that are separate from the user’s own device encryption and password, which are simply not enough in this age of BYOD (bring your own device). Additionally, look for native apps that allow you to lock down access of a particular user to a pre-identified device or set of devices. This device authorization can provide an additional critical security control; in the instance that an executive’s app credentials were stolen, those credentials would only work on pre-identified and approved devices.
Embrace Two-Factor Authentication
Two-factor authentication adds an extra step to your basic log-in procedure, providing yet another layer of security around executive communication. When you have to enter only your username and one password, that’s considered a single-factor authentication. Two-factor authentication requires the user to have two out of three types of credentials before being able to access an account. The three types are:
- Something you know, such as a PIN, password or pattern
- Something you have, such as a cell phone or fob
- Something you are, such as a biometric like a fingerprint or voice print
While it adds an extra step to your login process, two-factor authentication gets a bad rap for being difficult to use. However, the more technology improves, the quicker and easier two-factor authentication can be implemented. Many vendors take as little as two seconds to transfer the needed verification code.
Set User Access Restrictions and Permissions
Collaboration and communication are key elements to the success of any organization, but when it comes to handling sensitive data, there are plenty of cases when access needs to be limited, even among members of the executive team. Smart tools are available that can enable both user- and role-based permissions all the way down to a specific page within a document. This is equally important when sharing sensitive data outside your organization’s firewalls with third-party partners or regulators. Look for apps that enable a partner’s seamless, mobile access but with security comparable to that of your existing network infrastructure.
These tools should also operate as secure containers that allow total control by the company. Sensitive materials should not be able to be saved to a user’s device and additional printing and email capabilities should be managed by the company and set on a user-by-user basis.
Both of these steps help ensure that no information falls into unintended hands and the information goes no further than the company desires.
Watch Out for Third-Party Attack Vectors
Third-party vulnerabilities are one of the most likely “attack vectors” in the information security landscape today – with retailer Target being the most notable victim of late. But conducting business without relying on any outside partners is nearly impossible and certainly cost prohibitive. It is imperative to have a comprehensive vendor risk management strategy and analysis that includes a digital security component. Understand the risks of outsourcing functions and make sure that you’re comfortable with the vendor’s privacy and security posture in advance of committing to the relationship.
Additionally, don’t overlook nested relationships that come with doing business with third parties. Know how your vendors are protecting their relationships with other parties and the potential impact that could have on your sensitive data. Look for partners that own security end to end within their organizations and, at the very least, be diligent in evaluating and determining what additional parties are also involved in the service provided.
Ensure Proper Training
Purchasing tools and technology to support and secure executive communication is only the first step. It is imperative that your executives are properly trained on these tools to ensure successful adoption – and mitigate the temptation to continue to use less secure methods.
Each user should receive one-on-one training from an expert on the product, preferably from the vendor itself. Knowledge of and comfort with technology varies dramatically from one person to the next and this methodology enables the user to ask questions without judgment from their peers.
