At IT Freedom we take security seriously, especially when it comes to handling our customers' data and keeping their networks secure. As a trusted IT partner, we have to take security that much more seriously: our customers rely on us to protect our own systems and, by extension, their networks and data as if they were our own.
This week we will be posting a two-part series talking first about what we do internally as a company to build and maintain a top-notch security culture and then later on about some of the specific services and measures that we take to protect our clients.
In addition to a rigorous interview process, we perform industry-standard background checks on all new employees upon their offer of employment, and they don’t get access to any critical systems or customer data until their background check is complete.
Security Training and Continuing Education
Security is a big part of our company culture, and that means infusing security training and awareness into our day-to-day business. Every member of the IT Freedom team is required to go through training on industry best practices and procedures to safeguard both IT Freedom's data and the data of our customers. We conduct regular topic-specific training sessions after our weekly Friday all-hands meetings, including quizzes, to make sure that we keep on top of new threats and are living one of our core company values: always get better. Training covers our security policies and updates to them, including the rules on disclosing sensitive customer information and the verification procedures for password resets, along with many other topics ranging from the deeply technical to making sure that everyone works from the same set of standard procedures.
Every method we use to access and store customer data relies on strong encryption. All the offsite backup data that we store is encrypted both in transit and at rest in our cloud. All of our network management is done over standardized, strongly encrypted VPN connections. We encourage all clients to restrict access to applications to secure VPN connections or other secure access methods, and to use two-factor authentication wherever possible. In short, we believe firmly that strong encryption, coupled with effective network architecture and management, is key to keeping our clients secure. And we live those values with every network that we build.
Whenever possible, any application we use is configured to require IT Freedom employees to use two-factor authentication. These applications include our documentation, email, ticketing system, VPN and many more. Two-factor authentication is a key element of defense-in-depth against attacks on weak or compromised passwords: a password that has been guessed, reused from another breach, or phished is not enough on its own to log in. In addition to using two-factor authentication extensively internally, we strongly encourage our clients to do so as well wherever practical.
Comprehensive Updates & Maintenance
This is something we have been doing for many years now. We constantly monitor security notification systems from the government, large technology companies, and several other sources for security bulletins. Senior engineers assess each bulletin, determine the appropriate response, and follow our documented procedures for deploying security updates and other countermeasures as appropriate. Most commonly this means vendor-supplied software updates, which we apply to the operating systems on client servers and workstations so that known vulnerabilities are closed as soon as a fix is available.
This may seem simple, trivial even, but a huge number of preventable security breaches every year happen because this type of update management isn't done consistently. Our standardized, long-standing processes make sure that our clients don't fall victim to this sort of carelessness.
End of Life Policy
We do not support software that is beyond its supported lifecycle. The supported lifecycle is exactly what it sounds like: the period during which the software vendor still provides support, maintenance, and updates for the product. Most critically for this discussion, the vendor provides security updates for its products for some period of time but generally stops at a defined date.
As an example: we stopped supporting Windows XP when it reached the end of its supported lifecycle and strongly encouraged our customers to upgrade past XP before the end of what Microsoft called its “Extended Support” period. Past the end of Extended Support, Windows XP stopped receiving security updates and it became much more dangerous to continue using it—any new vulnerabilities found in the operating system would never be fixed by Microsoft. This policy hasn’t always been easy to abide by, but in a world where a simple exploit delivered via a hacked web page can result in compromise of the machine and then the broader corporate IT network, that’s a big deal. Pushing for up-to-date systems has been extremely beneficial in terms of keeping ourselves and our clients secure.
Keeping networks and data safe isn’t always easy, but it’s one of the most important things you can do in your business. You should ask your IT partner or staff about these items and more—better IT security across the board means fewer risks for everyone!
Be sure to check back later this week for Part 2 of this 2-part series about the more advanced security measures and services that we bring to our customers’ networks!