What Are You Doing for IT Security and Compliance (+Training)?

Hi Folks,

I know this topic has come up before but was hoping we could have a fresh discussion on how you are handling digital security at your church. I’m eager to hear about anything you might want to share; here are a few areas I’m particularly interested in:

  • What do you use for endpoint security? We are currently shopping around for a new vendor.
  • What training do you provide staff on proper digital precautions?
  • Do you require staff to utilize a password management system? I’m personally a fan of LastPass.
  • Any best practices for securing servers and data storage?
  • Thoughts on cloud storage and apps, data sharing? These are a bit of a nightmare. Folks tend to utilize these without informing IT.
  • Do you utilize an IDS or similar software to proactively internally monitor your network? Ubiquiti has released IDS functionality as part of their network setup (in beta) with this latest release.

Anything you are willing to share is greatly appreciated. :slight_smile:

Dave

4 Likes

Hi Dave, I can speak to a couple of those areas.

  1. Endpoint security: Endpoint protection is a matter of defense in depth and risk modelling; there is no silver-bullet protection and mitigation solution. As end-client technology providers release regular product/software updates, security tools will become outdated - just as a rule. Multiyear endpoint protection commitments will leave you playing a constant game of catch-up. The solution is a holistic internal security assessment that identifies and satisfies your desired endpoint protection feature set with the corresponding endpoint protection suite and a comprehensive implementation strategy. Really selecting and implementing
    Have you done a vendor assessment yet? I can show you my vendor assessment if you want.
  2. Training: There are a couple of LMS systems out there, and you will probably want one that includes most of the core IT processes surrounding IT security: DRP, BCP, risk management, external compliance, process controls and internal audits, security management and strategy.
    Let me know if you want to chat for a half hour and I can show you how we’ve done it.
    I hope this helps.
    Mike
1 Like

Hello Dave,
I can speak to a couple of points as well. Additionally, I am interested in what others are doing for security awareness training.

  1. We use Thirtyseven4 as our AV solution. We have not had a major infection since moving to them from Symantec Endpoint Protection 3 years ago.
  2. I’m interested in the Security Awareness & training topic as well. We used a free code to get KnowBe4 to send emails to our staff to see who would fall for phishing attacks. It was eye opening: 25% of our staff opened and clicked on links. The first email wasn’t even that tricky.
    We certainly are planning on budgeting for and partnering with KnowBe4. I believe they have a wealth of information and help with Security Awareness training for staff.
  3. Cloud Storage and Apps - I’m a big fan of cloud storage and apps as it helps our teams access their files from anywhere and any device. It also helps them collaborate on docs all at the same time. I would love for our whole staff to embrace the technology we pay for and have approved, Office 365 (OneDrive, SharePoint, Teams, etc.), but we do struggle with teams opening accounts with other cloud platforms like Dropbox for Business, Google Drive, etc. Microsoft has closed the gap a bit as far as ease of use and features, but teams tend to stick with what they are comfortable with. We do hold lunch and learns as a way to showcase the value of using Office 365, but they are only attended by about 10 - 15% of staff. There are certainly some cons to the cloud as well: backups, someone leaves staff but had docs others need, etc. We are still working on many of these issues.
  4. We use Cisco ASAs with Firepower enabled. This is one level of IDS/IPS protection. Additionally, ThirtySeven4 provides this at the endpoint level.
2 Likes

Used to use Webroot but dropping it like a hot stone; their exec team are running it into the ground, and what used to be a great solution 3 years ago has become the new Symantec. BitDefender / Sophos / Trend Micro.

There’s no good training solution out there. KnowBe4 make the most noise, but their videos are about as engaging as a health and safety presentation; we just drill into people to verify everything.

Would like a password management system, Myki is another alternative to LastPass and stronger because the data stays on the endpoints.

Loads of best practices :slight_smile: - If you have 200+ days of uptime on a box, you are doing it wrong; patch and reboot on a regular basis.

Get OneDrive free with 365; using that with some local storage on a server currently.

With my pro IT hat on, I’ve challenged vendors openly to prove the value of their UTM solutions with IDS, and none have ever taken it up; I’ve done the same with IT pros and also met no response. They are often black-magic boxes that are put in and people feel snug and secure, but I’ve seen plenty of orgs suffer a breach with them, with no difference.
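The "200+ days of uptime" rule of thumb above is easy to turn into a check that runs against a server inventory. The script below is an added example, not code from the poster or from any product mentioned in the thread; the 200-day threshold follows the post, while the hostnames and uptime figures in the sample inventory are constructed for illustration, and reading the local host's uptime from /proc/uptime assumes a Linux box.

```shell
#!/bin/sh
# Added example (not from the original post): flag servers whose uptime
# suggests they have not been patched and rebooted in a long time.
# The 200-day limit is the poster's rule of thumb; hostnames and uptimes
# in SAMPLE_INVENTORY are constructed values, not real servers.

MAX_UPTIME_DAYS=200

# uptime_days SECONDS -> prints whole days of uptime
uptime_days() {
    echo $(( $1 / 86400 ))
}

# needs_reboot SECONDS [THRESHOLD_DAYS] -> succeeds (exit 0) when the
# uptime in days is strictly greater than the threshold
needs_reboot() {
    secs=$1
    limit=${2:-$MAX_UPTIME_DAYS}
    days=$(uptime_days "$secs")
    [ "$days" -gt "$limit" ]
}

# report_host NAME SECONDS -> one tab-separated report line,
# status "OK" or "PATCH+REBOOT"
report_host() {
    name=$1
    secs=$2
    if needs_reboot "$secs"; then
        printf '%s\t%s days\tPATCH+REBOOT\n' "$name" "$(uptime_days "$secs")"
    else
        printf '%s\t%s days\tOK\n' "$name" "$(uptime_days "$secs")"
    fi
}

# Local host: first field of /proc/uptime is seconds since boot (Linux).
# Falls back to 0 where /proc/uptime is not available.
local_uptime_seconds() {
    if [ -r /proc/uptime ]; then
        cut -d. -f1 /proc/uptime
    else
        echo 0
    fi
}

# Constructed sample inventory: "hostname uptime_seconds", standing in
# for data collected from each server (e.g. via a monitoring agent).
SAMPLE_INVENTORY='fileserver01 19526400
dc01 864000
web01 1296000'

# Print a report for the sample inventory plus the machine running this
# script (uname -n is used instead of hostname so it works on minimal boxes).
main() {
    printf 'host\tuptime\tstatus\n'
    echo "$SAMPLE_INVENTORY" | while read -r name secs; do
        report_host "$name" "$secs"
    done
    report_host "$(uname -n)" "$(local_uptime_seconds)"
}

main
```

In the sample inventory, fileserver01 (226 days) is the only host flagged; the other two are well under the limit. Feeding the script real uptime figures from a monitoring tool turns the rule of thumb into a recurring report rather than something someone has to remember to look at.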

  1. Bit Defender
  2. The only product I’ve been impressed with is very expensive. Curricula is engaging and fast.
  3. I tend to rely on single-sign-on and hope for the best. Password managers are still a bit “advanced” for the average user.
  4. Cloud storage is good, shadow IT is not. The only effective deterrent for shadow IT is to make sure the IT team is seen as an enablement partner and not as an old-school BOFH-style department. This means you need buy-in from the top down, and you need to be able to spend out of other folks’ budgets. Then, as you find tools that are widely useful and the staff like, roll them out as widely as possible. If you force everyone to live within what gSuite / Office provides, they will move data outside of your purview and control, and the organization will lose visibility and productivity and will have a lesser idea of what they’re actually spending on technology products.
  5. IDS is pretty useless on its own. IPS helps, but double-check the performance hit because UBNT’s gear isn’t really designed around security. Generally I’d implement IPS in tandem with several other UTM features if I had the equipment that could handle it, but it’s no substitute for proper segmentation, patching and general hygiene regimens.

We did some phishing tests with KnowBe4 a couple of months ago (with a 60%-plus failure rate) and just started mandated KnowBe4 online training last week. There has been a positive response and appreciation from the Executive Team, and conversations in the hallways (“did you pass the test?” etc.), so engagement is slow but everyone seems to think it’s helpful. We’ll do another test in a week or two and will expect a significant drop in failures.