It's no secret that thousands of successful cyber-attacks are executed in the US every day. According to Newsweek, there were over 77,000 in 2015 and the number continues to rise. Cyber security and data protection have always played an important role in the culture of SMG. Being a trusted partner for hundreds of global corporations, we take that responsibility seriously—and it shows in our security strategy and the resources we commit to this effort.
Effective security starts with people
We believe an effective security posture starts with an informed and aware workforce. KnowBe4, a respected company in ensuring employee compliance, stated in a recent whitepaper, “hacking a human is by far the easiest way to get into a network.” We begin securing our human network with an extensive background check. Once hired, the employee must undergo security training, pass a test on that training with a 100% score, and then participate in mandatory annual training that is updated each year to reflect new threat vectors.
The SMG office itself is secure, too. We protect our internal networks by separating corporate and guest network access. We protect all computers with antivirus and malware defenses. All tools and internal systems require appropriate credentials and are designed around role-based access. Passwords must be strong and are reset every 180 days. We also have detailed procedures for both onboarding and separation, which allow us to ensure only active employees have access to our systems.
Product security + partner trust
The SMG platform has also been designed for security. The platform leverages industry best practices including firewalls, intrusion prevention/protection, encryption at rest and in motion, application-level monitoring, and support for both strong passwords and single sign-on (SSO). The data center has both physical and logical controls as well. For example, the data center is located in a separate and extremely secure location that has 24-hour armed surveillance of the physical premises and an array of software and hardware monitoring tools. The data center requires special credentials to access.
While we believe our processes and systems are secure, we conduct outside tests each year to verify. The tests include application and penetration testing. SMG has been awarded the SOC2 Type 2 certification after extensive and perpetual audits. SOC2 Type 2 is recognized as a premier audit and certification of safeguards and procedures. These external tests provide confirmation that our systems and associated processes have integrity and meet the rigorous standards that are defined in each audit. In order to keep challenging our security stance, we continue to evaluate and implement additional tests, audits, and certifications for their usefulness to us and our partners.
Security as an ongoing investment
Security is more than just a buzzword at SMG—it’s part of our culture. A 100% secure system is impossible, but that surely doesn’t keep us from trying. Even when others in our industry are content with maintaining a level of “reasonable prudence,” our commitment to the confidentiality, integrity, and availability of our information and the data we collect on behalf of our customers compels us to exercise an aggressive defense-in-depth strategy.
We're passionate about security at SMG. If you’re a current customer and have questions about any of our controls, please feel free to reach out to me directly: firstname.lastname@example.org.
Dennis Ehrich, Chief Information Officer
Vance Collins, CISSP