There is no need to say that data security is important. Everybody knows that, everybody agrees. On the other hand, knowledge that ‘admin1’ and ‘password1’ are not strong login credentials is also pretty common…but that doesn’t mean they are not still among the most commonly used. The trick is to treat IT security seriously and as a top priority. Remember that it is a process, not a product, so it has to be checked and updated regularly as the market situation changes rapidly and the war between security experts and hackers escalates.
No sophisticated tool will protect your business if you ignore the basics. Here are the things that need to be secured, why they need attention and how you can rise to the challenge.
Home and Mobile Working
People feel the need to always be connected. Most of us are used to checking mails, news or messages dozens of times a day, and our social media habits cross over into our professional lives. We want to be up-to-date always, and wherever we are. Some companies support this trend by encouraging their employees to work from home (or any place other than the office), as this means flexibility (highly valued by young or working parents) and savings. If it works for your business, that’s great, but what you (and your people) should remember is to use a VPN connection (and definitely DO NOT connect to public networks), pay serious attention when entering passwords and protect screens from being photographed.
Removable Media Control
Removable devices such as USB sticks can be used to share necessary files, but they are also a means by which unscrupulous parties can install malware on your computer. It is better to lock USB ports as default, unlocking them only if needed and approved by the IT team.
Secure Configuration
Secure configuration is very important, as misconfigured controls (poorly secured databases, patches that haven’t been installed) are among the most common sources of data breaches. Proper configuration gives you a clear view of what you have, what functionalities should be removed or implemented, and what vulnerabilities should be fixed.
User Privilege Management
Use the minimal access rule: every employee should have the fewest privileges possible for them to do their work – and no more. IT teams should check users’ accounts regularly, delete inactive ones and revoke unnecessary admin rights, access to systems and shared tools. Thanks to this approach, if an employee’s account is stolen, an attacker might not get too much access to the company’s internal resources.
User Awareness
Human error is one of the top sources of security incidents, so provide your employees with appropriate awareness training. You can never provide too much training about strong passwords, being careful when working from home or in a public place, downloading or phishing methods.
Incident Management
Security incidents happen. If your prevention methods fail, you need a strategy that should include policies and procedures that will help you to act quickly and minimize damage. The worst thing your IT team can do is to panic; make sure they protect your company at every stage.
Monitoring
Prevention is better than cure. Good security monitoring can detect anomalies and prevent or stop an attack before it does serious damage.
Network Security
Network connections can be vulnerable to attacks. Make sure your network architecture is well designed and maintained. If you have doubts, ask your engineers to check it, or hire an external IT company to perform an audit for you. Implement recommended changes and prepare policies and measures that will help your company to avoid issues caused by exploitation of existing vulnerabilities.
Malware Prevention
IT infrastructure can be infected with malware in many ways, for example by email attachments, links or removable devices. To decrease this risk, companies should implement anti-malware software and ensure their employees are trained in IT security and aware of risks associated to opening an email from an unknown sender.
Technology changes quickly, as do the tools and methods used by hackers. Unfortunately, the availability of cybersecurity specialists is falling. Security will become a top priority for many organizations in the coming years (if it is not already – and it should be) because the consequences of a data leak or data loss can be extremely severe. Not only might you lose data, money and damage your reputation, but a business operating in the EU could also fall foul of GDPR rules. IT security is an important investment, and there are no shortcuts. If you cannot afford to hire an in-house team of qualified people, consider outsourcing your security to an external company or buying products and services only from vendors which have experience, knowledge and a security team on board. Do not let the hackers win!
