Data breaches are becoming regular news – from mid-sized businesses to large enterprises, everybody is taking a hit. Your company may be small, even a small family business, but you are not safe either. From one-person shops to large enterprises, everybody has to keep an eye on security.
Security does not need to come with a large price tag. Dedicated, expensive equipment is not always the answer to all your security needs; in many cases the situation is just the opposite. Let’s see how you can increase your security with little to no investment.
Let’s start with updates. There is a reason companies employ programmers to write updates and distribute them to users. Believe me, if updates were not so important, no company would pay these people to release patches. A significant percentage of these updates – sometimes most or all of them – are security updates that keep you protected against the current threat landscape. Failing to apply them exposes your company to security risks. I do agree that updating is time-consuming for administrators and means downtime, but it is the crucial first step to keeping your company secure.
Next, be vigilant. Keep an eye on the security field and identify emerging threats. To begin with, it is enough to follow the RSS feeds of your hardware and software vendors’ security pages. Oftentimes, the advisory pages also include information about how to defend yourself against that particular threat. In many cases you will see that a simple change in a configuration file, or installing a patch that does not require a reboot, is all you need to do. My advice is to read, be open to learning new methods, take training and connect with the relevant communities.
After that, take a look at your network. What are the security risks that are so obvious that they are forgotten and – God forbid – have become the norm?
Let’s start with the wireless service. Your company can have a wireless network for employees and a wireless network for guests. The former may not be strictly necessary, but the latter certainly is. This does not mean that your company’s wireless connection should be without protection. The first thing I advise is to separate your guest wireless network from your company network. Purchase an additional line (you do not need a high-bandwidth, dedicated line; a consumer-level line will do) and put the guest traffic there. Also, change your wireless password on a weekly basis (all you need is a recurring task and a random password generator). In countries like mine (Turkey), you are required to log all the traffic and present it to the authorities when asked. The solution many companies deploy is to record the social security number, name and mobile number of each guest and send the password by SMS. So, in case of an audit, the logs presented to the authorities are complete with all the personal details.
Speaking of passwords, take a look at your password policies if you haven’t done so for a while. Make sure that you set and enforce password policies for all your staff, with more stringent policies for your IT staff. End users can change their passwords at longer intervals, but for IT staff this period must be no more than 30 days. The password policy also applies to wireless passwords, BYOD users and any device that accesses the company network. I know this will be a pain in the short term, but no device can help you if your users have weak passwords.
To make access harder for malicious actors, the strongest route is two-factor authentication coupled with a VPN and full-disk encryption. Office 365 and Google offer two-factor authentication; it should be the default wherever it can be used. Then, if you allow remote access to company resources, make sure there is no access to those resources without the VPN. I know how painful it is to set up and maintain a VPN, but it is an absolute necessity. Do not allow any access to company data without the VPN. And finally, encrypt everything you can. Start with mobile equipment – especially laptops, phones and tablets. You can then move on to servers and other data drives.
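As an added example (not code from the original article), this Python block implements the role-based password-age check described here: IT accounts get the article’s 30-day limit and wireless passwords the weekly limit, while the 90-day limit for end users is an assumed placeholder. The account records and dates are constructed for illustration, and an unknown role falls back to the strictest limit.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Maximum password age per role. "it" = 30 days and "wifi" = 7 days follow the
# article; "user" = 90 days is an assumed placeholder, not from the article.
MAX_AGE_DAYS = {"it": 30, "wifi": 7, "user": 90}
WARN_BEFORE_DAYS = 7  # start nagging a week before expiry


@dataclass
class Account:
    name: str
    role: str          # "it", "user" or "wifi" (wireless / BYOD / device passwords)
    last_changed: date


def password_status(acct: Account, today: date) -> str:
    """Return 'expired', 'expiring' or 'ok' for one account under its role's max age."""
    # An unmapped role gets the strictest limit rather than silently going unchecked.
    limit = MAX_AGE_DAYS.get(acct.role, min(MAX_AGE_DAYS.values()))
    expires_on = acct.last_changed + timedelta(days=limit)
    if today >= expires_on:
        return "expired"
    if today + timedelta(days=WARN_BEFORE_DAYS) >= expires_on:
        return "expiring"
    return "ok"


def audit(accounts, today: date) -> dict:
    """Group account names by status so expired ones can be forced to change."""
    report = {"expired": [], "expiring": [], "ok": []}
    for acct in accounts:
        report[password_status(acct, today)].append(acct.name)
    return report


# Constructed sample records, not real accounts.
SAMPLE = [
    Account("admin.ayse", "it", date(2016, 1, 1)),      # 30 days passed -> expired
    Account("admin.mehmet", "it", date(2016, 1, 10)),   # expires 2016-02-09 -> expiring
    Account("sales.john", "user", date(2015, 12, 1)),   # 90-day limit -> still ok
    Account("guest-wifi", "wifi", date(2016, 1, 27)),   # weekly rotation missed -> expired
]
TODAY = date(2016, 2, 5)

if __name__ == "__main__":
    for status, names in audit(SAMPLE, TODAY).items():
        print(f"{status:9}: {', '.join(names) or '-'}")
```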
To be frank, IT staff alone cannot do all of this. After top management, HR has to step in, especially for the people who try to get around these measures or plainly break them. As IT staff you did all you could to make the company as secure as possible, but a single employee can undermine it, and at that point your company data is no longer safe.
To counter such attempts, the first thing to do is to properly train new hires on security. This training should cover what security is, what the company’s measures are, how an employee becomes a target for attackers and what methods attackers use. Of course nobody knows the real motives and intentions of a new employee, but it is IT’s and HR’s duty to make sure the new hire learns as much about security as possible in this training.
Then top management and HR should agree on the actions the company will take in case of a security issue. The issue need not be a breach: undermining security, trying to go around it, or questionable, unexplained actions also need to be addressed and communicated clearly. IT security must be an area that nobody other than the designated staff is “allowed to touch”. Anyone who does not respect this has to suffer the consequences. This may be hard to do at first, because in some cases it will come to employee termination. But when users understand how serious the issue is, your security policies will be easier to enforce.
Finally, remember that security measures are not “set-and-forget” things. Rather, they evolve, become more complicated and morph into something else every day. If you do not think and act this way, then, simply put, your data is at risk. On the other hand, implementing the measures I have discussed in this article will put you in pretty good shape without spending too much of your budget, and in some cases without spending anything at all.
3 Comments
When I got a bank account in Sweden, I was amazed at how much more protected the accounts were. I had a little gadget that provided a randomized password every few seconds, along with a PIN to get into the device and a user name. It made me feel so much more secure knowing that I had multiple layers of protection. I’m glad you pointed out that security issues evolve in the same way that technology does — you can’t just have a great security measure and then leave it put for years. Sad but true.
Hi Kavitha, so nice to hear that. Wish you a more secure 2016!
Really useful post. Surely the security of our site is very important because our businesses run on data. I have already started improving my security. Thanks.