Security is a topic that can fill many volumes, so treat the list below as just a quick-fire snapshot summary. Nothing will substitute for doing the hard work necessary to put together a comprehensive security policy and the operational procedures to underpin it.
- Have a security strategy with executive level backing
It is a fundamental requirement for executives to define what the valuable assets are, and hence what needs to be secured above everything else. The strategy then underpins the protection of these assets via policies, procedures and governance.
- Design your systems with security at the core
Security has traditionally been bolted onto business systems as an afterthought. Since security threats are pervasive, security mitigation must be too. Security design therefore needs to be incorporated into all elements of a business: clients, networks, services, applications and people. Some basic design techniques are listed below.
- Segment your network into logical, system-based zones so you can segregate critical systems and apply network security controls to them.
- Protect your Internet edge, but also internal (east-west) traffic, and cover the most used attack vectors (email, web).
- Pay special attention to wireless connectivity: use strong authentication based on individual credentials or personal certificates, strong encryption (AES) and proper guest/BYOD access.
- Plan home and remote user access carefully; these users should have the same security controls as users on the office network.
- Have a central point for system monitoring (SIEM) that is integrated with your environment and provides a single place holding all relevant logs and events for your systems.
- Design for secure management of, and secure physical access to, your IT assets.
- Protect your endpoints/servers
Once endpoints are compromised they can be used to propagate threats throughout the business. It is therefore critical to protect endpoints constantly and to isolate them quickly if they become compromised. Endpoint protection tips include:
- Create and maintain a policy for patching and updates; keep up to date with patches and security updates.
- Create and maintain a hardware and software inventory; know what you have in your network.
- Limit user rights to make changes to endpoints.
- Access to sensitive information should be done in a secure manner, with data encrypted in transit and at rest.
- Use endpoint protection mechanisms (anti-virus, anti-spyware, software firewalls) that support centralised management and can be integrated with your network security controls and monitoring tools.
- Regularly back up important data in a safe manner (encrypt and secure data at rest and in motion); this mitigates the effects of ransomware attacks.
- Train your personnel
Security is only as good as its weakest link, which is often the people working in the business.
Users should be made aware of the importance of the security measures in place, what threats are out there and the triggers that should raise their suspicion. Simple things like:
- unsolicited emails with strange hidden links (think before you click)
- file attachments with generic but plausible-sounding names
Users should be given social engineering training and be aware of the techniques used. The training and education of personnel should be an ongoing process, not a one-time thing.
- Test, test and test!
The only way to really know your security level is to regularly test it!
Security tests should cover all parts of your environment and should be performed on procedures/processes, network equipment, endpoint systems and personnel. The range of tests should include:
- Formal security audits that look at procedures and whether they are being followed/enforced
- Automated vulnerability assessments, usually performed every 2-3 months and done internally
- Penetration tests: external annual security tests that usually give the most accurate picture of the company's security posture and of the effectiveness of all security measures deployed
- Social engineering tests on personnel: attempts to get employees to disclose sensitive information to non-authorised people, either via phone or in person, or to gain physical access to company restricted areas
Speak to one of our Experts?
We help businesses of all shapes and sizes in protecting their vital IT assets. For a consultation with our team as to how we can help protect you from a cyber breach, simply get in touch for a free, no-obligation conversation. Alternatively, our free downloadable guide offers more insight into avoiding (and surviving) a cyber-attack.