When you leave your house to go shopping I am sure you lock your door on the way out. You may even set your alarm. Once at the mall you lock your car and maybe park under a light if you know it will be dark when you leave. These are simple steps to make sure the things you care about stay safe. So the question can be asked: if you keep your personal life safe, shouldn’t you follow the same approach for IT security?
There is an old saying, “Security never goes out of style,” and no matter what the latest technology trend might be, security is always part of the conversation. Your company is responsible for a number of different types of sensitive information. Common items include personally identifiable information about your employees, your organization’s financial information, customer data and your organization’s intellectual property, just to name a few.
Yet you would be surprised how many times I see a company effectively leave their “keys in the door” when it comes to IT security.
What can you do to improve your overall IT Security?
It has been said that the only secure network is one that is unplugged, but there are a few simple steps you can take to protect your company’s data. It comes down to following a few simple best practices and using a handful of tools to help keep the door closed. Today’s hackers continue to become more and more sophisticated. Threats can include hackers phishing for user passwords and data, using ransomware to hold your data hostage, and good old-fashioned social engineering, where psychological manipulation is used to get a user to give up their passwords or provide sensitive information and breach IT security.
Below are a few steps you can take to decrease the chance of a security breach.
- Employ Identity and Access Control: Most business environments have a corporate domain which leverages a central user directory. Typically this is a directory based on the Lightweight Directory Access Protocol (LDAP) or Microsoft’s derivative, Active Directory (AD), used on Windows networks. These directory services allow you to control your users and their access to resources found on the network. Users can be removed or disabled with a simple click.
- Use Anti-Virus/Anti-Malware: The biggest threat to IT security begins within your user community, not externally. Make sure your users have licensed anti-virus and anti-malware software. I cannot tell you how many times I have walked up to a PC that hasn’t been renewed and has gone months without receiving security updates.
A lot of these tools go beyond just anti-virus and anti-malware. AVG, for example, has a Business Edition that also alerts you or your network administrator when an attack occurs, has a firewall for the desktop, scans websites you surf and alerts you if a site is suspicious, and protects you against malicious downloads.
- Use a Network Firewall: Make sure you’re protected at the edge of your network, where you connect to the public Internet. Also, ensure your firewall is business class; leave your Linksys and Netgear SOHO routers where they belong, at home. Vendors like Fortinet, Dell SonicWall, and Cisco provide economical business-grade firewalls that provide Intrusion Prevention Services (IPS), allow for port forwarding of critical services like web and email, and log activity. A network firewall is at the core of your IT security plan.
- Scan your E-mail: For those who have already gone to the cloud and use Office 365 or Google Apps for e-mail, this service is generally built into those offerings. If you still host an e-mail server at your location or use POP mail, you should consider a filter to block spam, malicious code, and phishing attacks that can enter your environment via your e-mail.
This filtering can be done with an on-site filter like the Barracuda E-mail Firewall, or with a hosted service like Trend Micro or Proofpoint. Additionally, many of these solutions can be configured, or have add-ons, to let you send encrypted e-mail when you need to send sensitive information.
- Protect the Web: Make web surfing safe for your entire organization with a web filter. These filters have standard rules that can be easily applied to block sites hosting pornography, weapons, or content with anti-Semitic and racial overtones that can contribute to a hostile workplace, and they can also be tuned to block “time wasters” like social media, shopping, entertainment and other sites.
These filters also block threats coming into your environment via the web. A web filter can block file uploads, preventing employees from taking corporate data and saving it to unsanctioned cloud file storage services like Dropbox and Box.net. These filters are often an optional service that can be applied to your firewall, or they can be purchased as a standalone software package, but either way they serve as a critical step in an overall Data Loss Prevention plan.
- Back up your Data: Yes, you have heard this one before, yet it is still not done regularly. Most corporations back up files from a central location, with many employing automated off-site backup services to support the need for disaster recovery. Where most IT departments stop is at your desktop. If you are one of those people who save files on your desktop or create new folders in “My Documents”, there is a good chance that data is not protected. Always save your files to the corporate network shares if you want to rest easy.
If you work from a home office and don’t connect to a corporate network, this burden is now on you! Make sure you back up your data to an external drive or use an online service like Carbonite. Backup is often the most overlooked component of an overall IT security plan.
These are a few steps you can take to better protect your critical information. I will be posting in the future on some advanced security tools you can use to better monitor and contain threats to your network environment. Be aware that tools cannot substitute for common sense; be sure to educate yourself and your staff to understand what data is considered sensitive and how to handle that data. Also, I recommend you have an acceptable use policy for your users, both to communicate what is acceptable use of the business tools and to protect you if you need to release someone for improper use of your IT assets.