Cyber security tips to protect your organization
(Last updated on February 11, 2020)
We’re kicking off cyber security awareness month with a very special blog post! Our resident IT pro Darren James is with us to discuss organizational security, and what you can do to protect your infrastructure in today’s threat landscape.
What are some of the security concerns businesses face today?
Data loss is a huge topic now! We still have the obvious things like ransomware, and bad passwords, but mostly it comes down to access control. How do you protect your company data from being stolen by someone plugging in a USB stick and stealing confidential company files? Even if there’s no malicious intent, losing sensitive files copied to an external disk/stick puts your company at risk.
Reputation and financial losses here are huge, especially if the data loss impacts the public, or the data of another company.
So what can a company do to reduce these threats?
Better password policies with multi-factor authentication (wherever it is possible). There are also the classic best practices such as reducing domain/local admin rights in favour of delegation. The goal is to ensure that the right users can access the right resources at the right time, and for the right reason. I have a few recommendations, including:
- Use group policy to restrict what users can do on their domain-joined machines – block USB and whitelist only programs that can be run
- Keep your antivirus definitions up-to-date
- Keep your machines patched
- Review firewall rules regularly
- Implement rights management on files so that they cannot be shared without specific permission
- Encrypt sensitive information and hard drives of roaming PCs
- Implement a mobile device management solution for any non-Windows/BYOD machines
- Use a virtualisation solution to maintain control of company data
- Have better physical security – secure data centres, server rooms, secure backup servers/tapes, use port security on your switches, etc.
- Create a security awareness training program with a focus on helping users identify phishing and social engineering attacks
How can organizations protect themselves against the poor password choices made by their users?
If your company still uses passwords, then it’s all about user awareness and training. Users have a knack for using poor passwords, even when required to create a passphrase. With the right tools in place, you can create a policy to reduce that risk. The key here is finding a balance between security and usability – if the password policy is too stringent then users will resort to writing them down. You should also provide a simple and secure way for your users to reset their own passwords. Ideally that system should be in place before the new password policy is applied, to mitigate any impact the new policy might have on the service desk.
Another good practice is a proper password audit performed by an ethical hacking company, or internally by IT staff (once you have approval from the boss). This will highlight any weak passwords, and allow you to block future use with a password dictionary. Be sure to include words that relate to your organization (e.g. business names, addresses, towns, and local sports teams) in your password dictionary.
Finally, remember one size does NOT fit all. Create a unique password policy to suit the different roles in your organization. The people who work on the factory floor normally do not need to protect their account the same way as someone in the legal, finance, or IT department. Speak to the business, and come up with a policy that meets their needs, and the security requirements you need.
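The two closing recommendations above, an organization-specific password dictionary and a role-based policy, can be combined into a single policy check. The following is an added illustration written for this page, not code from the original post, its author, or any product. The dictionary words, role names and minimum lengths are constructed placeholders; a real deployment would populate the dictionary from the password audit and from the organization's own names, addresses, towns and local teams.

```python
"""Role-aware password policy check with an organization-specific dictionary.

Added example, not from the original post. Two checks are applied:
  1. a minimum length that depends on the user's role, and
  2. a dictionary of organization-related words that must not appear in the
     password, matched after undoing common character substitutions such as
     '0' for 'o' or '@' for 'a', so that 'Spr1ngf!eld2020' is still caught.
"""

# Constructed sample dictionary (hypothetical company, town, site and team names).
ORG_DICTIONARY = {
    "examplecorp",   # hypothetical business name
    "springfield",   # hypothetical town
    "riverside",     # hypothetical street / site name
    "rovers",        # hypothetical local sports team
    "password",
    "welcome",
}

# Illustrative role-specific minimum lengths; the values are assumptions.
ROLE_MIN_LENGTH = {
    "factory": 10,
    "finance": 14,
    "legal": 14,
    "it": 16,
}
DEFAULT_MIN_LENGTH = 12

# Common substitutions users make to sneak a blocked word past a naive filter.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(password: str) -> str:
    """Lower-case the password and undo common character substitutions."""
    return password.lower().translate(LEET_MAP)


def dictionary_hits(password: str, dictionary=ORG_DICTIONARY) -> list[str]:
    """Return the blocked words (4+ characters) found inside the normalized password."""
    norm = normalize(password)
    return sorted(word for word in dictionary if len(word) >= 4 and word in norm)


def check_password(password: str, role: str, dictionary=ORG_DICTIONARY) -> list[str]:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    min_len = ROLE_MIN_LENGTH.get(role, DEFAULT_MIN_LENGTH)
    if len(password) < min_len:
        problems.append(f"shorter than the {min_len} characters required for role '{role}'")
    hits = dictionary_hits(password, dictionary)
    if hits:
        problems.append("contains blocked organization words: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    # Constructed sample candidates; none are real credentials.
    for candidate, role in [("Spr1ngf!eld2020", "finance"),
                            ("Tr0ub4dor&3", "factory"),
                            ("Welcome1", "it")]:
        verdict = check_password(candidate, role) or ["ok"]
        print(f"{role:8s} {candidate!r}: {'; '.join(verdict)}")
```

The normalization step matters more than the word list itself: a dictionary that only matches exact lower-case strings is defeated by the first user who writes the town name with a zero in it. Keeping the per-role lengths in one table also makes it easy to show the business exactly what each group is being asked to do, which is the conversation the answer above recommends having.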