May 13, 2014
Are you responsible for your organisation's information security, or a part of it? It's no easy task. If you want to maintain organisation-wide information security, you'll need to actively consider the following 8 important tips. How many of these does your organisation think about?
1) Perform Regular Assessments
How often does your organisation run security assessments, like penetration tests? It's no good running assessments once every few years. Assessments need to take place regularly, otherwise new vulnerabilities will be missed. Large organisations are dynamic beasts, where the information security situation changes on a daily basis: new systems go live, old ones are patched or forgotten, and staff and suppliers change. A useful rule is to reassess whenever something significant changes, not just on a fixed calendar.
2) Protect Your Data
Make sure that only people who need access to sensitive data have access to it. Granting access to entire teams, or to groups who don't need it to perform their role, could result in unanticipated security challenges, for example an employee leaving and selling large amounts of sensitive information to competitors. Review access when people change roles or leave, not only when they join.

Another layer of protection that should be applied on top of this for confidential data is encryption. Make sure encryption is used, especially when data is transmitted to third parties. Your data is exposed to interception whenever it is communicated, especially over public networks, so use an encrypted transport and verify the other end's certificate rather than trusting the network.
3) Educate Everyone
Whether it's your CEO or the receptionist, they need to be educated on security best practices. That means knowing how to choose secure passwords, and avoiding other common threats. Every single employee in your organisation could be a potential vulnerability, even by innocently bringing in a USB stick they used at home.
4) Passwords Are a Bigger Threat Than You Think
Weak passwords are one of the biggest threats faced by most organisations. If your workforce isn't educated on password best practices, and your systems aren't designed to reduce the risk of password breaches, attackers can guess or brute force credentials quickly. On the system side that means storing passwords only as slow, salted hashes, throttling or locking accounts after repeated failures, and not revealing which usernames exist. Take a look at our post for some suggestions on tackling the password problem.
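The two system-side controls mentioned above, a slow salted hash and per-account throttling, can be seen working together in the following Python example. It is an added illustration, not code from the original post: the `AuthStore` class, its constants and the sample credentials are all hypothetical, and the hash parameters are chosen for a demonstration rather than as a recommendation for a specific system.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Hypothetical minimal credential store (added example, not from the original post).
# Control 1: passwords are stored only as salted scrypt hashes, which are slow to
#            compute, so an offline brute force costs the attacker real time per guess.
# Control 2: after a few failures an account is throttled with a back-off that
#            doubles per extra failure, so an online brute force stalls quickly.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # cost parameters (example values)
MAX_FREE_ATTEMPTS = 5                           # failures allowed before throttling
BASE_DELAY_SECONDS = 30.0                       # first lockout window
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}  # constructed sample list


def is_acceptable_password(password: str) -> bool:
    """Minimal policy: at least 12 characters and not on the common-password list."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


class AuthStore:
    def __init__(self) -> None:
        self._users = {}      # username -> (salt, digest)
        self._failures = {}   # username -> (failure count, time of last failure)

    def add_user(self, username: str, password: str) -> None:
        if not is_acceptable_password(password):
            raise ValueError("password does not meet policy")
        self._users[username] = hash_password(password)

    def lockout_remaining(self, username: str, now: float) -> float:
        """Seconds until the account may be tried again (0.0 if not throttled)."""
        count, last = self._failures.get(username, (0, 0.0))
        if count < MAX_FREE_ATTEMPTS:
            return 0.0
        delay = BASE_DELAY_SECONDS * 2 ** (count - MAX_FREE_ATTEMPTS)
        return max(0.0, last + delay - now)

    def verify(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'denied' or 'locked'. A locked attempt is not even checked."""
        now = time.time() if now is None else now
        if self.lockout_remaining(username, now) > 0:
            return "locked"
        record = self._users.get(username)
        if record is None:
            # Hash anyway so response time does not reveal whether the user exists.
            hash_password(password, b"\x00" * 16)
            ok = False
        else:
            salt, stored = record
            _, candidate = hash_password(password, salt)
            ok = hmac.compare_digest(candidate, stored)   # constant-time comparison
        if ok:
            self._failures.pop(username, None)            # reset on success
            return "ok"
        count, _ = self._failures.get(username, (0, 0.0))
        self._failures[username] = (count + 1, now)
        return "denied"


if __name__ == "__main__":
    store = AuthStore()
    store.add_user("alice", "correct horse battery staple")
    print(store.verify("alice", "correct horse battery staple"))   # ok
    for _ in range(MAX_FREE_ATTEMPTS):
        store.verify("alice", "guess")                              # denied x5
    print(store.verify("alice", "correct horse battery staple"))   # locked
```

Note that the lockout check happens before any hashing, so a throttled attacker cannot even make the server burn scrypt time, and that the counter is keyed per account; a real deployment would also track the source address so that one attacker cannot lock legitimate users out by spraying failures.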
5) Don't Over-Rely On The Firewall
A firewall is much like the five locks fitted to the front door of your house. The locks are great at stopping someone breaking in through the front door when it's locked, but they'll do nothing to stop an attacker from climbing in through the living room window.

Don't over-rely on your firewall. Whilst it will stop some attacks, it can't make up for vulnerabilities in the specific applications your organisation exposes through it, and it definitely won't stop everything: traffic the firewall is configured to allow, such as web or email, is exactly where application-level attacks arrive.
6) Think About Viruses
Viruses are a constant threat to organisations, big and small. By some estimates as many as one in ten email messages carries a virus, so don't put your organisation at risk. Viruses can destroy the integrity of computer systems, release confidential files and cost your organisation huge amounts in reparation.

Many of the costs of viruses are indirect, too. Cleaning up infections frustrates employees and disrupts their work, and system failures can result in lost customers. Ensure that employees are educated when it comes to viruses, and that your systems are set up to protect against them: keep software patched, run and update anti-virus protection, and limit which users can install software.
7) Backup, Backup, Backup
This shouldn't need to be said, but all valuable data needs to be backed up. If you think there's even the slightest chance that data is important, have it backed up. Backup solutions come down in price every year, and storage is now extremely cost effective for most purposes. There's no excuse for not having important data securely stored and recoverable. A backup that has never been restored is not known to be recoverable, so test restores regularly, and keep at least one copy somewhere an attacker or a fault on the main system can't reach.

Think about backup times, too. Your most important data should perhaps be backed up on the fly, as edits are made, with other files being backed up at regular intervals depending on how often they're edited and their importance.
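The "recoverable" part of the tip above is the one most often skipped, so here is a Python example of a backup that records a checksum manifest and then proves it can be restored. It is an added example rather than code from the original post; the function names, the archive format and the constructed sample files are all assumptions, and a real job would write the archive to separate, access-controlled storage.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

# Added example (not from the original post): back up a directory with a SHA-256
# manifest, then restore it into scratch space and compare every file against the
# manifest. The verify step is what turns "we have backups" into "we can recover".


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source: Path, archive: Path) -> dict:
    """Archive every file under source; return {relative path: sha256}."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source).as_posix()
                manifest[rel] = sha256_file(path)
                tar.add(path, arcname=rel)
    # Keep the manifest beside the archive so integrity can be checked later.
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, sort_keys=True))
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore into a scratch directory; return manifest paths that are missing or altered."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                # Refuse path traversal, absolute paths, links and devices before extracting.
                parts = Path(member.name).parts
                if member.name.startswith("/") or ".." in parts or not member.isfile():
                    raise ValueError("unsafe archive member: %r" % member.name)
            tar.extractall(scratch)
        for rel, expected in sorted(manifest.items()):
            restored = Path(scratch) / rel
            if not restored.is_file() or sha256_file(restored) != expected:
                problems.append(rel)
    return problems


def demo_roundtrip() -> list:
    """Build a constructed sample tree, back it up, verify; returns the problem list."""
    with tempfile.TemporaryDirectory() as workdir:
        source = Path(workdir) / "data"
        (source / "reports").mkdir(parents=True)
        (source / "notes.txt").write_text("quarterly figures (constructed sample)\n")
        (source / "reports" / "q1.csv").write_text("region,revenue\nnorth,120\n")
        archive = Path(workdir) / "data.tar.gz"
        manifest = make_backup(source, archive)
        return verify_restore(archive, manifest)


if __name__ == "__main__":
    print("restore problems:", demo_roundtrip())   # expect an empty list
```

Run the verify step from a machine other than the one that wrote the backup where you can, since the point is to learn that the copy is usable before the day you need it. The manifest also lets you detect tampering or silent corruption of the archive in storage.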
8) Protect Your Organisation From Employees
A lot of information security effort goes into protecting an organisation from external attackers, but what about employees? It's important that employees are considered a potential threat, whether malicious or simply careless. This means thinking carefully about who is granted access to what, and ensuring that security controls are implemented on internal systems as well as external ones, since a single phished workstation puts an attacker on the inside. It also means running assessments like penetration tests on internal applications, and ensuring that they are secure from internal attack.

Have any information security tips for organisations of your own to share? Post them in the comment section below.