Is your sensitive data secure? Cyber security best practices and ways to protect data are becoming the focus of discussion within companies. It takes only one look at the current headlines to understand why companies are so concerned with IT security. Constant reports of state-sponsored hacking attacks, denial of service attacks, ransomware, and leaks by malicious insiders reflect the cyber security threats that government organizations, education and healthcare institutions, financial firms, banks, law firms, retailers, nonprofits, and many other organizations are facing every day.
The number of successful high-profile attacks and data breaches is also indicative of the security weaknesses that many companies and organizations have. It’s no wonder that in our age of quickly evolving threats and ever-changing regulations, companies struggle to keep their data protected at all times. Information security is all about hard work and persistence – you need to make sure that your security has a solid foundation but also adapts well to new challenges.
While there are some basic network security measures that everybody is aware of, such as physically protecting your infrastructure, using firewalls and antivirus software, there are also very effective policies and procedures that not every company employs.
1. Employ a risk-based approach to security
The right approach is the key to effective cyber security. Unfortunately, many companies put too much focus on compliance, thinking that as long as they meet all regulations their sensitive data will be thoroughly protected. Such companies often take the approach of simply going down a checklist, crossing off requirements as soon as they’re met, and not putting too much thought into the risks that the company faces and how they affect the bottom line.
A much better approach is to form your data security strategy by prioritizing measures based on how much they will affect your bottom line. In order to do this, your best tool is a thorough risk assessment.
Here’s what a risk assessment allows you to do:
- Identify all valuable assets
- Identify the current state of cyber security in your company
- Identify the most pressing threats your data faces and how those threats may affect your bottom line
Fines for failing to comply with regulations, remediation costs for potential leaks and breaches, and the costs of missing or inefficient processes will all factor heavily into the final results of your risk assessment. Taking all of this into account will allow you to correctly prioritize your security and make sure that your security strategy serves the corporate bottom line in the best way possible.
2. Form a hierarchical cyber security policy
Why is a written cyber security policy important?
First, a written policy serves as a centralized, formal guide to all best practices for cybersecurity as well as all security measures used in your company. It also allows you to make sure that your security specialists and employees are on the same page, and gives you a way to enforce rules that protect your data. However, the workflow of each department can be unique and can easily be affected by needless cyber security measures.
This is why, while a centralized security policy can be very effective as a basic guideline for the whole company, it shouldn’t cover every process in every department. Instead, allow your departments to create their own security policies based on the central policy.
There are many benefits to staking out your security policies in such a hierarchical manner. By doing so, you make sure that the needs of every department are accounted for and that their workflows, and your bottom line, will not be compromised in the name of security.
3. Update your software
Why are software updates so important? The main reason is that the majority of malware out there doesn’t target new and unknown security vulnerabilities. Instead, it uses well-known exploits that have already been fixed in the latest versions in the hopes that companies haven’t updated.
So what keeps companies using old software? There are several reasons:
- Removed or altered functionality in newer versions may force staff to relearn or readjust established processes.
- Update processes may be too complex and may disrupt existing workflows.
- Updates may be too costly or even unavailable, forcing a company to switch to a more modern solution.
There are no easy solutions to these issues, particularly for legacy software. Despite the pain, updating is worth it in terms of your bottom line, as it allows you to prevent very costly breaches and leaks and helps keep your sensitive data protected.
4. Back up your data
Data backup is another basic security measure that has gained increased relevance in recent years. With the advent of ransomware – malicious software designed to encrypt all your data and block access to it until you pay a hefty sum for a decryption key – having a full current backup of all your data can be a lifesaver.
How can you best handle backups? You need to make sure that your backups are thoroughly protected and encrypted and that they are very frequently updated.
5. Use the principle of least privilege
Beware: having too many privileged users accessing your data is extremely dangerous.
Many companies, particularly smaller ones, tend to grant new employees all privileges by default. This allows employees to access sensitive data even if they don’t necessarily need to. Such an approach not only poses an additional risk in terms of insider threats, but also allows external hackers to get access to sensitive data as soon as any of your employee accounts is compromised.
A much better solution is to use the principle of least privilege, in other words to assign each new account the fewest privileges possible and to escalate privileges as necessary. At the same time, when access to sensitive data is no longer needed, all corresponding privileges should be immediately revoked.
We realize that constant privilege management can be difficult and time-consuming, particularly for large companies, but there are a lot of access management solutions on the market that can make it easier. In particular, one-time password functionality can prove a lifesaver when it’s necessary to grant additional privileges to a regular user.
6. Use two-factor authentication
Two-factor authentication is an important security standard when it comes to account protection. It employs an additional physical device, such as a security token or a mobile device, to confirm the identity of the person behind the screen. This authentication method provides a very reliable login procedure as long as the secondary device doesn’t get lost or stolen. As an added benefit, it also allows you to clearly distinguish among users of shared accounts, making access control easier.
7. Handle passwords securely
While two-factor authentication provides a great safety net in case a password is compromised, it’s still not an excuse to not follow best practices regarding password handling.
The first thing you need to know is that passwords need to be long, complex, and fully unique.
Here are the main things you should consider regarding password handling:
- It’s better to use a longer, easy-to-remember phrase as a password than a short string of random characters.
- Each password needs to be fully unique – make sure to prohibit your employees from using their passwords on other accounts.
- Prohibit your employees from sharing credentials with each other. While it may be more convenient for them, it is extremely unsafe.
All passwords should also periodically be changed. Since you may not even know if your password has been compromised, it’s very dangerous to keep using the same one for a long time. The best way to go about changing passwords is to automate password changes for the whole company, requiring employees to enter a new password after a set period of time.
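The three points above (prefer length over a short random string, refuse reuse, rotate on a schedule) can be enforced at the point where a password is set. The following is an added example, not code from the article: a length-first policy check, salted PBKDF2-HMAC-SHA256 storage so the plaintext is never kept, and a reuse check against the account's recent hashes. The minimum length, the iteration count and the history depth are assumed values (the article gives no numbers) and should be tuned to your own policy and hardware.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

MIN_LENGTH = 14              # assumed policy value: favour length over character classes
PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise it as hardware allows
HISTORY_DEPTH = 5            # assumed number of old hashes kept per account

PasswordRecord = Dict[str, bytes]   # {"salt": ..., "hash": ...}


def check_policy(password: str) -> Tuple[bool, str]:
    """Length-first policy: a long passphrase passes, a short 'complex' string does not."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(set(password.lower())) < 6:
        return False, "too repetitive"      # rejects padding such as 'aaaaaaaaaaaaaa'
    return True, "ok"


def hash_password(password: str) -> PasswordRecord:
    """Salted, deliberately slow hash; the plaintext is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(password: str, record: PasswordRecord) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest, record["hash"])


def is_reused(password: str, history: List[PasswordRecord]) -> bool:
    """True if the candidate equals any recently used password for this account."""
    return any(verify_password(password, old) for old in history)


def rotate_password(
    new_password: str, history: List[PasswordRecord]
) -> Tuple[bool, str, List[PasswordRecord]]:
    """Apply the policy and the reuse check; on success return the updated history."""
    ok, reason = check_policy(new_password)
    if not ok:
        return False, reason, history
    if is_reused(new_password, history):
        return False, "matches a recently used password", history
    updated = ([hash_password(new_password)] + history)[:HISTORY_DEPTH]
    return True, "ok", updated


if __name__ == "__main__":
    history: List[PasswordRecord] = []
    for candidate in ("P@ssw0rd!", "correct horse battery staple", "correct horse battery staple"):
        ok, reason, history = rotate_password(candidate, history)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected (' + reason + ')'}")
```

Reuse can only be checked this way against hashes the company itself holds; whether an employee uses the same password on an unrelated site is a matter of policy and training, not something this code can see.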
8. Change default passwords for your IoT devices
Many internet-enabled devices come with a set of default credentials hard-coded inside. Such credentials are usually freely available on the internet and widely known to perpetrators. Most malware targeting IoT devices looks for devices that keep using their default credentials in order to hijack them and add them to an army of bots that are ready to conduct massive denial of service attacks at the push of a button.
What can you do about this? The only way to make sure that your devices are protected from being infected is to change all default credentials as soon as possible. Make sure that your new passwords are fully unique and complex. It’s also a good practice to periodically change the passwords for IoT devices, although it’s best to fully automate this process.
9. Keep an eye on privileged users
The best way to minimize the risks of an insider attack by privileged users is to limit their numbers. This is where the principle of least privilege comes in. You also need to make sure that any privileged accounts immediately get disabled whenever a person using them is terminated. More often than not, disgruntled employees retain access upon termination, allowing them to exact revenge for perceived wrongdoing.
If a privileged user is already stealing your data, however, it can be very hard to detect, considering that such malicious actions may be indistinguishable from everyday work. In this case, your best weapons are user action monitoring solutions. At the same time, the default logging capabilities of most business software and operating systems have their limitations, particularly when it comes to users with a high level of privileges.
The simpler and better way to detect malicious actions by privileged users is to employ user action monitoring solutions that are specifically designed to record any actions taken by such employees. Recordings allow you to quickly see all actions taken by a user in the original context, and thus determine whether these actions were malicious.
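Sections 5 and 9 above describe the same control from two sides: give new accounts only a baseline, time-box any elevation and revoke it when it is no longer needed, and make sure a terminated person's privileged account is disabled at once. The following is an added example, not code from the article: a small access directory that implements those rules, plus an audit that flags enabled accounts of terminated users, expired grants that were never cleaned up, and standing non-baseline privileges. The baseline set, the user names, the privilege names and the timestamps are constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

HOUR = timedelta(hours=1)
DEMO_START = datetime(2024, 1, 1, 9, 0)   # constructed timestamp for the demo


@dataclass
class Grant:
    privilege: str
    expires_at: Optional[datetime]        # None means standing (non-expiring) access


@dataclass
class Account:
    user: str
    enabled: bool = True
    grants: List[Grant] = field(default_factory=list)


class AccessDirectory:
    """Least-privilege directory: new accounts get only the baseline, every
    elevation expires, and the audit reports access that should already be gone."""

    def __init__(self, baseline: Set[str]) -> None:
        self.baseline = set(baseline)
        self.accounts: Dict[str, Account] = {}

    def create_account(self, user: str) -> Account:
        acct = Account(user, grants=[Grant(p, None) for p in sorted(self.baseline)])
        self.accounts[user] = acct
        return acct

    def elevate(self, user: str, privilege: str, hours: int, now: datetime) -> Grant:
        """Grant an extra privilege that lapses on its own; no open-ended elevation."""
        grant = Grant(privilege, now + hours * HOUR)
        self.accounts[user].grants.append(grant)
        return grant

    def revoke(self, user: str, privilege: str) -> None:
        acct = self.accounts[user]
        acct.grants = [g for g in acct.grants if g.privilege != privilege]

    def disable(self, user: str) -> None:
        """Offboarding: disable the account and drop every grant at the same time."""
        acct = self.accounts[user]
        acct.enabled = False
        acct.grants = []

    def has_privilege(self, user: str, privilege: str, now: datetime) -> bool:
        acct = self.accounts.get(user)
        if acct is None or not acct.enabled:
            return False
        return any(
            g.privilege == privilege and (g.expires_at is None or now < g.expires_at)
            for g in acct.grants
        )

    def audit(self, terminated: Set[str], now: datetime) -> List[Tuple[str, str]]:
        """Findings as (user, issue) pairs; an empty list means nothing to clean up."""
        findings: List[Tuple[str, str]] = []
        for user, acct in sorted(self.accounts.items()):
            if user in terminated and acct.enabled:
                findings.append((user, "terminated user still has an enabled account"))
            for g in acct.grants:
                if g.expires_at is not None and now >= g.expires_at:
                    findings.append((user, f"expired grant '{g.privilege}' not yet revoked"))
                elif g.expires_at is None and g.privilege not in self.baseline:
                    findings.append((user, f"standing non-baseline privilege '{g.privilege}'"))
        return findings


def demo() -> Dict[str, object]:
    """Constructed scenario: bob gets a 4-hour admin grant, then leaves the company."""
    d = AccessDirectory({"email", "wiki"})
    d.create_account("alice")
    d.create_account("bob")
    d.elevate("bob", "db-admin", 4, DEMO_START)
    before = d.audit({"bob"}, DEMO_START + 5 * HOUR)   # HR says bob is gone, IT has not acted
    d.disable("bob")
    after = d.audit({"bob"}, DEMO_START + 5 * HOUR)
    return {"directory": d, "findings_before": before, "findings_after": after}


if __name__ == "__main__":
    result = demo()
    for user, issue in result["findings_before"]:
        print(f"{user}: {issue}")
    print("after offboarding:", result["findings_after"])
```

The audit is the piece worth running on a schedule: fed the HR termination list and the current account store, it turns "more often than not, disgruntled employees retain access" into a concrete list of accounts to disable today.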
10. Keep an eye on third parties accessing your data
Nowadays, almost every company has a network of third parties working with it remotely. Remote employees, subcontractors, business partners, suppliers, and vendors – this is only a short list of people and companies that may access your data remotely. Third-party access not only provides a greater risk of insider attacks, but also opens the way for malware and malicious hackers to enter your system.
The best way to protect your sensitive data from any breaches via third-party access is to use temporary passwords. Temporary passwords allow you to limit the scope of access that third-party users have and allow you to make sure that you know who exactly connects to your network and why. User action monitoring should also be used in conjunction with one-time passwords in order to provide full logging of all user actions, allowing you to detect malicious activity and conduct investigations when necessary.
11. Be wary of phishing
It’s worth noting that insider threats don’t end with malicious employees. More often than not, well-meaning employees inadvertently help perpetrators by providing them with a way to get into your system. Perpetrators use phishing techniques such as spam emails and phone calls in order to find out information about employees, receive credentials from them, or infect systems with malware. Phishing has seen something of a resurgence in recent years, and today companies are drowning in spam emails containing malicious links.
So here’s what you need to do: get a properly configured spam filter and make sure that the most obvious spam is always blocked. Moreover, your employees need to be educated on the most popular phishing techniques and the best ways to deal with them in order to better protect themselves and your company’s data.
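A spam filter catches the obvious cases; a few header and link heuristics catch the more targeted ones and are also the tells you would teach employees to look for. The following is an added example, not code from the article or any particular filter product: a checker that flags a Reply-To domain that differs from the sender domain, a display name that impersonates an internal address while the real sender is external, a link whose visible text shows one host while the href points to another, and a link whose host is a raw IP address. The two sample messages, the domains and the finding labels are constructed for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)
IPV4_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    """Hostname of a URL; a bare domain without a scheme is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw_email: str, internal_domain: str) -> List[Tuple[str, str]]:
    """Return (label, detail) findings for one raw RFC 822 message."""
    msg = message_from_string(raw_email)
    findings: List[Tuple[str, str]] = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower() if reply_addr else ""
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"from {from_domain}, replies go to {reply_domain}"))
    if "@" + internal_domain in display_name.lower() and from_domain != internal_domain:
        findings.append(("display-name-spoof", f'"{display_name}" actually sent from {from_addr}'))
    if msg.get_content_type() == "text/html" and not msg.is_multipart():
        collector = _LinkCollector()
        collector.feed(msg.get_payload())
        for href, text in collector.links:
            href_host = _host(href)
            if URL_LIKE.match(text) and _host(text) != href_host:
                findings.append(("link-text-mismatch", f"shows {text}, points to {href}"))
            if IPV4_LITERAL.match(href_host):
                findings.append(("ip-literal-link", href))
    return findings


# Constructed sample: a credential lure (198.51.100.0/24 is a documentation range).
SUSPICIOUS_EMAIL = "\n".join([
    'From: "it-support@example.com" <alerts@mail-example.co>',
    "Reply-To: replies@example-support.net",
    "To: staff@example.com",
    "Subject: Password expires today",
    "Content-Type: text/html",
    "",
    "<p>Your password expires today. Sign in to keep access:</p>",
    '<p><a href="http://198.51.100.7/login">https://portal.example.com/login</a></p>',
])

# Constructed sample: an ordinary internal message that should produce no findings.
CLEAN_EMAIL = "\n".join([
    'From: "Alice" <alice@example.com>',
    "To: staff@example.com",
    "Subject: Notes from today",
    "Content-Type: text/html",
    "",
    '<p>The notes are on <a href="https://wiki.example.com/notes">the wiki</a>.</p>',
])

if __name__ == "__main__":
    for label, detail in phishing_indicators(SUSPICIOUS_EMAIL, "example.com"):
        print(f"{label}: {detail}")
```

None of these signals is proof on its own (newsletters legitimately use a different Reply-To, for instance), so they are best used to score a message for quarantine or to add a visible warning banner rather than to block outright.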
12. Raise employee awareness
Even if you have the best cyber security policies and procedures in place, your employees will ignore them in the name of convenience and productivity. Strict rule enforcement may make the situation better, but it doesn’t guarantee results and may even stress out your employees, costing you additional money.
The best way to deal with negligence and security mistakes by your employees is to educate them on why security matters. Raise awareness about cyber threats your company faces and how they affect the bottom line.
Make sure your employees know why certain measures are in place and why they’re important. Recruit them as part of your defenses, and you will see that the instances of negligence and mistakes will become less frequent. It’s much better to get your employees the proper training than to deal with a data breach caused by accidental actions.