There has been a lot of news lately about security breaches, break-ins and data theft. Several of the more recent incidents combined weaknesses in technology with spear-phishing attacks to gain unauthorized access to sensitive data.
When it comes to security, there are two key areas of focus:
- The technology itself
- The people using the technology
Having the right technology, configured properly is good, but it isn't enough; you must also train your people.
The Technology Side
Making sure the technology is secure is half the battle. Let's start with the basics that are easy and relatively inexpensive to implement:
- Long, strong passwords on elevated accounts (domain and local administrators, service accounts), rotated on a schedule and immediately whenever one may have been exposed
- Don't reuse passwords across multiple accounts
- Set account lockout policies across all accounts and devices, and alert when an account is locked out (on a Windows domain, lockouts are logged as Security event ID 4740 on the domain controller that processed them)
- Run an antivirus solution that uses the latest scan engine, with definitions that are updated regularly
- Deploy application updates on a regular basis, not just for Microsoft products but for those "other" applications too: Flash Player, Adobe Reader, Java, Firefox, Chrome, etc.
- Regularly update firmware and embedded operating systems on servers, storage appliances, firewalls, switches, routers, printers, etc. Basically, if it is connected to the network, make sure it stays up-to-date.
- Resist the temptation to turn off the Windows firewall; keep it enabled even when the machine is connected to the domain
- Use a next-generation firewall with intrusion detection and prevention services that are updated regularly. These go a long way toward protecting your network from external threats, including some zero-day exploits.
- Disable protocols and services that aren't needed on servers and workstations, especially when they are Internet facing
- Encrypt portable devices (laptops, USB drives, phones) so a lost device is not a data breach
- Have an incident response plan and a disaster recovery plan, and make sure both have been tested
I could go on (and on, and on), but I’ll make that a topic for a later time.
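Several of the basics above can be checked from a script rather than by clicking through dialogs. The following PowerShell is an added example, not code from the original post: it audits a domain-joined Windows host for the lockout policy, the Windows firewall profiles, the antivirus engine and definitions, and recent lockout events. It assumes the RSAT ActiveDirectory module is installed, Windows Defender is the antivirus, the session is elevated, and, for the lockout-event part, that it runs on a domain controller. The thresholds (14-character minimum, definitions no older than 3 days) are illustrative assumptions, not rules from the post.

```powershell
# Added example: audit the "easy basics" on a domain-joined Windows host.
# Assumptions: RSAT ActiveDirectory module present, Windows Defender is the AV,
# elevated session; the 4740 check only sees lockouts on the DC it runs on.
# Thresholds below are assumed for illustration.

$findings = @()

# 1. Account lockout and password policy (domain default policy only;
#    fine-grained password policies are not inspected here).
try {
    $pol = Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop
    if ($pol.LockoutThreshold -eq 0) {
        $findings += "Lockout policy: threshold is 0, so accounts never lock out"
    }
    if ($pol.MinPasswordLength -lt 14) {
        $findings += "Password policy: minimum length is $($pol.MinPasswordLength) (assumed floor: 14)"
    }
} catch {
    $findings += "Could not read the domain password policy: $($_.Exception.Message)"
}

# 2. Windows Firewall must stay enabled on every profile, Domain included.
#    ($profile is avoided as a variable name because PowerShell reserves it.)
foreach ($fwProfile in Get-NetFirewallProfile) {
    if (-not $fwProfile.Enabled) {
        $findings += "Firewall: the '$($fwProfile.Name)' profile is disabled"
    }
}

# 3. Antivirus engine and definition freshness (Windows Defender).
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) {
    $findings += "AV: real-time protection is off"
}
if ($mp.AntivirusSignatureAge -gt 3) {
    $findings += "AV: definitions are $($mp.AntivirusSignatureAge) days old (last updated $($mp.AntivirusSignatureLastUpdated))"
}

# 4. Lockouts in the last 24 hours. Event 4740 is written to the Security log
#    of the domain controller that processed the lockout. In its EventData,
#    index 0 is the locked-out account and index 1 is the caller computer name.
$since = (Get-Date).AddDays(-1)
$lockouts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
    -ErrorAction SilentlyContinue   # no matching events raises an error; treat that as "none"
foreach ($evt in $lockouts) {
    $account = $evt.Properties[0].Value
    $caller  = $evt.Properties[1].Value
    $findings += "Lockout: '$account' locked out from '$caller' at $($evt.TimeCreated)"
}

# Report. Feed this into whatever alerting you already have (email, ticket, SIEM).
if ($findings.Count -eq 0) {
    Write-Output "No findings."
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it as a scheduled task and route the output to whoever handles alerts; a lockout line is the cue to call the user and confirm it was them, since a burst of lockouts against several accounts from one caller computer is what a password-guessing attempt looks like.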
The People Side
Even with rigorous security practices, your network isn't truly secure until your users are trained. Nor is it good enough to train someone once. Training needs to happen regularly and multiple times per user. Training outcomes also need to be tested.
When it comes to security training:
- Train everyone, even if your organization has people that don't use computers as part of their job. Discuss important topics, such as:
  - Password management and security
  - How to identify fake websites, phishing scams and other targeted attacks
  - What business should and should not be conducted over email
  - Mobile device security
  - How to properly handle data, including portable media
  - Reporting suspected threats (or mistakes)
  - Security for those users that travel, especially overseas
- Train regularly and repeatedly. Once a year should be a minimum. Schedule shorter meetings each quarter that review key topics, including areas where you feel your users need a refresher and keep it relevant by discussing recent or current events.
- Test your users' knowledge. Call your users and pretend to be "the new support guy or gal" - make sure you use an unknown or blocked caller ID. See if you can convince the user to give up their password or install software on their computer. Try the same thing via email.
The Balancing Act
There is a balance between security and usability, especially when working in the Small to Medium Business market. Make your network too locked down or too difficult to use and your organization will lose productivity, spend too much on IT support or, worse yet, your users will simply revolt and use their personal equipment to do their work. You'll also find your users' complex passwords written on sticky notes attached to their monitors. Be too relaxed and you risk viruses, ransomware, data theft or data loss. There is a balance, and finding it is an iterative process that weighs industry best practices against the business' goals and user needs.