If you're using October – National Cyber Security Awareness Month – to take a hard look at your security practices, policies, procedures and systems, we'd like to offer a starting point for a security checklist, examining some of the key considerations from a people, process and technology viewpoint.
People: Disgruntled or uninformed employees are one of the biggest risks to any organization. An unhappy employee with access to IT systems and applications can wreak havoc in an organization, especially those employees who work in IT and have privileged administrative rights. Uneducated employees are prime targets for phishing attacks or other social engineering tactics used to gather information, access and online credentials.
- Have all my employees done cyber security training? Training needs to be part of the on-boarding process for new employees and should be done for all employees at least once a year. Many organizations choose to add additional security training (and testing) by secretly putting employees in situations to test how they would respond. For example, by planting USB drives on the ground or floor around or in the office, the security team can test employee knowledge and practice of USB use and security.
- Consider background checks. Many businesses and organizations require background checks before they hire an employee or accept a volunteer. There are several services available to consider if you feel it's needed for your business.
- Physical security plays a role. Although it technically may not be considered cyber security, physical control of who enters the workplace is important for both personal safety and cyber safety. It keeps the wrong people out of a building where computers may display applications and data or files may be on desks with useful hacking information. Having physical security in place can even help with forensic work if there is a breach. Ask yourself: Even though we use gates and badges, are employees "sneaking in" behind the car in front of them when the gate goes up? Are all employees scanning their badge or is a group walking in together as one employee opens the door?
- Third-party partners can be the overlooked risk. If you outsource any of your work to third parties and they have access to your IT systems, this is a risk factor that must be addressed. Some of the biggest breaches have been attributed to bad actors getting in via a third-party partner credential. Sit down with your partners and make sure their security is acceptable for your policies and ensure there is a security clause in your contract with them.
Process: Various processes can add layers of security and control, making it more difficult for bad actors to impersonate an employee or use their credentials. Other processes are mandatory to address regulations and guidelines.
- Two-step or multi-factor authentication. This also can be considered under technology, but the process of using at least two factors to access your systems and data is a must-do in today's computing environment.
- Keep passwords unique and don't reuse them. Passwords are here to stay, at least for the foreseeable future, so make sure you practice good password hygiene and use strong passwords or phrases that are long, easy for you to remember, but hard for anyone else to figure out.
- Compliance. If your company is governed by regulations, are you meeting all the audit demands? The regulations are often presented clearly; it's up to you to put the processes and procedures in place to meet them.
Technology: Today everything is Internet connected. The technology you are protecting from intrusion and tampering ranges from routers, VPNs, computers and mobile devices to databases and servers, cloud services, software applications, copiers and printers, and more.
The team at the National Cyber Security Alliance and U.S. Department of Homeland Security has assembled a great technology checklist to use year-round, not just during National Cyber Security Awareness Month. It provides a comprehensive list of technologies you need to think about and tips for protecting them. If you don't have a cyber security technology checklist, it's a great place to start. You can download it here: https://staysafeonline.org/wp-content/uploads/2017/09/Technology-Checklist-for-Businesses.pdf.
Cyber security is not something you want to leave up to chance. Questions? Would you like to request a consultation to see how ZZ Servers can support your cyber security needs? Contact us today.