Part 2 of a two-part series on security basics. Last week, we focused on staff; this week, we give a security basics overview for managers.
Managers have a particular role to play in ensuring that the IT of their department or organisation is secure. Detailed knowledge of the technical aspects of cybersecurity is not a prerequisite for this role, but it is important to be familiar with the basic concepts and principles. Don't worry, however: these concepts are really not too difficult to get to grips with.
CONTINUOUS TRAINING
You should engage a reputable cybersecurity professional at regular intervals. The objective is to reinforce security basics at manager and employee level, and to raise awareness of recent security threats. A culture of security should pervade your organisation, and an important feature of this is that a staff member can approach you when they suspect they may have clicked on a potentially dangerous link. Unless they can report this without fear of negative repercussions, they are unlikely to volunteer the information, and the potential risk may go undetected. Here is an excellent (and free!) starter training course offered by ESET that you should provide to all your staff, as a basic security posture assessment.
POLICIES AND PROCEDURES
A system of very clear policies and procedures should exist, outlining the organisation's approach to security and how all staff are expected to comply with it. Include at least the following elements: customer data protection; a policy for onboarding new staff and offboarding former ones; data backup and retention; and staff training.
MULTI LAYERED APPROACH
Your security arsenal must comprise multiple levels of security, some of which are deliberately redundant. The objective is that even if one or more levels are breached, the remaining measures will most likely prevent a serious data breach. However, each layer should be treated as if it were the sole level of defence, to avoid any complacency. The various layers should cover:
- HUMAN – This is probably the most important level, and the one most often breached. Security at the human layer ensures that users are trained in threat awareness and follow company policy on email, internet, and data usage. The key point to remember is that a single user clicking on a malicious link can potentially compromise your network and data security.
- PHYSICAL – Ensure your IT assets are physically secured, e.g. the building is locked and alarmed, and the server is locked in a separate room or cabinet.
- NETWORK – Is your network protected by an industry-recognised firewall device, such as SonicWALL? A firewall is analogous to a secure perimeter fence around your property. Besides overall network security, its features include providing secure remote access to the network for remote workers, and restricting access to specific websites and types of websites.
- ENDPOINT/DEVICE – All computers and servers should be protected by enterprise-class anti-virus software such as ESET. In the past, we recommended encrypting drives only on mobile devices such as laptops, but we now recommend that all computer and server drives are encrypted. This provides much greater security than a Windows password alone.
- APPLICATION – All applications should be secured with complex, regularly updated passwords, as well as multi-factor authentication, to protect against compromised-password events.
- DATA – All critical data should be replicated or backed up to a separate location, in case it is accessed and encrypted. This may involve auditing how employees store their data and creating policies to ensure that data is saved to an agreed location, or ensuring the backup system covers that particular user's work habits. The backup routine should be tested regularly, and the recovery time objective (basically, how long you can expect your data to be unavailable in the event of a data breach or hardware failure) should be agreed and understood by all parties.
- PASSWORD POLICY – Use complex passwords for your various logins, don't reuse any, and refresh them periodically. Ideally, passwords should be at least 8 characters long and contain a mix of upper- and lower-case letters, numbers, and special characters such as ?.
While this may seem daunting to the uninitiated, the good news is that we can guide you through this process, or manage it entirely for you. Contact us today to learn more.