Some time ago I wrote an article called “IT Security essentials for companies and small businesses”. I tried to pitch it to some companies that have to do with security and… nobody wanted it.
Good for me. My good friends from (ISC)2 have good connections to Computer World UK and they got the 600-word version published.
See the short version below. The long version (over 1400 words) will be published on (ISC)2’s blog.
It’s no secret that cybercriminals go where the money is. In particular, they go for targets that are easy to breach, as they get high rewards for minimum effort. Usually these targets are SMEs, as they generally have money and are easier to infiltrate. With that in mind, the tips below are designed to help companies not only survive in the cyber world, but also keep the attackers away.
Teach employees how to act and react
Companies often believe that security is the IT department’s responsibility. But end-users are easy targets through which attackers can gain easy access to corporate networks and digital assets. Commonly used techniques include malvertising attacks, spam and phishing emails, and third-party applications bundled with malware.
Also, people generally just want to get their jobs done. They often see security as something that slows their workflows down and, as such, disregard it. To overcome these hurdles, employees need to be properly educated on the threats out there and on why proper security matters.
No platform is safe, including Macs
The most frequently attacked operating system is undoubtedly Windows. But even if you are a Mac user, that doesn’t mean you’re safe. There is an increasing volume of malicious software out there for Macs (especially Trojans), as well as a rising number of vulnerabilities. Fortunately, there are plenty of security solutions to protect against these threats – even on mobile devices – and the good news is that the majority of them are completely free.
Up-to-date software is less vulnerable
Vulnerable programs are the most common vector for attacking victims and stealing personal data. Major cyberattacks such as Uroburos, Stuxnet, Duqu and Flame have all used known exploits in software. Also, major vulnerabilities in server software such as Poodle (in SSL) and Heartbleed (in OpenSSL) have been exploited, and in these cases it is not even known how long they were used or how much private information was stolen. Keeping programs up to date can help prevent these issues.
Filter web traffic, block suspicious sites
Filtering isn’t just about restricting access; it also means ensuring that traffic is cleaned up before it reaches the user. Even the most trustworthy websites can still infect their visitors, for example through third-party advertisements that exploit vulnerabilities in browsers or in Flash Player, Silverlight and other web technologies.
One of the certainties in life is that hard drives will fail; it is just a matter of time until a catastrophic hard drive failure happens. You should always back up, and encrypt any stored data, as you never know who may get access to the drives or tapes in future. Using a cloud-based backup service is another way to mitigate these risks. Here too, the most important thing to do before using such a service is to encrypt the data.
Encrypt devices and storage
The biggest data breaches happen for two reasons: careless employees lose devices containing confidential data, or hackers obtain access to the company’s infrastructure.
While the second is a very complex topic to address, the first one has a simple solution. First of all, policy should dictate that no confidential data, and especially PII (Personally Identifiable Information), should leave the company. Laptops should ideally have a power-on password and require a username and password to log in to the operating system. You can find tips on how to create good passwords here.
Sorin Mustaca, (ISC)2 member and CSSLP, Security+, Project+
All these and many more topics are in the free eBook "Improve your security" available here: www.improve-your-security.org.