We live in a world where almost every device is connected to the internet, and each of these devices is a potential target, because every organization holds data that is sensitive in some way. This data could be your company’s personnel records, internal emails, or even the secret plans for your next big product. Historically, many companies only thought about IT security when their business fell under regulatory compliance, for example when they had to meet specific requirements for PCI or HIPAA. IT security, however, is something every organization should be looking into. How harmful would it be to your organization if your data fell into the wrong hands? Did that grab your attention?
Here are some small steps you can take to help protect your organization:
Use Strong Passwords
In 2017, “123456” and “Password” were ranked as the top two among a list of the 25 most commonly used passwords. Using weak passwords will increase the risk of being compromised and the potential loss of data within your organization. Below are some recommended password requirements and guidelines:
- Make sure your passwords are at least eight characters long (the longer, the better).
- Use at least three of the four character types (UPPER, lower, number, or symbol).
- Do not include your first name, last name, username, or initials in your password.
- Avoid using passwords that may be easy for others to guess. For example, your pet’s name, child’s name, etc.
You may also want to consider requiring your users to change their password every 90 days and prevent them from reusing their last five passwords. Most modern operating systems and online services have settings you can adjust to enforce the use of strong passwords.
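The rules listed above can be enforced mechanically. The following is an added example, not code from the original post: a small Python policy checker that applies the length, character-type, personal-information and password-history guidelines exactly as stated (eight characters, three of four types, no name/username/initials, no reuse of the last five). The `UserContext` class, the message wording and the sample user "John Doe" are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Policy constants taken from the guidelines in the post.
MIN_LENGTH = 8
MIN_CHARACTER_CLASSES = 3
HISTORY_DEPTH = 5


@dataclass
class UserContext:
    """Constructed holder for the user attributes a password must not contain."""
    first_name: str
    last_name: str
    username: str
    # Demo only: kept in plaintext so the example is self-contained. A real
    # system would verify the candidate against each stored history hash
    # using the same password-hashing function it uses for logins.
    previous_passwords: List[str] = field(default_factory=list)


def character_classes(password: str) -> int:
    """Count how many of the four character types (UPPER, lower, digit, symbol) are present."""
    patterns = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def initials(user: UserContext) -> str:
    return (user.first_name[:1] + user.last_name[:1]).lower()


def check_password(password: str, user: UserContext) -> List[str]:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = character_classes(password)
    if classes < MIN_CHARACTER_CLASSES:
        problems.append(
            f"uses only {classes} of the 4 character types (need {MIN_CHARACTER_CLASSES})"
        )

    # Case-insensitive substring check for personal information. Initials are
    # only two letters, so this is the strictest reading of the guideline.
    lowered = password.lower()
    personal = (
        ("first name", user.first_name),
        ("last name", user.last_name),
        ("username", user.username),
        ("initials", initials(user)),
    )
    for label, token in personal:
        if len(token) >= 2 and token.lower() in lowered:
            problems.append(f"contains the user's {label}")

    # Block reuse of the last HISTORY_DEPTH passwords.
    if password in user.previous_passwords[-HISTORY_DEPTH:]:
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")

    return problems


if __name__ == "__main__":
    # Constructed sample user and candidate passwords.
    user = UserContext("John", "Doe", "jdoe", previous_passwords=["Winter2023!"])
    for candidate in ("123456", "Password", "JohnDoe2024!", "Winter2023!", "Tr0ub4dor&3!"):
        result = check_password(candidate, user)
        verdict = "OK" if not result else "; ".join(result)
        print(f"{candidate!r}: {verdict}")
```

Running the block prints a verdict for each constructed candidate; only the last one passes every rule. The same function can be called from an account-creation or password-change handler, and the personal-information and history checks are the two that built-in OS complexity settings most often leave out.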
Encrypting Mobile Devices
Most employees travel with at least two mobile devices, usually a laptop computer and a smartphone, and some also carry a tablet. Each of these devices, at a minimum, may have access to your organization’s email system, so the loss of one of them could allow unauthorized access to your data. Encrypting your mobile devices is an inexpensive way to prevent loss of data if a device is lost or stolen. Most devices have full disk encryption built in: Apple macOS has FileVault, and Microsoft Windows has BitLocker. Most Apple and Android phones have built-in encryption, and many of them now ship with this feature already enabled. Enabling encryption is one small step that can make a significant difference in your security footprint.
Keep your Devices Updated
New software vulnerabilities are being discovered every day. Apple and Microsoft release patches for their operating systems at least once a month, and smartphone and tablet patches are published several times throughout the year. It is critical that you keep all of your devices patched with the latest software updates as they are released. Larger organizations with a large number of devices may want to consider deploying a third-party patch management system. You may also want to deploy vulnerability scanning software, which will help you identify vulnerabilities in your installed software as well as potential weaknesses in equipment configuration.
Implement Antivirus Software
Antivirus software is your first defense against viruses and malware. An infected system could provide a backdoor into your organization, cause your information to be leaked, or even prevent you from accessing your data (e.g. ransomware). I have witnessed several organizations that have let their antivirus software expire and never renewed it. Doing so will leave your systems vulnerable to new threats. The ten antivirus applications for 2018 are found here.
Backup your Data
Ransomware is becoming more prominent and is impacting more and more businesses each year. Ransomware encrypts all of your data and demands that you pay a ransom before you can regain access. Even if you pay, there is no guarantee that access to your data will be restored. Your best defense is to maintain a backup of all your data. Having backups allows you to restore a version of your data from before it was infected and encrypted. Tripwire released an article on the ten most significant ransomware attacks of 2017. You can find the article here.
Train your Employees
What your employees do and don’t do is the most significant threat to your organization’s information and assets. Educating your employees is inexpensive and delivers the most significant and long-lasting improvements to your IT security. There are online resources you can use to develop your security awareness training program. Additionally, there are paid online services offering advanced features such as social engineering tests.
The items above are just a few of the measures you can implement to improve IT security within your organization. This is by no means a complete list, but one thing to keep in mind is that IT security will always be an ongoing process. There is no finish line. There will always be new threats, and new policies and procedures you can look into deploying to mitigate them, now and in the future.