In today’s rapidly changing technological environment, having a minimum set of security practices is no longer sufficient to protect your company from malicious attempts, either internal or external. It is essential to have a well-defined information protection and risk management policy and a set of administrative and technical security controls.
In this article, I'll guide you through the most efficient practices and security controls which trusted service providers use to ensure they are adequately prepared to respond to any security-related incidents.
Core Information Security Principles
Maintain a properly functioning operating system environment to ensure that the information is available to authorised parties any time they need it.
Maintain the accuracy and trustworthiness of your information assets and protect them from being modified and tampered with by third parties.
Restrict access to any sensitive information to prevent it from being disclosed to unauthorised parties.
Major information security risks
While organisations are investing heavily in technology to ensure that they are protected against external cyber threats, their biggest security vulnerability is internal: their employees.
According to the Global Information Security Survey 2017-2018, 77 per cent of respondents consider a careless member of the staff as the most likely source of an attack. As long as employee negligence remains one of the biggest security threats, educating your personnel on the necessary information security practices and procedures is fundamental.
Viruses and Malicious Software
Viruses are one of the most destructive forms of malware widely spread through email attachments, infected websites, web ads or removable storage devices. Their scope encompasses numerous types of damage: from erasing data on your computer to hijacking or attacking other systems, sending spam, sharing illegal content, etc.
Apart from computer viruses, malicious software can be spread through a form of spyware (collects personal information and passes it on to third parties), adware (displays pop-up advertisements), fake security software, and browser hijacking software (changes the browser settings).
The damage from a successful cyberattack can be devastating. Huge financial losses (including regulatory and legal fines), an affected bottom line, loss of trusted customers, and network downtime are just a minor part of the negative effects an attack may bring. To avoid being victimised by hackers, companies must develop a set of comprehensive security measures and policies which we will discuss below in this article.
Zero Day Attacks/Exploits
A Zero Day Attack is a newly discovered form of attack which takes advantage of unpatched vulnerabilities that developers were unaware of or didn't have sufficient time to address. The term itself refers to the fact that hackers exploit the security flaw the same day it has been exposed.
To prevent this from happening, organisations operating with sensitive data should conduct regular penetration tests (at least once or twice per year) with the help of professional security analysts to reveal hidden vulnerabilities and test their system's resistance to hacking attempts.
Key steps towards better information security
The following steps are based on the best security practices dictated by the leading information security management standards such as ISO 27001.
1. Protect High Priority Assets
- Rank all information assets by importance and confidentiality - highly restricted, restricted, internal use, publicly available;
- Make sure all of your high priority assets are kept safe. These may include private databases, commercial information, source code, financial reports, etc. In some cases, the loss or modification of these assets may result in heavy regulatory fines.
- Ensure that your company's network, servers, and workstations are secure and protected;
2. Evaluate and Upgrade the Overall Security Level
- Attract a vendor to conduct a security assessment of your company's IT infrastructure;
- Conduct regular internal security audits at least once or twice per year (and external when necessary);
- Revise your information protection and technical security policies;
- Evaluate the potential security risks and create data mapping specifications;
3. Analyse end points
- Examine your third-party service providers (SaaS providers) - analyse who has access, what information is stored, whether all ports are protected, etc;
- Ensure that all devices are compliant with corporate requirements and the networks and servers which are bridged to clients’ devices are secure;
- Conduct internal security training sessions and audits to raise employee awareness;
4. Develop an incident response management system
You can never be 100 per cent sure that your security system is bulletproof since hackers are constantly improving their skills and developing new forms of attacks every single day. Therefore, you need to create system backups and develop an efficient security incident response plan.
This plan should include the following procedures:
- Define what is meant by an incident;
- Categorise the incidents and determine their scope and impact;
- Identify resources needed to respond to any of these incidents;
- Prepare incident management documentation and develop organisational and technical measures to mitigate the risks;
- Train the team for incident management procedures;
Must-have data security measures
Administrative controls are aimed at creating efficient guidelines and security standards for dealing with organisations’ sensitive information. Therefore companies need to define the scope, purpose, and key elements to develop a number of coherent security policies including:
- NDA policy
- Information protection policy
- Password policy
- Internet usage policy
- Corporate email policy
- System access policy
Technical controls are aimed at preventing overlap and restricting access to systems and confidential information. They encompass the following procedures:
- Implementation of access control mechanisms such as two-factor authentication;
- Network segmentation and segregation for private use on separate projects;
- Internet traffic monitoring via proxy servers;
- Centralised management of workstations using Microsoft Active Directory
Another important procedure is the implementation of the appropriate set of security defence systems to ensure the integrity and security of your data, programs, and operating systems. This set should include:
- Antivirus software - performs heuristic analysis to detect previously unknown computer viruses;
- Firewall - controls Internet traffic to protect your network;
- IPS and IDS (Intrusion Prevention and Intrusion Detection systems) - monitor your networks to detect any signs of violations or security threats and prevent the incidents from happening;
- Spam filters (email filters)
- DLP (Data Loss Prevention software) - allows large-scale companies to protect their data from unforeseen loss;
- SIEM (Security Incident and Event Management software) - provides real-time analysis of logs and events generated throughout the companies' IT environment;
Today information security is critical to the success of any organisation. Employee negligence and lack of necessary security controls may lead to huge financial losses and put your business reputation at stake. This is why companies need to constantly review and update their information protection policies and technical security measures as well as educate their personnel on incident response procedures. The above-mentioned practices and security controls will definitely help you shield your company and its sensitive data from intruders and facilitate the resumption of normal business operations at critical times.
Igor Tkach, CTO, Daxx
Image Credit: Wright Studio / Shutterstock