Open Mic | Jan 25, 2018, 12:08 PM
Information security: Fundamentals first, then improve on the basics
(page 1 of 2)
“What can be done to improve security?” is among the most common questions I hear in conversations with corporate executives and information technology managers, and I’ve developed some key ideas in answer to that question. Two key phases — fundamentals first and improve on the basics — provide an outline for action as business leaders at companies of any size prepare to grapple with one of the most important demands in business today.
Organizations should first ensure they have achieved a “90% level” of security accomplishment before they dive too deep into the myriad “advanced security” products and solutions offered in the marketplace. Focus on these three areas first:
- Identify critical data. Doing so will shape your entire approach to security. Understand what your most important data is, which systems it resides in, and how those systems are accessed. You need to know all three to know how best to protect it.
- Strengthen authentication. User identities are literally the keys that unlock access to your resources. Weak passwords and shared accounts are a very real security risk that should be addressed early. Leverage solutions that provide good password policies, self-service password reset, and multifactor authentication.
- Implement patching. The importance of applying security updates in a timely manner is often overlooked. Attackers can take advantage of new vulnerabilities faster than ever, so it is critical to deploy fixes just as quickly to close the window of opportunity. Use patch management solutions.
Improve on the basics
Once the core fundamentals of security are in place, you can begin to develop good practices to further mature your security posture.
- Evangelize security. Incorporate messaging about security awareness and best practices in your regular internal communications, which could include the company intranet, posters in the break room, or just weekly staff meetings. Avoid clichés and fearmongering, but provide advice on what to look for and what to do when something “isn’t right.” Consider engaging marketing and outside agencies for assistance.
- Encrypt data. Prevent unauthorized users from reading or changing company data by leveraging encryption both in transit (e.g., using secured transfer protocols such as “https” rather than “http”) and at rest (e.g., using tools such as BitLocker, which is included with Windows 10 Pro). A good encryption solution should be transparent to authorized users, improving security without burdening them with cumbersome processes.
- Leverage automation. Very often routine tasks are performed manually “because that’s how it’s always been done.” But these routine tasks consume human attention and are prone to mistakes, shortcuts, or unexpected changes over time. This makes it difficult to measure success, performance, and compliance with anticipated results. Automation saves time, improves consistency, and reduces the need for overprivileged access — all of which directly improve security.
- Monitor systems. Take a proactive approach to detect risks before they become disasters. Attackers are generally attempting to steal data, not disable systems, so a strategy of waiting for a service to fail before investigating problems will catch them far too late. Aggregate alerts and warnings into a centralized IT service management system that can assign and track progress on investigation and remediation.