Q: What are a few vital IT Security controls that I should implement in my organization?
A: Now, more than ever, preventing data breaches and data loss is vital to any organization. From the all-too-common threat of ransomware (an attacker encrypts your business data and demands payment to restore it) to a lack of appropriate IT controls and vetted vendors, business-critical data is clearly exposed to risk.
To avoid exposing your critical business data to these risks, start by implementing the following controls:
- Up-to-date and Reputable Anti-Malware Software
  - Ensure that all business assets have a reputable, up-to-date anti-malware solution installed and centrally managed across the organization.
- Install the Latest Operating System Updates
  - Ensure that all assets are scheduled to install the latest security patches from their respective vendors, especially for operating systems. To go a step further, maintain a test group of workstations that receives patches first, so that incompatible patches are caught before they are rolled out to all assets.
- Clean Desk Policies
  - Ensure that staff members are not writing down their network credentials (usernames and passwords) on sticky notes at their desks.
- Off-site Data Redundancy
  - Ensure that your critical business data is backed up to an off-site location, whether a reputable cloud-based storage solution or a redundant secondary site owned by your organization.
- Change Management
  - Ensure that all production assets have the necessary change management tickets and approvals for any reboots, patching, upgrades, changes, or replacements.
- Create and Update Policies and Procedures
  - An up-to-date Disaster Recovery/Business Continuity Plan, Acceptable Use Policy, and other policies and procedures can make or break a business when it comes to preventing a disaster or recovering from one. Create formal policies, update them regularly, and test them to confirm they work as intended.
- Seek Reputable Vendors
  - Ensure that all of your vendors have appropriate IT security measures in place. Ask your vendors the necessary questions and request evidence so you can judge how robust their IT security is.
- Ensure that all company assets (laptops, phones, tablets) that contain company or customer data are asset-tagged and encrypted.
- Force password changes on a regular basis.
- Automatically lock computers after a set idle period.
- Implement two-factor authentication.
- Train Staff
  - Train your staff on phishing, ransomware, and general IT security awareness. Basics such as locking the computer when away from the desk, not leaving laptops in plain view in a parked car, and not propping open doors that could admit unsupervised visitors are just a few common-sense reminders to pass on to your team.
You can never be too secure, but starting with the short list above is a great step in the right direction.