Tip #1: Focus on Security Basics

People are most willing to embrace security when the concepts and technology are quick, hassle-free and easy to understand. That is why a focus on security basics goes a long way.
"By embracing the basics of security hygiene – two-factor authentication (2FA), password managers, and keeping devices and laptops updated – we’re teaching users that the security equivalent of simply washing your hands is simple, effective, and easy to do," explains Mike Hanley, Program Manager, R&D at Duo Security. "These basics are proven to defeat the most common attacks and prevent data breaches effectively. ... While these methods don’t always get the limelight that threat-focused measures receive, they are cost-effective and simple, and they help to reduce the strain on security and IT resources."

Cheryl Biswas, InfoSec I.T. Coordinator and Senior Writer at JIG Technologies, agrees that security, if recognized as an approachable process and ongoing commitment, can help safeguard against the dangers of what she calls Shadow IT and Shadow Data. "Things get plugged in that shouldn’t, whereas data gets handled and exposed that shouldn’t," Biswas clarifies. "To counter these occurrences, I would recommend that security personnel lay the following keystones in place and build around them:
- Passwords: These really are the keys to your kingdom. Have a good password policy in place, teach staff how and why to use it, and do routine checks to make sure that all your employees are on the same page.
- Patches: It is crucial that businesses of every size have a patch update program in place to ensure that all software and systems are updated regularly and that emergency fixes can be implemented as needed.
- Get a baseline in place: While you cannot expect to catch everything, if you know what your norm is, then you have an advantage when something deviates, and you can respond decisively. That’s security in action.
- Limit and enforce access: Not everyone needs access to everything, all the time. The fact is, the more exposure your data has, the more at risk it is. You can, and you must, put rules in place that allow most users access to only what they need. It’s good to request permission because that enforces a necessary system of checks and balances that underpin good security.
- Inventory and monitor: Know what you have, tag it, track it, and update what gets added to or removed from the system. This will help ensure you know what your baseline is for monitoring purposes. Additionally, it will help you rein in control of your organization's BYOD culture, should one exist."
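As an added example (not code from the article or from any of the people quoted), the following Python script shows what "get a baseline in place" and "inventory and monitor" look like when written down: a constructed approved inventory is compared with a constructed current snapshot, and the script reports unregistered hosts (the Shadow IT case), hosts that have disappeared, newly opened ports, and packages that have fallen below the patch program's minimum version. All host names, owners, ports and version numbers are hypothetical.

```python
import re

# Constructed approved baseline: hosts the security team knows about, the
# ports they are expected to listen on, and the package versions present at
# the last review. Names and versions are hypothetical.
BASELINE = {
    "web-01": {"owner": "platform", "ports": {22, 443},
               "packages": {"openssl": "3.0.13", "nginx": "1.24.0"}},
    "db-01": {"owner": "data", "ports": {22, 5432},
              "packages": {"openssl": "3.0.13", "postgresql": "15.6"}},
}

# Minimum versions the (hypothetical) patch program currently requires.
PATCH_FLOOR = {"openssl": "3.0.13", "nginx": "1.24.0", "postgresql": "15.6"}

# Constructed "current" snapshot, as a scanner or agent might report it:
# web-01 has grown a port and regressed a package; jdoe-nas was never registered.
CURRENT = {
    "web-01": {"ports": {22, 443, 8080},
               "packages": {"openssl": "3.0.11", "nginx": "1.24.0"}},
    "db-01": {"ports": {22, 5432},
              "packages": {"openssl": "3.0.13", "postgresql": "15.6"}},
    "jdoe-nas": {"ports": {445, 5000}, "packages": {}},
}


def version_key(version: str) -> tuple:
    """Turn '3.0.13' into (3, 0, 13) so versions compare numerically.
    Anything after a '-' (e.g. '-rc1') is ignored; adequate for a demo."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def _ports(ports) -> str:
    """Render a set of ports in a stable, human-readable order."""
    return ", ".join(str(p) for p in sorted(ports))


def find_drift(baseline, current, patch_floor):
    """Compare a snapshot against the baseline.

    Returns (kind, host, detail) tuples in a stable order so that the output
    can be diffed from one run to the next and fed to a ticketing system.
    """
    findings = []
    # Shadow IT: devices talking on the network that nobody registered.
    for host in sorted(set(current) - set(baseline)):
        findings.append(("unregistered_host", host,
                         f"listening on {_ports(current[host]['ports'])}"))
    # Assets that vanished may be decommissioned, broken, or stolen.
    for host in sorted(set(baseline) - set(current)):
        findings.append(("missing_host", host,
                         f"owner {baseline[host]['owner']}"))
    # Known hosts: look for new listeners and packages below the patch floor.
    for host in sorted(set(baseline) & set(current)):
        new_ports = current[host]["ports"] - baseline[host]["ports"]
        if new_ports:
            findings.append(("new_port", host, _ports(new_ports)))
        for pkg, ver in sorted(current[host]["packages"].items()):
            floor = patch_floor.get(pkg)
            if floor and version_key(ver) < version_key(floor):
                findings.append(("unpatched", host, f"{pkg} {ver} < {floor}"))
    return findings


if __name__ == "__main__":
    for kind, host, detail in find_drift(BASELINE, CURRENT, PATCH_FLOOR):
        print(f"{kind:18} {host:10} {detail}")
```

Run as a script it prints one line per finding. In practice the baseline would be the tagged asset inventory and the snapshot would come from a network scan or an endpoint agent; the point is that nothing here is clever, and that the comparison only works if the baseline was recorded in the first place.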
Tip #2: Invest in Employee Awareness Training

When it comes to strengthening an organization's security posture, infosec personnel by themselves can only do so much, for they are not the only ones interacting with corporate networks.
"Employees make decisions every day that negatively affect their business’s security," explains Wolfgang Goerlich, Cyber Security Strategist at CBI. "As a result, we have known for a while that, to protect organizations, employees need online street smarts. However, the problem is that some in the industry treat employee awareness as a training concern or one-time activity. It is not. It is an ongoing cultural problem."

With this in mind, it is important to break employees' training up into separate units that each address an individual security topic. For example, as suggested by Adrian Sanabria, Senior Security Analyst at 451 Research, organizations should spend some time educating users on how to spot suspicious links and how they can use tools such as URLQuery.net to analyze potential threats. "Safe URL tips can be easily shared through a monthly internal newsletter," Sanabria observes. "We can complement these suggestions by publishing a list of free resources like URLQuery onto an internal intranet site for free use by employees. Sharing the links in this case doesn't go far enough; it's best to include instructions on using them properly."
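As an added illustration (not code from the article, from Sanabria, or from URLQuery.net), here is a small Python checker for the kind of red flags a newsletter can teach people to look for before they click: plain http, a "username" before an @ sign masquerading as the host, a raw IP address, punycode labels that can hide a lookalike name, and a familiar brand appearing in a host whose registrable domain is actually something else. The brand list and the sample URLs are constructed; the registrable-domain logic is a deliberate simplification noted in the code.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed list of domains the organization legitimately uses (assumption:
# its own domain and its bank). A real deployment would maintain this list.
KNOWN_BRANDS = ("example-bank.com", "example.com")


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Production code would consult the Public Suffix List so that hosts under
    suffixes like co.uk are handled correctly; two labels is enough to
    demonstrate the idea.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host: str) -> bool:
    """True if the host is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_url(url: str, known_brands=KNOWN_BRANDS) -> list[str]:
    """Return the reasons a link looks suspicious; an empty list means no red flags."""
    reasons = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme '{parts.scheme}'")
    elif parts.scheme == "http":
        reasons.append("plain http: no TLS, content can be tampered with")

    # "https://www.example-bank.com@evil.example/" is parsed as user
    # "www.example-bank.com" on host "evil.example"; the eye reads it backwards.
    if parts.username is not None:
        reasons.append("text before '@' is a username, not the site; "
                       f"the real host is '{host}'")

    if is_ip_literal(host):
        reasons.append("raw IP address instead of a hostname")

    # Internationalized labels are encoded as xn--...; a lookalike of a Latin
    # name can hide behind one.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label: possible homograph of a familiar name")

    # "www.example-bank.com.login-verify.net" contains the brand, but the
    # part that matters is the registrable domain at the end.
    rd = registrable_domain(host)
    for brand in known_brands:
        if brand in host and rd != brand:
            reasons.append(f"'{brand}' appears in the host but the site is really '{rd}'")

    if len(host.split(".")) >= 5:
        reasons.append("deeply nested subdomains")

    return reasons


if __name__ == "__main__":
    # Constructed sample links, one benign and three phishing-style.
    for sample in (
        "https://www.example-bank.com/login",
        "http://www.example-bank.com.login-verify.net/secure",
        "https://www.example-bank.com@203.0.113.5/login",
        "https://www.xn--exampl-bank-xyz.com/",
    ):
        print(sample, "->", check_url(sample) or "no red flags")
```

Each reason is written as a sentence a non-technical reader can act on, which is the part that matters for an awareness programme: the checker is a teaching aid and a first filter, and anything it flags is still a candidate for a proper lookup in a service such as URLQuery rather than a verdict.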
Tip #3: Encourage the Senior Leadership to Embody Organizational Security

Training employees in good security practices only goes so far, however, a fact that Tony Martin-Vegue, blogger and host of The Standard Deviant Security Podcast, readily appreciates:
"Companies can put in substantial effort and expend valuable resources in strengthening their security posture, but the truth is they will fail if there is not a strong and consistent tone delivered from the top," Martin-Vegue explains. "It’s very important for an organization’s senior leadership to be fully supportive and an enthusiastic advocate of security goals and objectives."

Executive leadership is integral for companies that opt to implement a "clean desk" policy, under which screens must be locked when unattended and laptops must be secured with cable locks. Executives set the example by following these behaviors themselves; if they resist, employees have no clear incentive to comply either. Business leaders who insist on risk analysis also contribute to a positive security culture at work: "Management that demands a rigorous and defensible risk analysis is able to make informed and sound decisions about security investments," states Martin-Vegue. "In the long run, this increases the security posture of the firm and has the nice byproduct of giving the security team a reputation of being credible. Gone are the days where saying 'This is High Risk!' is good enough to get budget approved. Demand quantitative analysis that demonstrates a solid return on security investment."