1. Establish An Acceptable Use Policy

During assessments, I often find that organizations, especially those with a dozen or so employees, lack basic rules on Acceptable Use. It is almost as if they expect users to know what the rules are and what responsible behavior means when using company-owned devices and data, without ever formally explaining it to them. It is important that your Acceptable Use policy be extensive, direct, clear, and communicated to staff so that there is no room for misinterpretation. While we want users to have flexibility in how they use the tools available to them, they need to be aware of which pitfalls to avoid. Simply defining Acceptable Use rules leads to better outcomes, and users begin to feel they have a responsibility for protecting the organization’s technology assets. Having users buy into the company’s usage policy reduces security risk dramatically.

2. Have A Structured Approach to Maintenance

If you have technology assets of any volume, then a comprehensive plan to proactively support and maintain the system is necessary. Even in 2017, there are still organizations with significant amounts of sensitive data, major investments in servers, and sophisticated network equipment that approach management and support reactively, or not at all. It’s almost as if support is a cost they wish to avoid. However, organizations that perform no kind of proactive management will often have high-severity vulnerabilities. A security incident caused by this lack of management costs them far more money and stress than an actively managed system, which carries a much lower risk of a major incident occurring. Many companies that experience downtime and failures from ransomware could have avoided the incident if the vulnerability had been patched through proactive managed support.

3. Provide Regular Security Awareness Training To Staff

While having an Acceptable Use Policy is essential, it is also a good exercise to provide some kind of basic Security Awareness education to end users. The goal here isn’t to turn your staff into a team of network security experts, but rather to give them enough information to identify the incidents they could experience, how to report them to management, what the current trends are and how they apply to the organization, and so on. We want people to avoid incidents, but also to minimize the damage from potential incidents by recognizing them and responding accordingly.

4. Perform Regular Vulnerability/Risk Assessments

Even well-maintained systems have flaws. There are so many potential vulnerabilities, both at the PC/server level and from outside, that it is virtually impossible to patch them all proactively. New vulnerabilities are discovered regularly, and even diligent maintenance can lead to an important patch being missed for a variety of reasons. Regular vulnerability/risk assessments should be in place so that security issues can be found and fixed and adjustments can be made.

5. Make Security/Risk Management A Part of the Discussion During Transitions

In the rush to execute a new change, like replacing an end-of-life server or implementing a new application, some organizations fail to make security a part of the discussion. I recommend focusing on the workflow first. What is it about this particular technology change that enhances or supports the current workflow? Once that is identified, the next step is not necessarily to change the way people work, but to put security tools and policies around that workflow to improve risk management. To achieve that, we need to determine what sensitive data this new system handles and how we want to mitigate the risks associated with it before making big-picture changes.

Conclusion

While this is not an exhaustive list of ideas and practices to minimize security risk, my hope is that it provides you with a line of thinking that you can apply not just to the security risk ‘du jour’ but also to other risks that your organization hasn’t necessarily realized yet in the ever-changing landscape of security.