2016 has already seen waves of large-scale security attacks and breaches, and the trend is not expected to reverse. Before Cyber Security Awareness Month 2016 comes to a close, companies should consider adopting several additional security measures and policies to protect themselves against known vulnerabilities and common attacks. Basic preventative action, above all patching known vulnerabilities before they are exploited, makes a network a less attractive target.
Sometimes it pays to think outside the box: if your work allows it, take some computers offline altogether. Use a stand-alone terminal, or a small set of them, that is not connected to the network to perform financial transactions. Connect these systems to the internet only to fetch patches and disconnect them again as soon as patching is complete; better yet, apply patches offline from DVD or CD-ROM if you can. Bear in mind that such a system is only as isolated as the removable media that goes into it, so scan every disc or USB drive before it is inserted.
Block certain sites
This isn’t too different from parental controls, and it narrows what an attacker can reach through employees’ browsers. Employees usually do not need access to social media sites, blogs, instant messaging, free-software download sites, P2P file sharing and other non-business sites, all of which are common routes for company data to leak out and for malware to come in. By allowing only categories of sites needed for work, you reduce the risk of spyware and malware entering the network through the browser. Filtering is not airtight, though: malware also arrives through e-mail attachments and through compromised legitimate sites, so treat it as one layer rather than a guarantee.
Monitor the network regularly
Review accounts and authentication logs periodically so that unauthorized account activity is detected early; the sooner it is detected, the sooner containment can begin and the less data and network integrity is lost. Look for bursts of failed logins, successful logins that follow such bursts, logins at unusual hours or from unexpected locations, dormant accounts that suddenly become active, and accounts that should have been disabled when an employee left. When suspicious activity is found, notify the affected employees immediately and isolate the affected system from the network. If the machine may need forensic examination, capture volatile evidence (running processes, open network connections, memory) before pulling the plug, because that evidence is lost once the system is powered off.
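To make the review described above concrete, here is an added example (not code from the original article) that runs three simple checks over SSH authentication log lines: a burst of failed logins from one source address, a successful login from an address that just failed repeatedly, and a successful login outside business hours. The log lines, the threshold of five failures in five minutes, the 08:00 to 18:00 business window and the year 2016 (syslog lines carry no year) are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in OpenSSH/syslog format; not taken from any real system.
SAMPLE_AUTH_LOG = """\
Nov  2 02:13:01 fileserver sshd[4312]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Nov  2 02:13:04 fileserver sshd[4313]: Failed password for invalid user admin from 203.0.113.45 port 51123 ssh2
Nov  2 02:13:07 fileserver sshd[4314]: Failed password for root from 203.0.113.45 port 51124 ssh2
Nov  2 02:13:11 fileserver sshd[4315]: Failed password for jsmith from 203.0.113.45 port 51126 ssh2
Nov  2 02:13:15 fileserver sshd[4316]: Failed password for jsmith from 203.0.113.45 port 51128 ssh2
Nov  2 02:13:20 fileserver sshd[4320]: Accepted password for jsmith from 203.0.113.45 port 51130 ssh2
Nov  2 09:15:44 fileserver sshd[4401]: Accepted publickey for jsmith from 10.0.5.23 port 40122 ssh2
Nov  2 23:41:10 fileserver sshd[4510]: Accepted password for mwong from 198.51.100.7 port 60001 ssh2
"""

# Matches the "Accepted ... for USER from IP" and "Failed ... for [invalid user] USER from IP" forms.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2016):
    """Parse one sshd log line into a dict, or return None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Assumption: syslog omits the year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "method": m["method"], "user": m["user"], "ip": m["ip"]}


def review_auth_log(text, fail_threshold=5, window=timedelta(minutes=5), business_hours=(8, 18)):
    """Return a list of (alert_type, subject, detail) tuples for the log text."""
    events = [e for e in (parse_line(line) for line in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    failures = defaultdict(list)   # source ip -> timestamps of recent failed logins
    already_flagged = set()        # ips already reported for brute force
    start, end = business_hours
    for e in events:
        # Keep only failures inside the sliding window for this source address.
        recent = [t for t in failures[e["ip"]] if e["ts"] - t <= window]
        if e["result"] == "Failed":
            recent.append(e["ts"])
            failures[e["ip"]] = recent
            if len(recent) >= fail_threshold and e["ip"] not in already_flagged:
                already_flagged.add(e["ip"])
                alerts.append(("brute_force", e["ip"],
                               f"{len(recent)} failed logins within {window}"))
            continue
        # A success right after a run of failures usually means the guessing worked.
        if recent:
            alerts.append(("success_after_failures", e["user"],
                           f"login from {e['ip']} after {len(recent)} failures"))
        # Interactive logins outside business hours deserve a look regardless of source.
        if not (start <= e["ts"].hour < end):
            alerts.append(("off_hours_login", e["user"],
                           f"login from {e['ip']} at {e['ts']:%H:%M}"))
    return alerts


if __name__ == "__main__":
    for alert in review_auth_log(SAMPLE_AUTH_LOG):
        print(*alert, sep=" | ")
```

The checks are deliberately cheap so they can run hourly over the previous day's log; the point is to turn "review accounts periodically" into something that is actually executed and whose output somebody reads. Tune the thresholds to the environment, and feed the same logic with VPN and Windows logon events where those exist.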
Educate the workforce
Cyber security changes constantly and online criminal activity is on the rise. Train employees periodically throughout the year about the risks of their online activity, both at work and at home. Distribute the company policy on cyber security and internet usage; the more awareness circulates around the office, the more vigilant the workforce becomes. The security policy should cover password requirements, how to recognise and report spam and phishing attempts, backups of work-related files, and the expectation that anyone who notices suspicious activity on the network speaks up.
Part of the security policy should be a section on backing up data regularly. Backups protect data against a ransomware attack, a network outage or a server crash that would otherwise devastate the business, and ensure files can be retrieved when necessary. To be useful against ransomware, at least one copy must be offline or otherwise not writable from the network, because ransomware encrypts any backup it can reach; and restores must be tested regularly, since a backup that has never been restored is an assumption rather than a backup.
Use secure connections
Any network connected to the internet exposes data in transit to interception and tampering. Remote connectivity should therefore use secure file transfer options (SFTP or HTTPS rather than plain FTP or HTTP). Employees who take their work laptops home should connect to the company network only through a VPN: the VPN encrypts and authenticates the traffic between the laptop and the corporate network, so an attacker on a home or public network cannot read or modify it. A VPN protects the path, not the endpoint; a laptop that is already infected carries the infection into the network through the tunnel.
Change passwords more often
As mentioned above, strong passwords are the starting point; many companies additionally require employees to change their password at least every ninety days, while many others do not enforce any maximum password age at all. The benefit of rotation is narrower than it looks. It limits how long a password that has already leaked remains usable, but a weak password whose hash has been captured is cracked in minutes, long before the next rotation, and employees forced to rotate tend to make incremental changes (Summer2016 to Summer2017) that an attacker guesses first. Whatever interval is chosen, enforce a minimum length, reject passwords that appear in lists of breached passwords, reject a new password that differs from the old one only by a suffix, and require an immediate change whenever there is any sign a password has been exposed.
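The following is an added example, not code from the original article, of a password-change check that enforces those rules: minimum length, a lookup against a common-password list, a comparison of the new password's "stem" with the old one so that a changed year or suffix is rejected, a general similarity test, and a reuse check against a history of hashed previous passwords. The common-password list, the twelve-character minimum, the 0.8 similarity limit and the sample passwords are all assumptions for the example; a real deployment would check against a large breach corpus and tune the limits.

```python
import hashlib
import os
import re
from difflib import SequenceMatcher

# Constructed mini corpus of common/breached passwords (lower-case). A real deployment
# would use a large breach corpus instead of this handful.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123", "summer2016"}


def hash_password(password, salt=None, iterations=200_000):
    """PBKDF2-HMAC-SHA256 with a random per-password salt; returns (salt, digest).
    Used here for the password-history store so old passwords are never kept in clear."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def _stem(password):
    """Lower-case the password and strip trailing digits and symbols, so that
    'Summer2016!!' and 'Summer2017!!' both reduce to 'summer'."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def check_new_password(new, old, history=(), min_length=12, similarity_limit=0.8):
    """Return the list of policy violations for a proposed change; an empty list means accepted.

    new      -- the proposed password
    old      -- the password being replaced (available in clear at change time)
    history  -- iterable of (salt, digest) pairs from hash_password() for earlier passwords
    """
    problems = []
    if len(new) < min_length:
        problems.append(f"shorter than {min_length} characters")

    stem_new, stem_old = _stem(new), _stem(old)
    if new.lower() in COMMON_PASSWORDS or stem_new in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")

    # Incremental changes are the usual response to forced rotation; catch them explicitly
    # before falling back to a general edit-similarity ratio.
    if stem_new and stem_new == stem_old:
        problems.append("same as the old password apart from a changed suffix")
    elif SequenceMatcher(None, new.lower(), old.lower()).ratio() >= similarity_limit:
        problems.append("too similar to the old password")

    # Reuse check: rehash the candidate with each stored salt and compare digests.
    for salt, digest in history:
        if hash_password(new, salt)[1] == digest:
            problems.append("reused from password history")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample: the user's two previous passwords, stored hashed.
    history = [hash_password("Correct-Horse-Battery"), hash_password("Summer2016!!")]
    for candidate in ["Summer2017!!", "Summer2016!!x", "Password1!!!", "Correct-Horse-Battery",
                      "mauve-tractor-eleven-42"]:
        verdict = check_new_password(candidate, "Summer2016!!", history)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Run as a script it rejects the first four candidates (changed year, appended character, a common password with decoration, and a password already in the history) and accepts only the last one. The history comparison costs one PBKDF2 derivation per stored entry, which is acceptable at password-change time but is the reason to keep the history short.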
Don’t rely too much on firewalls and IDS
Firewalls and Intrusion Detection Systems (IDS) are only part of security. Security must be layered so that an attacker who gets past one control still has to defeat several more before reaching anything that would damage the network and the company. Network access control lists add a layer on the network itself; rotation of duties limits how much any one insider can do unobserved; and physical access to network equipment should require both a password and a common access card, something the person knows and something they have. Firewall rules need regular review to remove rules that are no longer needed and to tighten those that remain, with a default-deny policy for anything not explicitly required. On its own a firewall is still one of the weaker controls: it cannot stop a phishing e-mail or a malicious download that arrives over a port it must allow, and it does nothing about unpatched software on the hosts behind it.
Keep mobile devices in mind
Company security policies should be reviewed and updated at least once a year. Include a policy on mobile device security, since many employees use their own devices to connect to the network. As part of the mobile policy, employees should not use company e-mail for personal purposes or personal e-mail for company business. Business owners cannot control how carefully employees look after their personal systems, but they can prohibit personal devices from being used for company work, or require a minimum standard (device passcode, storage encryption, current patches, the ability to wipe the device remotely) before a personal device is allowed to connect.
Scalable security policy
More and more companies are going global, and your security policy needs to scale as the company does. Employees who travel overseas should connect to the company network only through a VPN and should treat hotel and conference networks as hostile. When employees return from a trip, scan the company laptop for viruses, malware and spyware before it reconnects to the network; for travel to high-risk destinations, consider issuing a loaner laptop that is wiped and reimaged on return rather than relying on a scan to find everything.