Brushing our teeth and washing our hands – these are both tenets of good personal hygiene. They’re basic activities we need to do daily to protect ourselves and maintain good health. Similarly, every organization needs to address the basics of security hygiene to protect their data from the host of security threats that exist today.
In this article, I’m going to share with you the seven basic principles or seven security hygiene tools your organization must master to protect your data and build a strong IT security foundation, as well as the three management principles that will help to ensure business executives are communicating effectively with technical staff.
The Security Landscape Has Changed
IT security is no longer all about the firewall. Twenty years ago, it was common for people to work in an office and use a company computer. When they went home, they left the office behind.
Today, those walls around the office have disintegrated. I’d argue that the concept of an office and a company computer has disappeared. We’re seeing less and less corporate traffic transiting the corporation’s walls.
What has created this shift? The trend is the move to the cloud. People are taking advantage of more mobility and flexible working environments, giving them the ability to access corporate applications through the cloud from any location. As a result, the corporate firewall isn’t able to “see” as much corporate data and less of this data is stored within corporate walls.
Overall, today’s businesses are faced with an increasingly challenging IT security environment: passwords are obsolete with hundreds of millions of passwords exposed on the Internet, less and less traffic flows through corporate firewalls, and the number of security solutions increases year over year.
We can expect these trends to accelerate and it is fundamentally changing how organizations must address IT security.
Your Number One Defence: Good Security Policy
At its core, IT security is a risk management practice. Your security is only as strong as your weakest link. Too often, an organization’s technology site gets ahead of the business and the business suffers.
In my experience, organizations that have had the most success in building a solid IT security foundation have implemented strong, and often effectively simple, security policy by focusing on the company’s data: where is it, who needs it, and how to protect it.
These three steps help define effective security policy:
- Governance: Roles & responsibilities of ownership, implementation, staffing and operation of security tools are clearly allocated.
- Data Classification and Inventory: Determine what organizational data is important and ensure that where it is located is understood.
- Policies: Policies that set business priorities and principles are defined. This could even be a hand-written, half-page of paper – but it is a critical first step. You need to look at your data and your risks and then determine which policies help to mitigate and protect it.
According to Gartner, by 2020, 99% of vulnerabilities exploited by hackers will have been known to security and IT professionals for at least one year. That’s a scary statistic.
However, it reinforces the importance of using policy and governance to ensure that a balanced approach is taken to protect your most critical asset – your data – rather than be distracted by shiny, new security products.
The Seven Security Hygiene Tools to Master
Good security hygiene starts by having the following seven critical elements clearly defined, understood and agreed upon by stakeholders within the organization. These tools can be applied to both physical and logical infrastructure.
- Configuration and Patching: Software will always have some bugs, and patches are something we have to live with. Patches and configuration “best practice” updates come out frequently and we need to make sure software is patched and configured. Today, it’s not enough to just rely on the vendor for patch updates. It’s imperative to have a robust patch management system in place. A policy that ensures both manual and automated patching is scheduled on a regular basis. Operational procedures should be used to ensure policy is being implemented.
- Authentication: Passwords are becoming obsolete. In many cases, passwords have been exposed and password databases hacked into. Passwords are tough for people to use, which means they often get reused, increasing their exposure. The best approach a company can take is to implement multi-factor authentication where possible. If it’s not possible (like with a lot of legacy applications), a password manager should be used. It should be noted that text-messages have been proven to be a distressingly weak form of authentication and not appropriate for many businesses.
- Tested Backups: Bad things happen. Laptops, phones and servers get stolen, malware and ransomware happen, and sometimes we lose all access to our systems. One of the best ways to protect our data is with backups, so the business can keep running. But, if you never check the recovery process, you could be in some trouble. Testing should take place every 12-18 months to ensure backups and processes are working. This will ensure business continuity. The 3-2-1 backup strategy is an effective starting point: three independent copies on two different media with one offsite. One copy should be unalterable to prevent ransomware attackers deleting the backups.
- Protection: With less traffic transiting the corporate firewalls, protection needs to extend beyond the organization to wherever the data resides. The tools deployed to protect a company’s data need to align with the policies and business objectives that have been defined. Some organizations will have data that will require additional layers of protection as compared to others, depending on the policies identified.
- Monitoring: All systems need to be monitored. The ability to detect security concerns and breaches is important to maintaining good hygiene. Organizations can use SIEM (security information event management) to provide real-time analysis of security alerts and have a centralized location to see the health of a business from a security perspective.
- Encryption: All critical data should be encrypted to protect from theft and ensure privacy. In many cases, devices will come with some level of encryption already in place. However, in some instances, additional encryption may be required. With the shift to Cloud and applications running on shared systems, some companies will need to encrypt key data even in RAM. Critical data should be identified and defined in your security policy, this may be credit card information, intellectual property or a customer database.
- Training: Ultimately, our people are the gatekeepers of our data, and understanding the basics of data policies will always be important. Today, the biggest risk in any organization is people using email. Training and educating people about what to look for and how to protect themselves from email and social attacks is critical.
It’s likely that the biggest improvements to your company’s security posture rest in shifting to a culture of good security hygiene that covers the basics above. It’s a simple approach, but an effective approach to ensure that an organization is continuously protected.
I’d love to hear your feedback and thoughts. For many companies, implementing these practices can be challenging. Most of us need to reach out to an extended team for success. If you’d like to discuss this framework further, feel free to reach out to me directly.