1. Define a security policy
This is the document which governs all data security within the company. Some tips? It shouldn't be too lengthy (no employee is likely to engage fully with a fifty page document); it should not demand the impossible; and it should show that you value your employees. (A further recommendation: have an executive or the HR department deliver it, rather than IT support.)
2. Make use of security technologies
These are the basis for the security of the company's data/information. A network that does not have antivirus protection, firewalling or antispam will be exposed to too many risks for other controls to cover adequately. According to data presented in the ESET Security Report Latin America, 38% of enterprises in the region were infected with malware last year.
3. Educate your users
Moreover, educate all your users. Technically adept users and the IT Department are often left out of security training, as if it were proven that they are less vulnerable to threats. According to ThreatSense.Net statistics, 45% of the threats detected in the region last year made use of social engineering, against which technical expertise unrelated to security may offer no defence at all.
4. Take control of physical access to information
Information security is not a problem that should be considered only in terms of "virtual" information; it should also take into account the physical media on which that information is stored. Where are the servers? Who has access to them? Without a doubt, physical access is crucial. Printed data should also be considered in this respect: for example, physical access to offices where confidential information is held (Management, accountants etc.) or to shared printers, where someone could "accidentally" see or take confidential information.
5. Maintain your software
Software vulnerabilities are the gateway to many attacks against the organization. According to the report on the state of malware in Latin America, 41% of USB devices are infected and 17% of the malware used exploitation of vulnerabilities. Keeping the operating system and other applications up to date with the latest security patches is a vital security measure.
6. Don't just rely on IT to defend your systems
One of the most common security errors is to fail to understand that security is not purely a technological problem. There should also be a team whose sole purpose is to manage information security, and this should be given full consideration rather than ignored in favour of issues such as usability and convenience. Security is not the only business need, but it is important.
7. Don't give ordinary users administrative rights
If users don't have administrative rights they don't need, the impact of an intrusion into the system will be limited. Once again, we should emphasise the importance of implementing this control for the entire company: members of the IT department and senior management should also have limited privileges for day-to-day computer usage, using administrator accounts only where the job in hand requires them.
8. Think before you sacrifice security to save money
Security should be designed to protect business information and, therefore, the business. When investing in security, take into account the value of the information that is to be protected, the likelihood of a breach, and the likely consequences of such a breach.
9. Don't finish a security project
That may seem a strange thing to say, but it isn't, because you shouldn't start a project either. Security must be seen as a continuum, not a process with a fixed start and end point. It is true that individual security controls may need to be implemented as projects, but the general protection of information should not be perceived as a project, but as a continuous process and an ongoing business requirement.
10. Don't underestimate the importance of information security
Our last and possibly most important point is to urge you to understand the importance of well-protected business information. One of the worst mistakes that an executive can make is to think that a control should not be implemented because "I don't think it will happen to me". Many companies, especially small and medium-sized enterprises, may not recover from a severe information breach.