There has been no shortage of companies getting their name dragged through the news after a security breach allows sensitive information into hackers’ hands. In most cases, cyber attackers use well known methods for gaining unauthorized access to IT systems. Following a few simple IT best practices can keep your company out of security crisis mode.
1. Patch Proactively
Most software that an organization relies upon that is exposed to network access is regularly updated by the vendor with security patches. While most desktop software updates itself these days, software running on servers typically requires manual or automated installation initiated by an administrator. Once a security vulnerability is known in the wild, hackers add it to their list of strategies to try when attempting to penetrate a network. If your system is left unpatched, you’re exposed. Ensure there are processes in place to proactively patch all network exposed software and firmware at least monthly, and more rapidly for serious security risks. Consider all types of server software in your patching process, including operating systems, database servers and content management systems.
2. Perform Regular Vulnerability Testing
Vulnerability testing includes a series of automated tests that look for security vulnerabilities in network-exposed systems and software. Hackers use scanning tools to find vulnerabilities on your network, and one way to keep them out is by running the same types of tools yourself. While these tools won’t fix the problems, they will make you aware of them so that you can fix them before they are exploited. Any system that is in active or iterative development should be regularly tested.
3. Require Multi-factor Authentication
Typical authentication requires just a username and password, or what the user knows. Multi-factor Authentication (MFA) adds another “factor”, such as what the user has. Any system that could spell disaster for your organization if breached should require MFA. This includes server logins, network logins, bank logins, email logins, etc. Most MFA relies on a smartphone app or keyfob device that gives the user a time-sensitive 6 digit number that they must enter in addition to their username and password. Other systems use a text message, email or phone call. While getting a large user population up and running with MFA can be a bear, it is well worth the trouble in added security.
4. Employee Training
Next to network scanning and penetration, the other major strategy hackers use to infiltrate your systems is “social engineering”. This encompasses a number of tactics designed to take advantage of employee trust to gain unauthorized access to systems. Such tactics include phishing emails that look like they’re from an official source but fool the user into entering their credentials into a hacker-controlled website, phone calls to gatekeepers such as IT help desks requesting a password reset, or emails that appear to be from a manager instructing a subordinate to perform some action. Regularly train your staff on the various tactics used, how to identify them and get them thinking critically about requests for access.
5. Regularly Test Backups
Many security breaches lead to dissemination of valuable data, but others are designed to destroy data. Such attacks may encrypt your data, making it unusable without a purchased key. Others may be simply malicious and seek to destroy your data for no apparent reason. In such cases, you are only as exposed as your backups are untested. IT systems change frequently, so backups should be tested regularly. Important systems should have a defined restore-time goal that is tested at least monthly.
Finally, you don’t have to be an IT manager to ask whether these basic best practices are in place within your company. End-to-end security requires an all-in attitude from all areas of the organization.