Why is IT security critical for organizations? One of the most valuable assets in an organization is its data, whether it lives in email, files, databases, etc. How can you prevent others from accessing your data?
This is where IT security best practices come in. If your organization does not have a strategy or best practices in place for protecting your data, it can lead to many severe problems. It is best to be proactive when it comes to IT security. The time and money spent up front will prevent many headaches and issues in the future.
When directors and administrators ask IT professionals how to tighten up security at their organization, they are often thinking of quick and easy fixes like “changing passwords” and “locking the server room doors”. While these are both important (and will be covered later), it’s important to start the conversation by looking at the big picture. Good network security is, ultimately, a result of merging good IT governance and IT best practices.
In short, you can’t have a truly secure network without long-term planning and oversight. None of the little things are enough on their own without dedication and planning. In this article I will raise key issues and questions that will help you figure out where the gaps are and where you need to make improvements.
1. Who is responsible for your IT Security?
Security is not just about preventing attacks, but also preparing for natural and incidental failures. Machines break, users make mistakes. Network security entails more than just preventing hackers; it’s about keeping bad things from happening regardless of the cause. Security is constantly evolving and requires vigilance.
In order for your organization to keep its network secure, someone needs to be thinking broadly, continually reassessing your risks and the changing technology. Yesterday’s solution might be fine for right now, but no solution is permanent. It must be someone’s job to think about information technology broadly and about your organization’s technology more specifically. If no one is asking questions about your network, then it is not secure.
You must find someone with the knowledge to manage your resources, be it an outside firm, a full time IT staffer, or even your office manager. Not every organization needs (or can afford) dedicated IT staff, but no one can afford to neglect the network because they don’t understand it. Moreover, a frequent barrier to fixing IT and security is organizational or managerial inertia.
Having someone who is empowered to make decisions is vital to the security and stability of your network. At the least, someone on your staff must be trained in IT planning and implementation. There are a variety of resources available, particularly in the non-profit world. Just as someone must manage the company finances, IT is a responsibility that you cannot afford to neglect; make it an essential part of your annual budget. Someone must be in charge of making decisions and implementing them for your network.
Key questions:
- Whose job is it to secure our network?
- Is this person keeping up with the latest IT security trends?
- How are they planning and implementing IT security changes as needed?
2. Are your staff trained in IT security policies?
All the policies and tools in the world are useless if your employees do not understand and follow the policies. Users must be taught good security practices and be reminded of them on a regular basis. If you can’t think of the last time you held IT training for your staff, it’s time to schedule one. Users are often forgetful, and many grow complacent or develop bad habits. Reviews of email security, the use of social media, password policies and physical security should be held regularly and brought into the culture of the institution.
It also helps to think critically about how lapses in security can impact your organization’s mission. If your network is compromised, who is at risk? Is your data subject to government privacy policies (such as those that apply to patient records)? Do you handle credit card numbers? Show your employees that the risk is not abstract and that failures have real consequences. Here again, training should be a continual process, not something you do once and then forget about.
Network security needs to be driven from the top down, and your employees are a critical part of the solution.
This is Part 1 of a blog series on IT Security Best Practices. Feel free to comment below to share your questions and ideas on the topic. Join us for the webinar on July 25 on IT Security Best Practices.