In Part 1, I provided an overview of IT security essentials and best practices. In this post, I provide some additional details.
So after backups, antivirus and patching, what’s next?
Let’s consider how we can extend our protection of data and devices and see what else we may be missing. In broad strokes, let’s look at the following:
The Network
Have a good firewall that can manage what comes in and out of your network. Firewalls from Fortigate and Cisco, as well as other vendors, provide active scanning of traffic but also monitor web traffic and can categorize types of sites to help with limiting or preventing access to those sites. Firewalls also can detect malicious content being delivered from a compromised computer on your network. Is one at risk of being a bot? Not if you’re scanning and blocking outbound traffic. Our clients have explored using the firewall to scan and limit the types of attachments that can come into and out of the organization by email.
The Data
Know where it is stored. Is it encrypted if stored offsite? Is data stored in ad hoc solutions? Have an agreement in your organization about how and where files are kept and shared. Wherever it is stored, use simple file sharing and permissions-based security. If stored off-site, know the security features of that service. One last idea is implementing a Digital Rights Management tool on the network. This combines encryption with control over what applications and users can access the data. DRM (or called RMS by Microsoft) adds another layer of security with encryption to control and audit who has access to which documents. The drawback here is that it is the most heavy-handed and most challenging in a mixed (Mac, PC, mobile) environment and requires a lot of planning. Microsoft has more on RMS here.
The Devices
One simple thing to do is to require staff to stay updated with patches for their mobile devices and home computers. Some technologies can be used to enforce updates and automatic locks on mobile devices. These insulate the organization’s network from remote devices that are outside of daily management. Getting reports of the devices attempting to connect can help with this. Once connected, having an easy-to-use mobile device management (MDM) tool can be a helpful. Community IT doesn’t have a single recommendation for MDM, but can help you decide which MDM tool is right for your needs.
The Applications
Along with keeping devices such as computers and networking equipment up to date, make sure that all software programs are patched. For mobile devices as well as traditional computing devices, be sure that you know what programs are in use. We provide monitoring and management services to keep our clients aware of what programs are running and can help to keep them updated and provide reporting around this.
These are just some approaches to using technology to secure your IT resources. But I’ve saved arguably the best for last. These technologies are not going to be effective without a good discussion and sufficient planning.
Key Questions
It is helpful to start with a good understanding about what needs to be protected in your organization. To help you get started, here are some questions you can answer.
1. What does security mean for our organization?
2. Is it acceptable for staff to copy files copied to the “cloud” on an ad hoc basis?
3. Should people share passwords to any services? If so, how?
4. Is it acceptable for passwords to be written on sticky notes?
5. Who should have access to important passwords?
6. Are your IT resources physically secure?
These are some really basic questions, but your organization can also come up with ones that are more specific to your organization’s needs. The answers to these and other questions will help you determine where to invest your efforts in terms of IT security. It is helpful to get everyone on the same page and then lay out the priorities. You can start with some broad strokes, but it is good if you can also get into some specifics. You may (probably will) find that there are many low-cost or no-cost steps that you can take immediately. You can provide a guide to staff on acceptable use of organization resources.
How We Can Help
These are the steps that an organization can take to address security considerations. Starting with the foundation, and afterwards having a conversation about what IT security best practices are in your organization. Community IT can help translate your organizational goals into a specific technology plan with a budget, specific products or services and how it may impact your staff’s access to resources. We can also help in translating your business goals into an IT plan. An effective plan takes into account securing the IT resources in your organization.
In the comments section below please tell us what changes your organization has made in the last year to improve security.
o Have you updated your policies?
o Did you add a service or application?
Please let us know if there are specific security topics you would like us to focus on in future blog posts.