12 Security Tips To Keep Your Organization Protected Is your organization part of the 64 percent looking to revamp their security infrastructure? Ensuring your organization is secure can be overwhelming, which is why we’ve taken the liberty to provide our top 12 areas of focus to help you minimize data security threats. CREATE A SECURITY CULTURE Even with the most advanced technologies in place, untrained employees can leave an organization vulnerable to malicious attacks. Creating a culture around data security can help prevent breaches. To start, make security awareness training a mandatory event for employees. This training should not only show employees the different kinds of cyber and social engineering attacks, but also show them how to thwart attacks. Provide concrete examples of actual threats, and set up a test/false attack to identify employee behaviors and then provide additional training, if needed. Once employees know how to stop these strikes before they even happen, the risk of a cyberattack decreases, and will validate the criticality of your organization’s data. IMPLEMENT A CYBERSECURITY POLICY When was the last time your company reviewed its cybersecurity policy? Do you even have one? In a NetEnrich study of more than 150 IT professionals, 40 percent said their company had been a victim of cyberattacks, and 43 percent said they could’ve been prevented with a better company-wide cybersecurity policy. If you don’t have one in place, a good cybersecurity policy should cover these five things: How to detect scams, such as phishing and other social engineering tactics. Guidelines on password management. Guidelines on proper internet usage. The standards for installing software updates and patches. Standards on how to keep sensitive data safe. It’s not enough to just have a policy. The CEB reported that 90 percent of employees violate their organization’s cybersecurity policy, and that’s mostly because they don’t know the policy. Communicate and do multiple trainings to explain the expectations with data security, so that your employees are well-equipped and on the lookout for potential attacks. USE A VPN OR UNIFIED THREAT MANAGEMENT Using a Virtual Private Network (VPN) allows you to have a secure connection wherever you are, whether at home, a coffee shop, or in the airport. A VPN encrypts your connection, making anyone else on the same Wi-Fi network unable to intercept your traffic. A quality, business-grade firewall will have VPN capabilities. In addition, there are many hosted services that offer VPNs. Going one step further is Unified Threat Management. This is a more comprehensive approach, where multiple security functions work within a single platform. A firewall is part of Unified Threat Management, but it also includes: network intrusion detection/prevention, anti-virus, gateway anti-spam, VPN, content filtering, load balancing, data loss prevention, and reporting. BUSINESS CONTINUITY AND DISASTER RECOVERY How you handle an outage, recover from it, and prevent it from happening again are crucial factors for your organization. Infrascale reports that one hour of downtime can cost small businesses $8,000 and large companies $700,000 on average. These are big numbers, and it can be alarming to think this could happen to your organization at any time. If your business depends on system uptime and availability to serve clients and drive sales, then just running a daily backup may no longer be enough. Many organizations are seeking redundant internet connections and automated failover solutions, should an outage occur within their primary systems or network. Having a business continuity plan and the associated technology can significantly protect your bottom line. IMPLEMENT ESSENTIAL TECHNOLOGY SERVICES Services such as anti-virus, firewall protection, network monitoring, and wireless security are layers of defense to give you state-of-the-art protection. Having a network that is protected behind a firewall and an elaborate network system is becoming a necessity, and can be the difference between being hacked and being safe. Most organizations have a firewall, but not all of them are using their firewall to its full potential. A firewall is the foundation to protecting your network from unauthorized access. A business-class firewall can perform additional services like blocking dangerous or unproductive websites, running in-depth reports showing which websites your employees are visiting, bandwidth consumption, and other information that can impact productivity. Many organizations see the benefit to a managed security service because it provides more time for internal resources to focus on core business functions and initiatives, and allows them to run everything through a single vendor. With a managed service provider constantly monitoring and updating your network, your organization will improve efficiency and productivity. ENCRYPT YOUR DATA To ensure maximum protection, it’s best practice to encrypt your data while in transit and at rest. Encryption renders information unreadable when accessed without proper authorization. Having a process in place that ensures sensitive devices are encrypted and that files and emails are being properly sent is imperative. MANAGE YOUR MOBILE DEVICES An important place to protect when it comes to passwords and your organization’s security is your employees’ mobile devices. At a basic level, the goal of mobile device management is to protect the data on employee devices. This reduces the risk of a mobile device being compromised, and can help secure your data, should it become compromised. Most mobile device management systems allow you to manage the users’ devices, establish a user policy, and wipe or reset the device in certain cases. Today, more and more organizations are adopting a Bring Your Own Device (BYOD) mentality, where the employee uses their own tablets, smartphones, and laptops. While this can save the organization money, it also comes with its own set of challenges. One big issue surrounding BYOD—and personal technology as a whole—has to do with privacy and security. Whether it’s through apps, training, or just well-worded policies, you need to ensure that your employees aren’t sharing confidential information about your business or your customers. Likewise, you should have a plan in place that preserves employee privacy and doesn’t leave your company liable to charges that you’re using technology intrusively. You should also have a process around employee transitions, and what happens to the employee’s mobile device when they leave your organization. Does the phone get wiped, and does the employee know what to do with it when they leave? This goes hand-in-hand with mobile device management, and can benefit your organization in the long run (especially if an issue does occur). HAVE A DEFENSE IN DEPTH APPROACH To properly secure your network, construct a layered security approach through segmentation. Think of it like an onion: there are many layers that keep peeling back to eventually reveal the core. Your organization’s systems/servers should be restricted within their own network or layer, and access to each one should be defined by a strict whitelist, where only explicitly configured address objects and services should be allowed. This ensures that communication is only happening on secure channels. UNDERSTAND USER AGREEMENTS All data hosting services have user agreements that outline their terms and conditions. While these may be arduous to read, it’s important to understand the fine print. You need to be careful you are not consenting to allow the provider to directly access (or share) your business data and customer information. In doing so, you could expose sensitive information that isn’t meant to be shared. It’s also important to consider any legal or compliance regulations associated with using a third-party hosting service. To help you understand these agreements, consider downloading the printer-friendly version and take the time to read through it. If you find words or phrases that you don’t understand, look them up or get advice from an industry expert. It’s better to be safe than sorry. HAVE AN EFFECTIVE PASSWORD POLICY For businesses, passwords are everything. If just one employee is careless with their password, it could have devastating consequences to your organization. To stop this from happening, organizations must enforce complex password requirements. Tips for creating an effective password include: Password best practices, such as a minimum length of eight characters, no password hints, and a common password ban list. Require a unique passphrase with special characters, so that it’s more difficult to crack. Set up a policy limiting the number of consecutive incorrect access attempts. Consider using Two-Factor Authentication (2FA). ACTIVELY MONITOR YOUR SECURITY You can also manage your network activity to monitor for security threats. Security Information and Event Management (SIEM) is one effective strategy that delivers a centralized view of all network data. From that data, it can identify any threats and track them throughout your organization’s system. SIEM consolidates all logs and provides a clearer picture of what’s happening in your network. Fortunately, SIEM isn’t something that you have to handle on your own. Managed security service providers (MSSP), like Aureon, offer 24/7 security monitoring that’s affordable and effective. These services let you know right away when security incidents occur, and include log monitoring reports and network analytics, to help you see exactly what’s going on in your organization’s network. CREATE A DATA POLICY In today’s day and age, there are a variety of free or low-cost hosting services available for data storage. Many are designed for the consumer market and not suited for business use. Such services can pose security risks to an organization. To combat this, it’s important to have a data security policy in place, which all employees are aware of, fully understand their obligations, and follow. It is important for your employees to know what the risks and implications are, should a data breach occur. A data security policy should be used to define approved methods to securely transfer or share data and define restricted methods to help stop the use of unsupported or unsafe services and applications. Policies should be very specific on what is acceptable and not acceptable for all employees. They should include information about email policies, mobile devices, social networking, and internet usage. These policies should be documented, communicated (multiple times), enforced, and periodically reviewed and updated. As cybersecurity breaches continue to rise, organizations must revisit their IT and security infrastructure to make sure they are doing everything they can to prevent their organization from a breach. These security tips are great ways to start thinking about your organization’s security, and consider if there are any areas where you could make improvements or implement a new technology. Could any of these solutions make your organization more secure? Mike Wallen Mike Wallen is a Business Solutions Manager at Aureon Technology. Mike is enthusiastic and passionate about helping small to medium-sized businesses eliminate the hassle, waste, and headaches of all things technology in their business to create a worry-free environment. Mike has 15+ years of experience in IT, with a focus on healthcare, law firms, nonprofits/charity, and general small to medium-sized business. He believes in listening to his clients' needs first, then aligning those business needs with business processes and technology solutions. Mike considers himself a true business efficiency and technology architect. Aureon Technology provides end to end IT and communications solutions and has locations throughout the Midwest including Des Moines, Omaha, and Kansas City. Aureon strives to take care of your technology and back office needs so you can focus on what you do best.