Corporate IT Security Starts With Simple Policies
Frequent readers of hackercombat.com should be fully aware by now that cybercriminals of all sizes mean serious business. The old days of script kiddies vandalizing a website or pulling off a publicity stunt for their 15-minute of fame online are a rare occurrence these days. Cybercriminals are enticed by the real plausibility of profiting from their operations, there is money from data stored in a database of any company. Cybercrime tends to increase intensity and sophistication, especially if the victim is an actual prime target. Spear phishing, deliberate virus infections, infiltration, and corporate/industrial espionage are regular campaigns, most especially if the cybercriminals are funded by a nation-state, as we sometimes report here in hackercombat.com
So what can a company do to mitigate the risks? To formulate mitigations without causing the ban of BYOD (Bring Your Own Device) which is highly productive for employees nor disabling the Internet connection for IoT (Internet-of-Things) devices. For any network administrator worth his salt will tell you, the more uniform the devices connected to the corporate network, the lesser the attack surface. Of course, it is no longer possible to ban personal smartphones in the workplace, given that leaders and the management team of companies use their personal devices for business use as well. IT team just have to find an alternative way to secure the enterprise network without enforcing cut-throat restrictions all over the place in the name of security.
There is no 100% security, and even us here at hackercombat.com can never claim that 100% security is achievable. In this article, we provide you a list of tips on how to increase corporate security without the company breaking the bank and easy to implement:
Define computers that do not require an Internet connection
Not all computers in the enterprise require an Internet connection, in fact, some computers that perform critical 24/7 task do not require a network connection. These machines run specific applications, produce a specific deliverable critical for the organization. There should be regular audit what are the computers that fall in this category, determine if they require connection or remain air-gapped for the rest of the cycle.
Build and keep an updated inventory
Having the updated inventory provides a good baseline in determining the best IT policy, what restrictions can be enforced which will be acceptable for everyone. With a good knowledge of the inventory, problematic equipment can easily be identified, quarantined and if necessary removed from the network (in case of malware infection).
Empower the leadership team with cybersecurity awareness
The leadership team, including the company’s board of directors and the rest of the staff members below them, should all be aware of cybersecurity risks. As the leadership team formulates corporate-level decisions, one wrong decision may cause a troubled brand and long term damaged customer confidence.
Be transparent with IT security policy
All policies that will be enforced need to be written, making it part of the employee’s handbook is even an advantage. The moment a newly hired employee steps into the organization, IT policies are made known. This prevents a gap between the employee and the employer when it comes to standard policies governing the office.
Keep software updated across the organization
This takes a lot of effort for the IT team to implement but must be done without any compromise. The company may allow a certain level of deferred updates in a small-scale for those that critically needs to finish a certain project or task, but that should not be an exemption for non-installation of software updates.
Use Open Source software as much as possible
Unlike the proprietary software, open source software is quickly patched with new updates as soon as a version with a fixed known issue is released. In the open source world, there is no need to wait for a “Patch Tuesday” in order to receive a fixed version of the buggy software. Patches are released as soon as the developers implemented the solution to the bug, security or feature-wise.