If you want an effective cybersecurity program for your company then adhering to the basic principles of cybersecurity and focusing on processes is what will pay dividends. So what are some of the basics?
Does your business know which assets it needs to protect? Do you have an inventory of your servers, workstations, printers, network devices, smartphones, and portable media (e.g., USB thumb drives)? Do you have an inventory of the software installed on your servers and workstations? If the answer is no to the above questions then that is an area your business should focus on. Now, if you are a somewhat larger company with 50 or more employees then an inventory management tool like Dell KACE may be in order because it makes inventory management easy. It also has other capabilities such as IT ticketing and system patching.
Adherence to the Principle of Least Functionality
The principle of least functionality is critical to having a successful cybersecurity program. Uninstall any non-business essential applications on your systems, close unused ports and services and make sure that only authorized users can make changes to your systems. This will reduce your attack surface.
Adherence to the Principle of Least Privilege
Only provide users access to the information and functions needed for them to carry out their job duties. You would be surprised how many companies allow all their users to have admin rights on their local machines. Just revoking admin rights on a Windows machine mitigates 94% of vulnerabilities.
Access Controls
Limiting what information and systems users have access to can help reduce the damage a hacker can do with a compromised user account. Make sure you audit all your user accounts to see what systems and resources they have access to, then adjust their access to align with each user’s job responsibilities. If you have a lot of users to review and have a Windows AD environment, then a tool like ADManager Plus can be useful.
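One way to find out who actually holds local admin rights, as an added example that is not part of the original post: this PowerShell script pulls the local Administrators group from a list of Windows hosts and reports any member that is not on an approved allowlist. The hostnames and allowlist entries are placeholders; it assumes PowerShell 5.1 or later and WinRM enabled on the targets.

```powershell
# Added example (not from the original post): audit local Administrators
# membership across Windows hosts and flag accounts outside an allowlist.
# Hostnames and allowlist entries are placeholders; replace with your own.
# Assumes PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module on the
# targets) and WinRM enabled for Invoke-Command.

$Hosts    = @('WKS-01', 'WKS-02')                                   # placeholder hosts
$Approved = @('Administrator', 'CORP\Domain Admins', 'CORP\Desktop-Support')  # placeholder allowlist

$Findings = foreach ($h in $Hosts) {
    try {
        # Query the group remotely; only the fields needed for review are returned
        $members = Invoke-Command -ComputerName $h -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object Name, ObjectClass, PrincipalSource
        }
    } catch {
        Write-Warning "Could not query $h : $($_.Exception.Message)"
        continue
    }

    foreach ($m in $members) {
        # Local accounts come back as 'HOST\Name'; strip the host prefix so that
        # 'WKS-01\Administrator' matches the allowlist entry 'Administrator'.
        $shortName = $m.Name -replace ("^" + [regex]::Escape($h) + "\\"), ''

        if (($Approved -notcontains $shortName) -and ($Approved -notcontains $m.Name)) {
            [pscustomobject]@{
                Host    = $h
                Account = $m.Name
                Type    = $m.ObjectClass      # User or Group
                Source  = $m.PrincipalSource  # Local, ActiveDirectory, MicrosoftAccount
            }
        }
    }
}

# Unexpected local admins, ready for review and revocation
$Findings | Sort-Object Host, Account | Format-Table -AutoSize
$Findings | Export-Csv -Path '.\local-admin-findings.csv' -NoTypeInformation
```

Nested group membership (for example a domain group that itself contains users) is not expanded here; review any flagged groups separately.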
Separation of Duties
Make sure that critical tasks are separated among employees to prevent an employee from bringing down your business processes. This is especially important for your IT team. Don’t let one admin hold all the keys to the kingdom. Review your processes and procedures and determine how you can separate duties.
Don’t allow your systems to be modified without prior approval. Make changes during dedicated change windows. Ensure that changes are tested before they are deployed to your production environment. Make sure to assess any security or operational risks associated with a change before making it.
Defaults Generally Aren’t Secure
Password protecting, encrypting hard drives, patching, and running anti-virus on your systems doesn’t make them completely secure. Use DISA Security Technical Implementation Guides (STIGs) to harden them. These guides remediate a large number of vulnerabilities and are available for everything from Linux servers to Cisco switches. They are also available for applications such as Google Chrome, the MS Office suite, and Adobe Acrobat.
Document any changes made to your IT systems, make sure to have an easy-to-understand IT security policy, have an acceptable use policy, and document your security initiatives in a system security plan. Make plans for remediating any security vulnerabilities you may have. Regularly review your security controls to confirm that they are working as intended.
Train your users and system admins on the latest security threats. Don’t rely on PowerPoint slides to achieve your security awareness goals. Get creative by using phishing exercises, and require employees to pass tests to verify their knowledge of security best practices and policies.
Get Third Party Services Under Control
Do you know which cloud services and other third party services your company is using? You might assume that your company is only using Microsoft OneDrive for cloud storage just to find out that a business unit is using Dropbox or personal Google Drives. You may have assumed that your company only had five on-premises services just to discover that a business unit has several servers in AWS. You can discover and take control of the third party services used by your organization by conducting interviews with executives and end users. You don’t have to get fancy. Users shouldn’t be ashamed to tell IT about a tool they are using. Just make sure to administer the tool or provide an alternative.
Incident Response and Recovery
Do you have a game plan for handling common security incidents such as malware infections or phishing emails sent to your users? If not, then you need to document how your team should react to these security incidents. You also need to be capable of recovering your systems. Make sure that you have backups of important systems and information. Don’t rely on just one staff member to know how to conduct backups. Use cross training to ensure that multiple IT team members are capable of recovering systems.
The above isn’t an exhaustive list of cybersecurity basics every company should be doing but it is a pretty good list that covers some of the major areas I see companies struggling with in the field.