“One does not simply secure the network”.

With continuously emerging cyber threats and stronger legislation protecting personal data, data security is a hot topic.

Whilst a lot of major targeted attacks are on large organisations, 58% of malware attack victims are SMBs. This is because small businesses are more likely to have vulnerabilities in their IT systems, as they often lack sound systems management and maintenance processes.

A lot of outsourced IT support providers fail to take a proactive approach with their small business clients, focusing only on their larger clients. This leads to businesses using out-of-date or obsolete systems which are not protected against the latest threats.

I have put together ten key steps (at a high level) that every internal/external IT team should be taking for businesses of all sizes and sectors.

Step 1: Information Asset Register

Put together an information asset register, detailing all data that your organisation processes. This is essential for the GDPR (General Data Protection Regulation) and will also help you assess the security of your data. This document should include:

- Where your information is stored
- Where your information came from
- Your legal grounds for processing it
- Your processing activities
- Who has access to your data
- How long your data will be retained for

Step 2: IT Security Audit

Carry out annual IT security audits to assess the controls that you have in place and to document controls that the business ought to have in place. Use red/amber/green coding to represent the level of risk currently faced by the business in each area. Consider the ‘C.I.A’ triangle when carrying out your assessment: controls should preserve information Confidentiality, Integrity and Availability. Your assessment should cover the following as a minimum:

- Server security
- Device security (including computers and mobile devices)
- Email security
- Data security (including cloud systems)
- Network security
- System redundancy

See this how-to for more detailed information: https://community.spiceworks.com/how_to/149753-how-to-perform-it-risk-assessment?source=learn

Step 3: Implement Controls

Implement controls to protect your data. Some of the key controls you should have in place:

- A dedicated hardware firewall with active security subscriptions
- Business grade anti-virus
- Complex passwords, which routinely expire
- Email security to scan inbound emails for malware and phishing attacks
- Encryption of all company data
- Isolated guest WiFi (if WiFi is provided to guests)
- Two factor authentication for cloud services where possible (e.g. Office 365, Dropbox, Xero)
- Mobile device management

Step 4: Access Control

- Ensure staff have only the minimum required level of access to data
- Implement an access control policy
- Keep an audit trail of access changes
- Use documentation, such as new-starter and leaver checklists, to ensure access is correctly granted and revoked when employees join or leave your organisation

Step 5: System Maintenance

It is crucial to keep your systems up to date to ensure you are protected against the latest vulnerabilities.

- Windows updates should be rolled out on a weekly basis
- Apply software updates
- Apply firmware updates on network devices

Step 6: Backup

Ensure your data is regularly backed up securely off-site (encrypted).

Step 7: Documentation

This is an area that far too many IT teams/companies do not take seriously enough.

- Ensure your IT systems are fully documented
- Document system administration procedures
- Implement secure configuration standards/checklists for computers, servers and network devices

Step 8: Monitoring

- Monitor your systems to detect faults, outages and changes
- Review security logs on firewalls and servers
- Monitor anti-virus endpoints from a central location to review detections and to spot endpoints that are failing to update
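As an added example (not part of the original post), the central anti-virus review above can be scripted against a console export, using the red/amber/green convention from Step 2. The record layout, hostnames, dates and the staleness thresholds are all assumptions; no vendor's real schema is implied.

```python
from datetime import datetime, timedelta

# Constructed sample of a central AV console export (assumed field names).
ENDPOINTS = [
    {"host": "fin-pc01",  "last_signature": "2024-03-10T08:00:00", "last_seen": "2024-03-10T09:00:00", "detections": 0},
    {"host": "sales-lt02", "last_signature": "2024-03-01T08:00:00", "last_seen": "2024-03-11T07:30:00", "detections": 0},
    {"host": "wh-pc03",   "last_signature": "2024-02-19T08:00:00", "last_seen": "2024-02-20T17:00:00", "detections": 0},
    {"host": "recep-pc04", "last_signature": "2024-03-11T06:00:00", "last_seen": "2024-03-11T11:00:00", "detections": 2},
]

STALE_DAYS = 3    # assumption: signatures older than this mean the endpoint is not updating
OFFLINE_DAYS = 7  # assumption: an endpoint silent for this long may be unmanaged or switched off

def rate_endpoint(ep, now):
    """Return (rag, reason) for one endpoint using red/amber/green coding."""
    sig_age = now - datetime.fromisoformat(ep["last_signature"])
    seen_age = now - datetime.fromisoformat(ep["last_seen"])
    if ep["detections"] > 0:
        return "red", f"{ep['detections']} detection(s) reported"
    if seen_age > timedelta(days=OFFLINE_DAYS):
        return "red", f"not seen by the console for {seen_age.days} days"
    if sig_age > timedelta(days=STALE_DAYS):
        return "amber", f"signatures {sig_age.days} days old"
    return "green", "up to date"

def review(endpoints, now_iso):
    """Rate every endpoint at the given review time (ISO 8601 string)."""
    now = datetime.fromisoformat(now_iso)
    return {ep["host"]: rate_endpoint(ep, now) for ep in endpoints}

def needs_action(endpoints, now_iso):
    """Hosts that are red or amber, i.e. the list to hand to the technician."""
    return sorted(h for h, (rag, _) in review(endpoints, now_iso).items() if rag != "green")

if __name__ == "__main__":
    for host, (rag, reason) in review(ENDPOINTS, "2024-03-11T12:00:00").items():
        print(f"{rag.upper():5} {host:11} {reason}")
```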

Step 9: Governance and Compliance

- Implement policies and procedures to govern your employees on data security
- Provide evidence that your employees are reading and understanding your policies
- Ensure your data processing activities are compliant with local data protection law, such as the GDPR. Failure to comply with the GDPR can result in fines of up to 4% of your global revenue or 20 million euros (whichever is higher)

Step 10: Training and Employee Awareness

- Train your employees on the most appropriate way to use your IT systems
- Ensure your employees are aware of common threats, such as email phishing scams

29 Spice ups

Great write-up!

I actually found the meme for your opening quote. Unfortunately, there is no way to upload it to the comments section. Such a pity.

Thanks for detailed information… Indeed I was looking for this type of articles…

Great primer for those that have yet to get started on this rather important area of IT!

Step 10 should be repeated throughout the post :wink: Otherwise, this was a great write up!

Good article and tips.
The next step would be consideration of the depth to which you do these tasks and what level of security your business needs based upon its risks, and getting some sort of certification (if required), e.g.
Cyber Essentials
Cyber Essentials Plus
ISO27001

And if it is an internal team, especially a small team, that has to outsource some or all of the work to a third party, then supplier assessment, segregation of roles, principle of least privilege etc. are key.