Are you concerned about security? Worried that your company isn’t keeping up? The basic elements businesses used to employ to secure their systems and data, even three years ago, have changed. Review these four “new” network security basics below and see if you have kept pace.
1. Passwords and Logins
Thinking has evolved and continues to evolve on this topic. It’s not enough to simply have a complex password, it must be one that is unique among all of the passwords that you use.
Has the number of passwords you have collected quadrupled in the past few years? How do you keep track of all of them now that they are all different and constantly changing? You need to ditch the Post-It notes under your keyboard, put that Excel spreadsheet in the trash, and look at a password vault application (or password manager). A password vault securely generates, stores, and manages your passwords (among other cool, time- and sanity-saving functions). The LastPass Enterprise system that CoreTech recommends and supports gives you access to all of your passwords and security credentials wherever you are and on whatever device you are using.
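As an added illustration of the "unique among all of your passwords" point (example code, not part of the original article or of any vault product), the audit below reads a constructed password-vault CSV export and reports which sites share an identical password, and also which share a password that differs only by a trailing year, number or symbol, since seasonal rotations like Summer2019! and Summer2020! are not really unique either. The column names url, username and password are an assumption about the export format.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of a vault export; these are not real credentials.
SAMPLE_EXPORT = """url,username,password
https://mail.example.com,alice,Summer2019!
https://crm.example.com,alice,Summer2019!
https://bank.example.com,alice,Summer2020!
https://hr.example.com,alice,x7#Qp9!vLm2&Zr
"""


def _stem(password: str) -> str:
    """Lower-case the password and strip trailing digits/punctuation,
    so rotated variants of the same base word collapse to one stem."""
    return re.sub(r"[0-9!@#$%^&*?._-]+$", "", password).lower()


def audit_vault(export_csv: str):
    """Return (reused, near_duplicates).

    reused: groups of sites that share exactly the same password.
    near_duplicates: groups of sites whose passwords share a stem but
    are not identical (e.g. only the trailing year changed).
    Passwords themselves are deliberately not returned in the report.
    """
    sites_by_password = defaultdict(list)
    passwords_by_stem = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_csv)):
        pw = row["password"]
        sites_by_password[pw].append(row["url"])
        passwords_by_stem[_stem(pw)].add(pw)

    reused = sorted(sorted(sites) for sites in sites_by_password.values()
                    if len(sites) > 1)
    near_duplicates = sorted(
        sorted(site for pw in pws for site in sites_by_password[pw])
        for pws in passwords_by_stem.values() if len(pws) > 1)
    return reused, near_duplicates


if __name__ == "__main__":
    exact, near = audit_vault(SAMPLE_EXPORT)
    print("Sites sharing an identical password:", exact)
    print("Sites sharing a rotated variant:", near)
```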
Along with complex passwords, two-factor authentication or 2FA (also called multi-factor authentication) has quickly become a necessity. The extra step to gain access to your network, device, line-of-business software, or web portal may seem inconvenient, yet it is just the protection needed to keep hackers out. While some online apps have their own built-in 2FA options, systems like the one CoreTech uses from DUO Security allow you to protect multiple systems and will even secure your LastPass Enterprise password vault.
2. Layered security
You likely use software for antivirus protection and email scanning. And you probably have a firewall securing your Internet traffic. While those solutions may have been enough years ago, they are now only the foundational elements of an updated layered security design.
Consider utilizing additional software and services which will scan and secure the traffic differently than your current systems. Where before you could get by with one type of software, now it takes several. Traditional pattern-based systems should be supplemented by packages that analyze behaviors and leverage big-data analytics for next-gen security.
In addition, be certain your firewall is improving and adding features over time rather than remaining stagnant. Are your firewall settings checked to restrict user access to categories of websites, thus reducing the number of higher-risk websites that are even accessible? If not, then you will definitely want to address these settings. Periodic reviews of your firewall configuration are needed to ensure that you are utilizing all the features that are available and that your policies follow current best practices.
Also, don’t lose sight of the WiFi security at your office. You will want to have the proper security controls in place, including passwords and separate network segments for guest and employee devices. It is important that devices you do not manage are not given access to your internal network, which would compromise the integrity and security of your systems.
3. Remote access
If you allow staff remote access to your systems, it’s time to evaluate how that access is granted. If your users require remote access to their work PCs on a casual basis, use a secure remote access application like Splashtop. For frequent remote access, use a Virtual Private Network (VPN) or Remote Desktop Services (RDS) Gateway. For larger groups of remote users we recommend the RDS Gateway as the best security option. With any remote access method, deploying 2FA is a necessity!
The use of phones and tablets for work increases convenience and productivity, but it also adds more risk. Whether you provide devices to your staff or you subscribe to a BYOD (bring your own device) policy, you need to seriously consider a mobile device management system.
4. End-user training
There is no way around it: end-user training and knowledge are key to avoiding phishing, spear phishing, malware, and ransomware attacks. IT is able to stop a high percentage of malicious emails and attacks from getting through your network; however, for those emails that are crafted to get through, your staff need the knowledge to identify and avoid these attacks.
There are several ways to accomplish training, and we recommend working through all of them to protect your business:
Internal training
Consider bringing in CoreTech staff for a lunch and learn or to host a webinar for staff training that includes Q & A. Take a look at our offering on this landing page: In-house training: Security for Business Users
Specific in-house testing
Test staff knowledge and find out who in your organization may need additional training in recognizing phishing emails. These knowledge tests send simulated phishing emails that are tied back to a reporting system, so that you know who in your user base needs additional training.
Online learning
There are some great online tools and webinars to help your staff learn more about what to watch out for. This goes beyond phishing emails, to spear phishing, malware, ransomware, texts, phone calls, and beyond. There are a number of different ways hackers are trying to steal your money and mess up your network—it’s good to be aware of all of them.
CoreTech maintains tools to assist you with all of the training above. In addition, if your business needs assistance implementing any of the security controls discussed, please contact us today.