19 Cybersecurity Recommendations from Brandon Global for 2019

Top 19 cyber security tips for businesses in 2019 

  1. Ensure your organization has an information security policy that is easy to understand and sets out management's and the organization's position on all things IT security. This policy should reflect management's decisions on how data will be stored, accessed and secured within the organization. Once complete, and reviewed at least yearly, it should be shared with internal staff and with the external suppliers that contribute to information security in the organization.

  2. Implement a cyber security awareness programme for employees covering secure browsing, phishing and social engineering. It is important that this is done on an ongoing basis and is regularly tested; regular testing builds awareness and engagement. In addition, finance staff should be made aware of finance-specific social engineering scams such as requests to change payment account details and fake invoices.

  3. Ensure that there is a process in place to keep all machines up to date with security patches. This should cover operating systems and also third-party software such as Adobe and Java. In general, all machines and software, including mobile devices, should be kept up to date.

  4. Encrypt sensitive information, both at rest and in transit. Put a process in place for securely transferring data into and out of the organization. All mobile devices and devices that store data should be fully encrypted. Also, only company-issued, encrypted USB keys should be usable on corporate devices.

  5. Keep firewalls up to date and enable security functionality such as content filtering and reporting. Firewalls have access to subscription services and can detect abnormal activity on your network. Ensure that these services are turned on and that you receive reports, scheduled or on demand.

  6. Limit traffic leaving the network to known service ports. These should be restricted to just a few, for secure web browsing and known services. Also implement DNS filtering to block known malicious websites. From the outside in, limit inbound services to the minimum required to carry out business operations.
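The egress allow-list in tip 6 only holds if someone checks the firewall's actual behaviour against it. The script below is an added example (not from Brandon Global or any firewall vendor) that reads a constructed, hypothetical key=value firewall log, flags outbound flows the firewall allowed but the written policy does not, and counts denied attempts per host so that a machine repeatedly reaching for blocked ports stands out. The log format, the host addresses and the allow-list are all assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample log in an assumed key=value format (not a real vendor format).
SAMPLE_LOG = """\
2019-03-04T09:12:01Z action=allow proto=tcp src=10.0.1.25 dst=203.0.113.8 dport=443
2019-03-04T09:12:07Z action=allow proto=udp src=10.0.1.25 dst=10.0.0.2 dport=53
2019-03-04T09:13:44Z action=allow proto=tcp src=10.0.1.31 dst=198.51.100.77 dport=8080
2019-03-04T09:14:02Z action=allow proto=tcp src=10.0.1.40 dst=192.0.2.9 dport=25
2019-03-04T09:15:19Z action=deny proto=tcp src=10.0.1.40 dst=192.0.2.9 dport=6667
2019-03-04T09:16:55Z action=allow proto=tcp src=10.0.1.31 dst=203.0.113.10 dport=80
"""

# Assumed written egress policy: web browsing, DNS and time sync only.
EGRESS_ALLOW = {("tcp", 80), ("tcp", 443), ("udp", 53), ("udp", 123)}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>allow|deny) proto=(?P<proto>tcp|udp) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Turn log lines into dicts; malformed lines are skipped, not fatal,
    so a scheduled report still runs on a partially corrupt file."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def audit_egress(events, allow=EGRESS_ALLOW):
    """Return (policy_gaps, deny_counts).

    policy_gaps: flows the firewall allowed whose protocol/port is outside the
                 allow-list, i.e. the rule set is looser than the written policy.
    deny_counts: denied attempts per source host, to surface hosts that keep
                 trying blocked services (malware or a misconfigured application)."""
    gaps = [
        ev for ev in events
        if ev["action"] == "allow" and (ev["proto"], ev["dport"]) not in allow
    ]
    denies = Counter(ev["src"] for ev in events if ev["action"] == "deny")
    return gaps, denies


def report(text):
    """Human-readable weekly summary built from the audit results."""
    gaps, denies = audit_egress(parse_log(text))
    lines = ["Allowed flows outside the egress policy:"]
    lines += [f"  {g['ts']} {g['src']} -> {g['dst']} {g['proto']}/{g['dport']}" for g in gaps]
    lines.append("Denied attempts per source host:")
    lines += [f"  {src}: {n}" for src, n in denies.most_common()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run weekly against the exported firewall log, every entry under "outside the egress policy" is either a rule that needs tightening or a business need that should be added to the policy explicitly; either way it should not stay silent.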

  7. At the user level, restrict access to webmail, content-sharing and file-sharing sites. These sites can bypass the security scanning that has been put in place and can also lead to data leakage. This restriction can be applied to users both inside and outside the office.

  8. Retire legacy systems before they reach end of life or fall out of mainstream support. Windows 7 reaches its End of Life phase on January 14, 2020; Microsoft will stop releasing updates and patches for the operating system at that point. Plan now to have these machines replaced or upgraded before January 2020. Also on January 14, 2020, Microsoft will officially end its support for Windows Server 2008 R2 editions.

  9. Ensure mobile devices are authorized, encrypted and PIN protected. This functionality is now available within Office 365 and similar cloud platforms.

  10. Make sure all important information is part of a backup schedule, and that test restores are carried out quarterly, including a full yearly disaster recovery test. A comprehensive backup schedule should contain full server image-level backups that are stored both on-site and offsite. Your business requirements will determine the frequency of the backups. The offsite schedule determines your disaster recovery point, that is, how much recent data you could lose.

  11. Control physical access to comms rooms and data storage areas. All access to comms rooms should be restricted, under access control and monitored by CCTV where possible. Any guest access to comms rooms should be monitored and supervised. The comms room should be neat and tidy and have all equipment labelled. It should also be possible to walk around cabinets and for engineers to access all equipment without the risk of interrupting services due to space and access issues. All equipment should be powered from a UPS for power protection, with the UPS on a dedicated electrical circuit. Server and storage equipment with dual power supplies should be on two separate UPS units fed from two independent dedicated circuits. UPS software should be configured to gracefully shut down server workloads in the event of power loss. The use of extension leads and cords should be prohibited in the comms room; rackmount power distribution units, powered from the UPS, should be used instead.

  12. Use separate networks for guest Wi-Fi and secure corporate Wi-Fi. Most current firewalls and switches allow for separation of corporate and guest Wi-Fi by segmenting guests onto a separate network and only allowing domain-joined machines onto the corporate network once authenticated.

  13. Limit employee access to just the data and information required for their job function. This can be done using groups. If possible, segment data per department and limit access based on user departmental groups.

  14. Enable two-factor authentication, consisting of a password and an authentication token, for remote access and also for access to email from mobile devices. This adds an additional layer of security and limits the damage if a user is phished for their username and password. Authenticator apps can be used on mobile devices once the device is secured.

  15. Ensure data in the cloud is part of the backup schedule. Data is sometimes migrated to the cloud and then forgotten about, but it needs to be backed up just like on-premises data.

  16. Use security products that give a detailed level of reporting for anti-spam, anti-virus and anti-malware. By running reports weekly, you will notice any issues on the network and also begin to build up an understanding of what normal activity looks like for your organization.

  17. Maintain an asset register of the devices in use in your organization. Schedule the replacement of these devices based on age and function. This register can also be used to forecast the upcoming IT budget spend on asset replacement. Securely recycle retired machines and keep certificates of secure disk erasure or destruction. Ensure aged assets like switches and UPS devices are replaced on a schedule; some of these devices are easily forgotten until they cause an issue. As part of asset register management, the warranty and support on critical systems should be tracked, and all critical equipment such as servers, firewalls and software should be kept under support, allowing the hardware and software to be kept up to date.

  18. Carry out a scheduled physical review of the comms rooms to check temperature controls, error notifications on hardware, and any unauthorized changes or additions.

  19. Review reports for backups, security updates, remote access, Internet activity and AV/malware security software weekly. These reports should align with the number of users and assets in use.


Brandon Global has years of experience in cyber security advice and solutions. Contact us to learn more about our services.