As security breaches increase and become more and more sophisticated over time, it is essential for every enterprise to develop complex security policies and guidelines that pertain to cybersecurity defense.
Sophistication is the key here; as the attacks become more sophisticated, so must the defense.
It must combine technology, strategy, and governance to ensure the security and integrity of both the business and the data.
Many companies either don’t bother or draw up rudimentary plans that do little to protect their business against the very real threats that they face every day and still more are running on systems that are outdated, leaving them wide open to malicious attacks.
In recent years, there has been a massive rise in security breaches, in particular, high-profile ones.
The lessons we must all learn from these are that we should all be examining our security policies, the infrastructure we have in place and our procedures with the aim of developing and taking on the most rigorous monitoring and protection system possible.
This is a checklist for every enterprise to follow to ensure full security:
- Take a good look at your current IT security policy and make sure your security strategy is fully in line with your business goals
- Put into a practice a security program that covers the entire enterprise and integrate it with your existing processes
- Adopt Security-as-a-service to ensure business demands are met and that regulatory, security and privacy requirements are addressed
- Come up with a comprehensive sourcing strategy for all of your required security services and determine which can be safely outsourced to a third-party managed security solution provider
- Fully understand the nature of the existing security threats within your business and the entire industry. Do the same with emerging threats
- Have a plan in place to assess the latest innovations in security as they become available and work out if and where they can put to use in your enterprise.
- Continually measure how effective your security policy is and keep it evolving to meet emerging threats and your security needs.
As an absolute basic, the following security controls should be in place in every enterprise:
- Encryption – endpoint devices are often connected to networks that are not protected and, as such, encryption should be in place to secure data in storage and in transit.The minimum encryption for data in transit should be 256-bit TLS, allowing users to access corporate data securely without having to use a VPN. For data in storage, the minimum encryption should be 256-bit AES.
- Access Control – Access should be secure and easy for the IT systems administrators to manage. Any web-based access to the control panel and the client should be through HTTPS so that authentication of both the web server and website are ensured and communication between client and server should be encrypted.
User access should be through single sign-on, allowing users secure access and backup should be in place. Because less than 50% of users will enable a password on their mobile devices, the backup solution should let administrators dictate that PIN numbers should be used on mobile devices to access the mobile app for backup.
- Cloud Security – There are loads of cloud solutions out there and the one that you choose should include sufficient protection for enterprise data.It should be compliant with the international standards, such as SSAE 16.
These are external audits that cover every aspect of infrastructure, control, and operations of the cloud, including physical security, facilities, network infrastructure, firewalls, storage, network configuration, etc.
A cloud backup solution should allow for each separate customer’s data to be segregated and have its own unique encryption key, which should also be encrypted to stop it from being compromised.
- Private Cloud Security – for the deployment of private cloud, a solution should be chosen that protects the network from intrusion. It does this by letting you block inbound firewall ports from any inbound connection that may be insecure.
- Data Loss Prevention – more than 30% of data breaches happen through stolen and lost devices. Data on laptops, tablets, and smartphones from leaks and breaches using a backup solution that includes the capability for data loss prevention.
These should encrypt files that are on devices using encryption technology built into the operating system.IT admin should be able to configure the folders and the files that are to be backed up to make sure that sensitive data is fully protected without having to resort to FDE – full disk encryption.
These solutions should also include remote wipe capabilities and geo-location. Admin should be able to locate a device at any given moment and initiate complete remote decommissioning on any stolen or lost device.