10 best practices to protect your company’s digital security
1. Engage and train users.
A user who has not been educated about security issues or trained in good practices is a weak link in the company's security, and overall IT security is only as strong as its weakest link. Every user must know which data is considered sensitive and be familiar with the company's security policy and related guidelines. Basic rules could include: never reusing a personal password at work; not connecting personal equipment to the company network; locking the session on one's workstation before stepping away from it; knowing the procedure to follow when a breach is suspected. Companies can also organize short, targeted training on specific issues, for example an information session on phishing, on ransomware, or on the risks associated with USB keys.
2. Secure workstations.
Companies must define a policy on which software can and cannot be installed on workstations. This could take the form of an allowlist of applications and browser extensions, or a rule that every installation requires authorization from the IT department. Hosting authorized installers on your own server helps control what users install, but it only guarantees authenticity if each package is verified (by cryptographic hash or publisher signature) before it is published there and again before it is installed. Workstations must also be kept up to date and equipped with at least antivirus and antispam software and a correctly configured local firewall. Volumes and partitions holding user data must be encrypted and regularly backed up to systems that are not permanently connected to the network, so that ransomware running on the workstation cannot reach the backups. Encrypting laptops, especially those that leave the premises, is vital because of the heightened risk of theft or loss.
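The hash check mentioned above, as an added example that is not code from the original article. It shows both sides: IT records the SHA-256 of each approved installer in a manifest when publishing it, and the workstation refuses anything whose name is not on the list or whose hash does not match. The manifest layout, package names and file contents are constructed for the demonstration.

```python
"""Check a downloaded installer against the list of approved software.

Added example, not code from the original article. The manifest layout,
package names and file contents below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict, Tuple


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(directory: str) -> Dict[str, str]:
    """IT side: record the hash of every approved installer when publishing it.

    The hashes should be checked against the vendor's signed release first;
    hashing whatever file is on the server only pins what is already there."""
    return {name: sha256_file(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))}


def verify_installer(path: str, manifest: Dict[str, str]) -> Tuple[bool, str]:
    """Workstation side: the name must be approved and the hash must match."""
    name = os.path.basename(path)
    expected = manifest.get(name)
    if expected is None:
        return False, f"{name}: not on the approved-software list"
    actual = sha256_file(path)
    # compare_digest avoids leaking where the two strings first differ
    if not hmac.compare_digest(actual, expected):
        return False, f"{name}: hash mismatch (tampered or wrong version)"
    return True, f"{name}: approved"


def demo() -> Dict[str, bool]:
    """Constructed repository, then an intact, a tampered and an unlisted download."""
    with tempfile.TemporaryDirectory() as repo, tempfile.TemporaryDirectory() as downloads:
        with open(os.path.join(repo, "editor-2.4.exe"), "wb") as fh:
            fh.write(b"constructed installer bytes v2.4")
        manifest = build_manifest(repo)

        good = os.path.join(downloads, "good")
        bad = os.path.join(downloads, "bad")
        os.makedirs(good)
        os.makedirs(bad)
        with open(os.path.join(good, "editor-2.4.exe"), "wb") as fh:
            fh.write(b"constructed installer bytes v2.4")
        with open(os.path.join(bad, "editor-2.4.exe"), "wb") as fh:
            fh.write(b"constructed installer bytes v2.5")   # one byte changed
        with open(os.path.join(good, "toolbar.exe"), "wb") as fh:
            fh.write(b"not on the approved list")

        return {
            "intact": verify_installer(os.path.join(good, "editor-2.4.exe"), manifest)[0],
            "tampered": verify_installer(os.path.join(bad, "editor-2.4.exe"), manifest)[0],
            "unlisted": verify_installer(os.path.join(good, "toolbar.exe"), manifest)[0],
        }


if __name__ == "__main__":
    print(demo())   # {'intact': True, 'tampered': False, 'unlisted': False}
```

In production the manifest itself must be signed (or fetched over an authenticated channel) so that an attacker who can alter the hosted installer cannot simply alter the manifest to match.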
3. Locate sensitive data.
Every company must manage its sensitive information, i.e. any data whose loss or theft could be damaging or even disastrous. The company must know at all times where that data resides and on which physical equipment, in order to apply specific security measures to it. Data hosted on external systems (a cloud service, an IaaS or PaaS platform) must be given special treatment because of its specific risks: security is shared with the provider, and a single misconfigured access control can expose it to the whole Internet. Weigh the merit of externalizing such data against those risks before doing so. Identifying sensitive data also lets you control the associated access rights more tightly.
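Knowing where sensitive data resides starts with finding it. The scanner below is an added example, not code from the original article: it walks a directory tree and reports payment card numbers (candidates are filtered with the Luhn checksum so that order numbers and phone numbers are not flagged) and e-mail addresses, masking the card numbers in the report. The file contents are constructed; 4111 1111 1111 1111 and 4242 4242 4242 4242 are public test card numbers.

```python
"""Find sensitive data (card numbers, e-mail addresses) in a directory tree.

Added example, not from the original article. File contents are constructed;
the card numbers used are public test numbers, not real cards.
"""
import os
import re
import tempfile
from typing import Dict, List

# 13 to 19 digits, optionally separated by spaces or dashes, as card numbers are usually typed
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: weeds out most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    numbers = []
    for candidate in CARD_CANDIDATE_RE.findall(text):
        digits = re.sub(r"[ -]", "", candidate)
        if luhn_valid(digits):
            numbers.append(digits)
    return numbers


def mask(number: str) -> str:
    """Keep only what a report needs: issuer prefix and last four digits."""
    return number[:6] + "*" * (len(number) - 10) + number[-4:]


def scan_tree(root: str) -> List[Dict[str, str]]:
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            rel = os.path.relpath(path, root)
            for number in find_card_numbers(text):
                findings.append({"file": rel, "type": "card_number", "value": mask(number)})
            for email in EMAIL_RE.findall(text):
                findings.append({"file": rel, "type": "email", "value": email})
    return findings


def demo() -> List[Dict[str, str]]:
    """Constructed tree: one file with a card number and an e-mail, one with a digit run
    that fails Luhn (an order reference, not a card), one clean file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "finance"))
        with open(os.path.join(root, "finance", "refunds.txt"), "w") as fh:
            fh.write("Refund to card 4111 1111 1111 1111, contact jane.doe@example.com\n")
        with open(os.path.join(root, "orders.txt"), "w") as fh:
            fh.write("Order reference 4111 1111 1111 1112 shipped\n")
        with open(os.path.join(root, "README.txt"), "w") as fh:
            fh.write("Nothing sensitive here.\n")
        return sorted(scan_tree(root), key=lambda f: (f["file"], f["type"]))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against file shares and backup locations, not just laptops; the places nobody remembers are where unprotected copies accumulate.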
4. Manage user accounts tightly.
Companies must maintain flawless management of user accounts: disable them as soon as an employee leaves (or changes role), and review them regularly to confirm that each still holds only the rights it needs. Never grant more rights than necessary; not everyone needs administrator rights, and those who do should exercise them from a separate privileged account reserved for administrative tasks. Also check that access rights to sensitive data are correctly configured. Finally, in the interest of traceability, never allow generic, shared accounts: every action must be attributable to one named user, and only individual accounts make that possible.
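What a periodic account review looks like in practice, as an added example that is not code from the original article: the list of accounts from the directory is reconciled against the HR roster, and the script flags exactly the cases the paragraph warns about (accounts of people who have left, shared accounts with no single owner, administrator rights held by roles that do not need them, and accounts nobody has used for months). Employee ids, usernames, groups and dates are constructed, and the admin-group and admin-role names are assumptions.

```python
"""Reconcile user accounts against the HR roster and flag what a review should catch.

Added example, not from the original article. Employee ids, names, groups and
dates are constructed; the admin-group and admin-role names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class Employee:
    employee_id: str
    role: str
    active: bool           # False once HR has recorded the departure


@dataclass
class Account:
    username: str
    owner: Optional[str]   # employee id; None for shared/generic accounts
    groups: Set[str]
    last_login: Optional[date]


ADMIN_GROUPS = {"Domain Admins", "sudo"}    # assumption: groups that confer admin rights
ADMIN_ROLES = {"sysadmin", "security"}      # assumption: roles allowed to hold them
DORMANT_DAYS = 90


def review_accounts(accounts: List[Account], roster: List[Employee],
                    today: date) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs; an account with no finding is simply absent."""
    people = {e.employee_id: e for e in roster}
    findings = []
    for acct in accounts:
        if acct.owner is None:
            findings.append((acct.username,
                             "generic account: no single accountable user, actions not traceable"))
            continue
        emp = people.get(acct.owner)
        if emp is None or not emp.active:
            findings.append((acct.username,
                             "orphaned: owner unknown or has left, disable immediately"))
            continue
        admin = acct.groups & ADMIN_GROUPS
        if admin and emp.role not in ADMIN_ROLES:
            findings.append((acct.username,
                             f"excess privilege: role '{emp.role}' holds {sorted(admin)}"))
        if acct.last_login is None or (today - acct.last_login).days > DORMANT_DAYS:
            findings.append((acct.username,
                             f"dormant: no login in {DORMANT_DAYS} days, confirm it is still needed"))
    return findings


def demo() -> List[Tuple[str, str]]:
    today = date(2024, 6, 1)
    roster = [
        Employee("E001", "sysadmin", True),
        Employee("E002", "sales", True),
        Employee("E003", "marketing", False),   # left last month
        Employee("E004", "hr", True),
    ]
    accounts = [
        Account("alice", "E001", {"Domain Admins", "Domain Users"}, today - timedelta(days=2)),
        Account("bob", "E002", {"Domain Admins", "Domain Users"}, today - timedelta(days=5)),
        Account("carol", "E003", {"Domain Users"}, today - timedelta(days=40)),
        Account("dave", "E999", {"Domain Users"}, today - timedelta(days=1)),
        Account("erin", "E004", {"Domain Users"}, today - timedelta(days=120)),
        Account("svc-backup", None, {"Backup Operators"}, None),
    ]
    return review_accounts(accounts, roster, today)


if __name__ == "__main__":
    for username, finding in demo():
        print(f"{username:12} {finding}")
```

The HR roster is the source of truth here on purpose: the directory only knows which accounts exist, not which people still work for the company.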
5. Provide clear guidelines for password creation.
Users must receive detailed guidelines on creating robust passwords: long (a passphrase of several words is easier to remember and harder to guess than a short string of symbols), unique to each service, and never shared between personal and work accounts. The guidelines must strictly forbid writing passwords down on physical media (notepads, whiteboards, etc.) or storing them on unencrypted digital media ("passwords.txt", email, etc.). Users who must juggle several complex credentials should use a password manager (KeePass, Enpass, 1Password, etc.), which generates and stores a distinct password for each service so that nothing has to be memorized or written down.
6. Strengthen authentication.
To protect strategic accounts, use multi-factor authentication: the password is combined with a second factor, either something the user possesses (a FIDO U2F or FIDO2 security key, an OpenPGP smart card, an RFID badge, a hardware token, an authenticator app generating one-time codes, a single-use code sent via SMS) or something the user is (fingerprint, voice recognition, iris scan). Not all second factors are equal: SMS codes can be intercepted or redirected through SIM-swap fraud, and one-time codes of any kind can be phished and relayed in real time, whereas FIDO keys bind the login to the legitimate site's origin and resist phishing. A geographic location or the connecting device's network is better treated as a contextual signal that triggers additional verification than as a factor in its own right.
7. Limit the devices authorized to connect to the company network.
Devices that connect to the internal network must be under the company's control; visitors' devices and employees' personal equipment are an exposure the company cannot manage. To accommodate them, create a dedicated guest Wi-Fi network entirely separate from the company infrastructure (its own VLAN or physical segment, with no route to internal systems and clients isolated from one another), while still offering a decent level of security: WPA2 at minimum and WPA3 where access points and clients support it, AES-CCMP rather than the broken TKIP cipher, and regular rotation of the shared passphrase. In parallel, control the use of external USB keys on company systems, since they bypass the network perimeter entirely.
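A guest access-point configuration that applies those settings, as an added example that is not from the original article. It is written for hostapd; the interface, bridge and SSID names are placeholders and the passphrase is a sample. The weak settings are shown commented out beside the corrected ones.

```ini
# hostapd.conf for a guest network. Added example, not from the article.
# Interface, bridge and SSID names are placeholders; the passphrase is a sample.
interface=wlan1
# bridge carrying only the guest VLAN; it has no route to the company LAN
bridge=br-guest
ssid=Company-Guest
hw_mode=g
channel=6
# guests cannot reach each other through the access point
ap_isolate=1

# Weak settings still found in the field (do not use):
#   wpa=3                    WPA1 and WPA2 both allowed
#   wpa_pairwise=TKIP        broken cipher accepted for WPA1 clients
#   rsn_pairwise=TKIP CCMP   WPA2 clients can be downgraded to TKIP

# WPA2-Personal, AES-CCMP only
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# rotate this regularly, as the article recommends; a changed passphrase
# also evicts former visitors who still have the old one
wpa_passphrase=rotate-this-passphrase-monthly

# WPA3-Personal (SAE) where the hardware supports it. Protected Management
# Frames (ieee80211w) are mandatory for WPA3. For a WPA3-only network,
# replace the three WPA-PSK lines above with:
#   wpa_key_mgmt=SAE
#   sae_password=rotate-this-passphrase-monthly
#   ieee80211w=2
# For a transition network serving both WPA2 and WPA3 clients:
#   wpa_key_mgmt=WPA-PSK SAE
#   ieee80211w=1
```

The bridge line is the part that actually separates guests from the company: the encryption settings protect the radio link, but only the network design keeps a guest from reaching the file server.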
8. Encrypt all data transmitted over the Internet.
Any data circulating unencrypted on the Internet is exposed: email, exchanges with cloud platforms, SaaS, etc. All these communications must go through protocols protected by TLS or SSH (HTTPS, IMAPS, SMTPS or SMTP with STARTTLS, POP3S, SFTP, etc.). Email deserves a specific caveat: transport encryption between mail servers is opportunistic and hop by hop, so a message may cross an unencrypted hop and is stored in clear on every intermediate server along the way. Assume that anything sent by email can be read by third parties unless the content itself is encrypted end to end with OpenPGP (the standard implemented by PGP, GnuPG and others) or S/MIME. Also, users who need to connect remotely to company systems over the Internet (mobile employees, teleworkers) must do so through a secure tunnel such as a VPN.
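How a piece of in-house software should talk to a mail server, as an added example that is not code from the original article. The weak pattern (plain SMTP on port 25) is shown beside the two acceptable ones: submission with STARTTLS, which aborts rather than continuing in clear when the server does not advertise the extension, and implicit TLS on port 465. Both use a TLS context that verifies the certificate chain and host name and rejects anything below TLS 1.2. No network connection is made here; the host names are placeholders.

```python
"""Send mail only over a verified TLS session, refusing to fall back to clear text.

Added example, not from the original article. No connection is made by the
tests; the functions show the settings to enforce. Host names are placeholders.
"""
import smtplib
import ssl
from typing import Iterable, Optional


def hardened_tls_context() -> ssl.SSLContext:
    """Certificate chain and host name verified against the system CA store; no TLS below 1.2."""
    ctx = ssl.create_default_context()        # verify_mode=CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send_in_clear(host: str, sender: str, recipients: Iterable[str], message: bytes) -> None:
    """The weak pattern: SMTP on port 25 with no STARTTLS, readable on every hop."""
    with smtplib.SMTP(host, 25, timeout=10) as smtp:
        smtp.sendmail(sender, list(recipients), message)


def send_with_starttls(host: str, sender: str, recipients: Iterable[str], message: bytes,
                       port: int = 587, context: Optional[ssl.SSLContext] = None) -> None:
    """Submission on 587: upgrade with STARTTLS and abort if the server does not offer it.

    Aborting matters: an attacker on the path can strip the STARTTLS capability from
    the server's EHLO reply, and an opportunistic client would then continue in clear."""
    ctx = context or hardened_tls_context()
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host}:{port} does not offer STARTTLS; refusing to send in clear")
        smtp.starttls(context=ctx)            # raises if the certificate or host name is wrong
        smtp.ehlo()                           # re-negotiate capabilities inside the TLS session
        # smtp.login(user, password) belongs here, only once the session is encrypted
        smtp.sendmail(sender, list(recipients), message)


def send_implicit_tls(host: str, sender: str, recipients: Iterable[str], message: bytes,
                      port: int = 465, context: Optional[ssl.SSLContext] = None) -> None:
    """SMTPS: TLS from the first byte, so there is no plaintext phase to downgrade."""
    ctx = context or hardened_tls_context()
    with smtplib.SMTP_SSL(host, port, timeout=10, context=ctx) as smtp:
        smtp.sendmail(sender, list(recipients), message)


if __name__ == "__main__":
    ctx = hardened_tls_context()
    print("verify:", ctx.verify_mode.name, "hostname check:", ctx.check_hostname,
          "minimum:", ctx.minimum_version.name)
    # send_with_starttls("mail.example.com", "me@example.com", ["you@example.org"],
    #                    b"Subject: test\r\n\r\nhello\r\n")   # placeholder host, not run here
```

The same three settings (verification on, host name checked, minimum TLS 1.2) apply to every client library that talks IMAP, HTTP or any other protocol over TLS; disabling verification to make a self-signed certificate "work" gives up exactly the protection this section is about.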
9. Partition the network.
You should isolate machines that offer services visible from the Internet (for example, web hosting) from the rest of the company network by placing them in a demilitarized zone (DMZ). More generally, the network architecture should be segmented so that the compromise of one machine cannot spread to all the others: group systems with similar security needs into separate zones (user workstations, internal servers, administration, DMZ) and filter traffic between zones with a firewall that denies everything by default and allows only the flows each zone actually needs.
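A zone-based firewall ruleset of that kind, as an added example that is not from the original article. It is written for nftables on a Linux gateway with one interface per zone; the interface names, addresses and the single permitted DMZ-to-server flow (the web application reaching its database) are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the article. Interface names, addresses and the
# permitted flows are assumptions for a gateway with one interface per zone.
flush ruleset

define WAN = "eth0"
define DMZ = "eth1"      # 192.0.2.0/24   public web server(s)
define LAN = "eth2"      # 10.10.0.0/16   user workstations
define SRV = "eth3"      # 10.20.0.0/16   internal servers (files, mail, directory)
define WEB = 192.0.2.10
define DB  = 10.20.0.5
define ADMIN_NET = 10.10.99.0/24

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # administration of the firewall itself only from the admin network
        iifname $LAN ip saddr $ADMIN_NET tcp dport 22 accept
        icmp type echo-request limit rate 5/second accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published web service
        iifname $WAN oifname $DMZ ip daddr $WEB tcp dport { 80, 443 } accept

        # DMZ -> internal servers: one explicit flow (web application to its database)
        iifname $DMZ oifname $SRV ip saddr $WEB ip daddr $DB tcp dport 5432 accept
        # everything else from the DMZ inward is logged, then dropped by policy
        iifname $DMZ oifname { $LAN, $SRV } log prefix "dmz-to-internal-denied " drop

        # Workstations -> internal servers: directory, file and web services only
        iifname $LAN oifname $SRV tcp dport { 53, 88, 389, 443, 445, 636 } accept
        iifname $LAN oifname $SRV udp dport { 53, 88, 123 } accept

        # Workstations and DMZ -> Internet: web only (mail leaves through the internal relay)
        iifname { $LAN, $DMZ } oifname $WAN tcp dport { 80, 443 } accept
    }
}
```

The log-and-drop rule for DMZ-to-internal traffic is the one to watch: a public web server that suddenly starts trying to reach the workstation subnet is a strong signal that it has been compromised.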
10. Don’t forget physical security.
Access to server rooms must be restricted with access cards or similar systems, and employees or external suppliers who are not accredited should never enter these rooms unescorted. Also secure or deactivate network sockets in public spaces (reception, meeting rooms), or connect them only to the isolated guest segment rather than to the internal network.