1. Staff are your weakest link
Regardless of the firewalls, anti-virus and spam-filtering software protecting your business assets, they can all be compromised by staff who are not trained in basic security practices.
Your business should have a well-defined security policy that includes a staff section with rules such as:
1) Not following any instruction to visit websites and/or install software unless the instruction has come from a trusted source via a trusted channel. It is far too common to read articles such as this one about staff blindly following instructions from anyone using a little social engineering.
2) Not clicking on any email attachment that is not part of their business role or that looks even remotely suspicious. Staff should also be warned that visiting social sites not related to their business is dangerous. “Waterhole” (watering hole) attacks are now showing up, and all businesses must be aware of how they work.
3) Never writing down passwords on paper, or storing them on the computer in plain text, where they can be associated with sensitive accounts.
2. Implement a disaster and maintenance plan
Defining a security policy and implementing security controls is great, but when disaster does strike your business will need to execute a disaster plan.
To reduce the exposure from a disaster, such as the amount of time the systems are down, your business also needs a maintenance plan to make sure all systems are up to date with patches. Download this free eBook that can help you create both.
3. Strong passwords and no defaults
It’s vital that all your passwords are strong. There is no excuse that passwords are too hard to remember! Use a password vault that stores passwords safely on your computers so you don’t have to remember them.
For example, below is what I consider to be a standard password.
Maybe not when you find that weak passwords allowed a hacker to breach your security.
Additionally, the security policy should state that any new software or hardware introduced into the business environment must have its default passwords changed before it is connected within the environment.
Hackers love default passwords since most are documented in public manuals.
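The two password rules above (strong passwords, no factory defaults) are easy to state and easy to skip. The following is an added example, not code from the original article: a small policy checker that a business could run when a staff member, vendor or new device is given a credential. The list of factory defaults is constructed for illustration; a real deployment would build it from the manuals of the equipment the business actually owns. The minimum length and three-character-class rule are assumptions, not a standard the article cites.

```python
# Added example (not from the original article): a minimal password-policy
# checker covering "strong passwords" and "no default passwords".
import string

# Constructed sample of vendor-style factory defaults. A real list would be
# built from the public manuals of the devices and software in use.
KNOWN_DEFAULTS = {"admin", "password", "123456", "changeme", "default"}

MIN_LENGTH = 12  # assumed policy value, not from the article


def password_problems(password, context_words=()):
    """Return a list of policy violations; an empty list means the password passes.

    context_words are names that must not appear inside the password, such as
    the company name, the product name or the username it protects.
    """
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Factory defaults are documented in public manuals; reject them outright.
    if lowered in KNOWN_DEFAULTS:
        problems.append("matches a known factory default")

    # Require at least three of the four character classes.
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")

    for word in context_words:
        if word and word.lower() in lowered:
            problems.append(f"contains the context word {word!r}")

    return problems


def is_acceptable(password, context_words=()):
    """True when the password passes every rule in password_problems."""
    return not password_problems(password, context_words)


if __name__ == "__main__":
    for candidate in ("admin", "Acme2024!Secure", "Tr0ub4dor&3-Horse-Stapler"):
        print(candidate, "->", password_problems(candidate, ["Acme"]) or "OK")
```

The checker is meant to run at the point a credential is created, for example as the validation step of an onboarding script; a stored vault entry that fails it is a sign the account was set up outside the policy.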
4. Who has access?
At some stage a business will need to engage third parties to work within the business environment. Everything from access codes for websites to the code for the front door can be given out.
It is imperative that all third parties are given their own access codes, created solely for them. Do not give out any existing access codes, and certainly not the “god” accounts, just to make life easy. Make sure there is a well-maintained list of the access codes currently allocated and to whom.
When the third party has finished work the access code(s) given must be deactivated.
I have audited a few businesses where they could not tell me who still has access to their business or which access accounts those parties were actually given! Many times I have found FTP accounts given out years ago that are still active!
5. Trust No One
Whether by intention or mistake people can, and will, harm your business.
Hackers intentionally want to harm your business; your staff and the third-party providers you engage may not intend to, but will do so through lack of training or incompetence.
Ultimately it is the responsibility of the business owner to make sure that a well-defined and well-referenced security policy is in place.
Having a policy that treats everyone (staff, third parties, clients and the public) as “untrusted” is a good start. Then each group must only be allocated the access they need, not given full access by default.
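Sections 4 and 5 come down to one record and three questions: who was given which account, has it been deactivated now the engagement is over, and does anyone outside the business hold a “god” account? The following is an added example, not code from the original article: a minimal access register with the checks an auditor would run against it. The register entries, the role names and the set of roles treated as privileged are all constructed for illustration.

```python
# Added example (not from the original article): an access register for
# third-party credentials plus the audit checks from sections 4 and 5.
from dataclasses import dataclass
from datetime import date

# Constructed: roles the policy treats as "god" accounts.
PRIVILEGED_ROLES = {"administrator", "root", "owner"}


@dataclass
class Grant:
    account: str   # the credential handed out (login name, door code id)
    system: str    # what it opens: "website-ftp", "front-door", "crm"
    holder: str    # the person or company it was created for
    role: str      # level of access granted
    issued: date
    expires: date  # agreed end of the engagement
    active: bool = True


def stale_grants(register, today):
    """Grants past their expiry date that nobody deactivated."""
    return [g for g in register if g.active and g.expires < today]


def shared_grants(register):
    """Accounts handed to more than one holder: breaks one-account-per-party."""
    holders = {}
    for g in register:
        holders.setdefault((g.system, g.account), set()).add(g.holder)
    return sorted(key for key, hs in holders.items() if len(hs) > 1)


def privileged_third_party_grants(register, staff):
    """Active 'god' level access held by anyone who is not staff (section 5)."""
    return [
        g for g in register
        if g.active and g.role in PRIVILEGED_ROLES and g.holder not in staff
    ]


def holders_of(register, system):
    """Answer the auditor's question: who still has access to this system?"""
    return sorted({g.holder for g in register if g.active and g.system == system})


def audit(register, staff, today):
    """Run every check and return the findings in one dictionary."""
    return {
        "stale": [f"{g.account}@{g.system}" for g in stale_grants(register, today)],
        "shared": shared_grants(register),
        "privileged_third_party": [
            g.holder for g in privileged_third_party_grants(register, staff)
        ],
    }


# Constructed sample register: two vendors reused the same FTP login, and a
# consultant was handed the shared CRM administrator account.
REGISTER = [
    Grant("ftp-webdev", "website-ftp", "WebDev Ltd", "upload",
          date(2011, 3, 1), date(2011, 6, 30)),
    Grant("ftp-webdev", "website-ftp", "Design Co", "upload",
          date(2013, 1, 10), date(2013, 2, 28)),
    Grant("admin", "crm", "Consult Inc", "administrator",
          date(2014, 5, 1), date(2014, 12, 31)),
    Grant("door-7", "front-door", "Cleaners Pty", "entry",
          date(2014, 1, 1), date(2015, 12, 31)),
    Grant("admin", "crm", "Jane (owner)", "administrator",
          date(2010, 1, 1), date(2099, 1, 1)),
]
STAFF = {"Jane (owner)"}
AUDIT_DATE = date(2014, 9, 1)  # constructed date on which the audit is run

if __name__ == "__main__":
    for finding, items in audit(REGISTER, STAFF, AUDIT_DATE).items():
        print(f"{finding}: {items}")
    print("website-ftp holders:", holders_of(REGISTER, "website-ftp"))
```

Run on the sample register, the audit reports the two long-expired FTP grants that were never deactivated, flags the shared FTP login and the shared CRM administrator account, and names the one third party holding privileged access. The register is deliberately simple so that it could live in a spreadsheet exported to CSV; the point is that the questions in section 4 are only answerable if the record exists before the engagement starts.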