Organizing for the New Year
It’s a new year! While pondering resolutions and personal goals, take a moment to think about improving your workplace’s information security, too. That’s right, information security–not just cyber security, although the latter is supposed to help the former. Is there at least one thing that might provide some peace of mind regarding your critical tools or sensitive information? Here are some ideas!
Require multi-factor authentication
To thwart phishing attempts or at least make phishing a lot more difficult, consider requiring an additional login code when users access the network or a very important third-party app. Users may push back as it IS another step, but it’s one of the best ways to secure access to information. If users accidentally fall for a phishing scheme and provide their credentials to an attacker, access to the network or app is still protected by the additional login code.
When a vendor doesn’t offer a second login step, you may still be able to implement multi-factor authentication if there’s another layer of access involved. For example, access to the app can be restricted to the work network, where users have already been authenticated to the WiFi.
Restrict outgoing files
Can you restrict file types/sizes leaving your network? A Data Loss Prevention (DLP) tool can help prevent attempts at insider theft of information, or get ahead of a malicious actor who has gained access to the network.
Separate BYOD wireless access
Sometimes, individuals connect personal devices to the work wireless network to avoid using their data plan. Introducing these unknown, possibly unpatched, possibly compromised devices to YOUR network could be just the opening an attacker needs to probe your network for soft spots. Have you considered creating a separate wireless network for employees’ personal devices?
Close down unnecessary ports
Malware may be introduced through USB-connected devices, and company information may be downloaded, intentionally or unintentionally, through data ports. If USB ports are forbidden by use policy, try adding a technical control to disable these ports or, at minimum, create a record when they are accessed.
Alert on suspicious login attempts
Does your account management tool of choice send alerts when a “suspicious” login occurs? These are logins that may take place on unrecognized devices or in geographic locations that don’t make sense. Enable these alerts so your help desk can investigate unauthorized logins and begin to remediate the situation.
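One way to express this kind of check, as an added example that is not part of the original post or any vendor's product: it flags a login from a device not seen before for that user, and a login whose distance from the previous one implies travel nobody could make. The event fields, the 900 km/h and 100 km thresholds, and the sample logins are assumptions constructed for illustration.

```python
import math
from datetime import datetime

MAX_KMH = 900  # assumed threshold: faster than a commercial flight is implausible

# Constructed sample events: (user, ISO timestamp, device id, latitude, longitude)
SAMPLE_EVENTS = [
    ("alice", "2024-01-02T08:00:00", "laptop-01", 40.71, -74.01),   # New York
    ("alice", "2024-01-02T09:30:00", "laptop-01", 40.73, -73.99),   # New York
    ("alice", "2024-01-02T10:00:00", "phone-77", 51.51, -0.13),     # London
    ("bob",   "2024-01-02T08:15:00", "desktop-09", 41.88, -87.63),  # Chicago
    ("bob",   "2024-01-03T08:10:00", "desktop-09", 41.88, -87.63),
]

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine) in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(a))

def suspicious_logins(events, max_kmh=MAX_KMH):
    """Return (user, timestamp, reasons) for each login that should alert."""
    known_devices, last_seen, alerts = {}, {}, []
    for user, ts, device, lat, lon in sorted(events, key=lambda e: e[1]):
        when, reasons = datetime.fromisoformat(ts), []
        devices = known_devices.setdefault(user, set())
        # The first device seen for a user is treated as enrolled (assumption).
        if devices and device not in devices:
            reasons.append("unrecognized device")
        devices.add(device)
        if user in last_seen:
            prev_when, prev_lat, prev_lon = last_seen[user]
            hours = (when - prev_when).total_seconds() / 3600
            dist = km_between(prev_lat, prev_lon, lat, lon)
            # Ignore small moves (GeoIP jitter); flag travel no one could make.
            if dist > 100 and (hours <= 0 or dist / hours > max_kmh):
                reasons.append(f"impossible travel ({dist:.0f} km in {hours:.1f} h)")
        last_seen[user] = (when, lat, lon)
        if reasons:
            alerts.append((user, ts, reasons))
    return alerts

if __name__ == "__main__":
    for user, ts, reasons in suspicious_logins(SAMPLE_EVENTS):
        print(f"ALERT {user} {ts}: {', '.join(reasons)}")
```

In practice the device and location history would come from your identity provider's sign-in logs rather than an in-memory dictionary.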
Place access controls on highly sensitive information
If highly sensitive information is available to more than those with the need-to-know, consider additional access controls. One way to do this is to create a subgroup of users and assign access rights only to this subgroup.
Get users on board
No matter which tools or techniques you choose to implement to improve your workplace’s information security, make sure you can justify the business impact and appeal to your user base, especially if it will add new steps to their workflow. It also doesn’t hurt to solicit feedback so their concerns are addressed, which helps maintain user trust in the IT department.
We hope you get a secure start to the New Year!