1. Endpoint Security
Endpoint Security is a pretty broad term so let’s clarify.
Firewalls are essential both at the individual device level and the company office level. Windows, MacOS and Linux all come with Firewalls built in but you need to make sure they are configured properly and more importantly turned on! By default they are preconfigured with rules to help you stay safe. Many Anti-virus software that you install come with firewalls by default and do a better job of enforcing compliance than Operating Systems.
Office Perimeter Firewalls
The classic office firewall still definitely has its place despite the move to the cloud and should always be the first line of defence for any sized business. Decent hardware Firewalls from the big security vendors are not expensive for smaller use cases and should definitely be deployed before anything else in your office network. By default no rules / access should be allowed into or out of the office network unless specifically configured by your Network / Systems Administrator. If your firewall has Intrusion Detection Systems, even better – make sure your definitions and rules are updated regularly to protect against new threats.
Cloud Based Firewalls / Cloud Security Groups
Cloud based firewalls, sometimes called Security Groups by the big Cloud vendors (AWS, Azure) need to be configured with Least Privilege access. Only open the very minimum of network ports to access your infrastructure.
Email Spam Protection Controls
Your Office 365 and G-Suite Mail service come with basic Anti-Malware and Antivirus controls but should definitely be further hardened to limit malicious emails from getting through. A better solution is to use an Email Gateway Solution as G-Suite and Office 365 use basic Whitelisting / Blacklisting rules whereas some of the more advanced Email Gateway use machine learning, URL rewriting, etc to keep you safe.
Antivirus and Anti-Malware Software
You can get some fantastic Antivirus and Anti-Malware Software for free – Bitdefender Free Antivirus and Malwarebytes Free come to mind, so there is no excuse for not having these in place.
Both Windows AND MacOS require these products. Unfortunately gone are the days where Mac’s don’t get viruses – although rarer than Windows they are still essential to have.
2. STRONG AUTHENTICATION
Unbelievably, The most popular password worldwide for last year was 123456!
Passwords should be as long as possible – minimum 10 characters, surprisingly numbers, non-alpha numeric characters are that important.
Multi Factor Authentication
All your accounts, both work and personal should be secured by Multi Factor Authentication where possible. In 2019 this is essential to protect your data. SMS is inherently far less secure than Authenticators like Google and Microsoft Authenticator as SMS numbers can be ported by a determined enough hacker.
For work, MFA on Administrator Accounts is absolutely a must if you decide not to apply it to normal user accounts (which you should). A compromised Administrator account can create havoc and destroy businesses.
3. DATA PROTECTION
Mobile Device Management
Company Data no longer resides in the office network on your file share, it is accessible through the cloud on any device, anywhere. BYOD (Bring your own Device) adoption means company data is likely on your tablet, phone, toaster. No seriously, but you get what I mean.
As a consequence of this companies need to secure their data wherever it sits, on personal devices or company owned laptops. This is where MDM (Mobile Device Management) comes in. You can setup software and policies to enforce data protection and allow remote wiping secure company data. Office 365 and G-Suite already have built in MDM you can configure and of course there are hundreds of third party solutions.
Data should be encrypted in transit and at rest. For in transit encryption think VPN connections and HTTPS / SSL with strong encryption ciphers to access your data in the cloud and in the office network. Data at rest should be encrypted disks. Both Windows and MacOs now have this built in – Bitlocker and Filevault so it shouldn’t cost anything to implement it.
4. PATCH MANAGEMENT
It is essential to ensure that your servers, computers and devices are patched regularly to prevent against hacking of zero day exploits, and a good Patch Management system is essential to automate this process.
Good Patch Management systems don’t have to cost much any more and once installed and implemented are set and forget. A small price to pay for peace of mind.
5. LEAST PRIVILEGE
Least Privilege / RBAC (Role Based Access Controls) are a set of principals which dictate that a user who needs to complete a task much have the absolute minimum amount of permission required to complete that task. For Cloud services such as AWS / Azure or Office 365 / G-Suite this means only the least number of administrators possible.
The higher the number of administrators the higher the chance of getting hacked.
RBAC means that instead of creating single users or groups with certain permissions, create a role with the requisite permissions and apply it to that user. Therefore, if the user leaves or changes job, you can remove the role without affecting anyone else.
A good backup is essential to protect against attacks and loss of company data. It should be point in time and offsite so you can have some level of BCP (Business Continuity Planning) in case you have main site loss. There are a lot of excellent, reasonably priced cloud based backup solutions.
You should also have a backup of your configuration and a backup of all your documentation and processes of site as well to protect your intellectual property.
7. SUPPLY CHAIN SECURITY
Having the most secure environment in the world is useless if your suppliers have no controls and you have your or your customer data stored with them. Hold your suppliers accountable for your data as if it was on your own onsite servers. The big Cloud vendors have whole sections of their portals dedicated to all of regulations they are compliant to – PCI DSS, ISO 27001, HPIAA – the list goes on an on.
For smaller vendors, make them fill out an annual audit.
It should be pointed out that despite the regulations the big providers comply with, it is a Shared responsibility model – I.E. once you use the infrastructure you are responsible to ensure it is secure. Spinning up an AWS EC2 instance, putting a website on it without SSL / HTTPS, it is NOT PCI DSS compliant!
8. CYBER INSURANCE / CYBER AWARENESS TRAINING
Training your employees to properly assess potential hacking situations is vital. There are great solutions out there to help train your users.
Cyber Insurance is also becoming increasingly important but Awareness comes first because thoughtless employee actions can mean your insurance is voided and you don’t get paid out if a breach occurs.
References / Guides
With multiple certifications in Cyber Resillience, AWS and Azure, we can help you implement all of these best practices to ensure the safety and security of your business.
Managed IT Services
Why choose a managed service provider to do your IT?