Introduce a Password Policy
In an organization, a strong password policy is the front line of defense. A widely cited breach report found that 81% of hacking-related breaches involved stolen or weak passwords. It is the system administrator's duty to make sure that proper rules and policies are in place, such as a Password History policy, a Minimum Password Length policy and a Password Complexity Requirements policy. Note that current guidance favors a generous minimum length and screening new passwords against lists of known-breached passwords over elaborate complexity rules.
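The three policies named above, implemented as a small enforcement routine. This is an added example, not code from the original article: the thresholds (14 characters, 3 of 4 character classes, a history of 24) are assumptions chosen for illustration, and the in-memory history dictionary stands in for whatever store the directory or application actually uses. Previous passwords are kept only as salted PBKDF2 digests, so the history check never needs plaintext.

```python
"""Password policy enforcement: minimum length, complexity classes and password history.
Added example, not from the original article. The thresholds below are assumptions chosen
to illustrate the three policies named in the text; adjust them to your own policy."""
from __future__ import annotations

import hashlib
import hmac
import os
import string

MIN_LENGTH = 14          # assumed minimum length
MIN_CLASSES = 3          # assumed: at least 3 of upper / lower / digit / symbol
HISTORY_SIZE = 24        # assumed: the last 24 passwords may not be reused
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so the history never stores plaintext; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def character_classes(password: str) -> int:
    """Count how many of the four classes (upper, lower, digit, symbol) the password uses."""
    checks = (str.isupper, str.islower, str.isdigit, lambda c: c in string.punctuation)
    return sum(1 for check in checks if any(check(c) for c in password))


class PasswordPolicy:
    def __init__(self, min_length: int = MIN_LENGTH, min_classes: int = MIN_CLASSES,
                 history_size: int = HISTORY_SIZE) -> None:
        self.min_length = min_length
        self.min_classes = min_classes
        self.history_size = history_size
        # Per-user list of (salt, digest), newest last; stands in for the directory's history store.
        self.history: dict[str, list[tuple[bytes, bytes]]] = {}

    def violations(self, username: str, password: str) -> list[str]:
        """Return every policy rule the candidate password breaks (empty list = acceptable)."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if character_classes(password) < self.min_classes:
            problems.append(f"uses fewer than {self.min_classes} character classes")
        if username.lower() in password.lower():
            problems.append("contains the account name")
        # History check: re-derive the digest with each stored salt and compare in constant time.
        for salt, digest in self.history.get(username, []):
            if hmac.compare_digest(hash_password(password, salt)[1], digest):
                problems.append(f"reused: matches one of the last {self.history_size} passwords")
                break
        return problems

    def set_password(self, username: str, password: str) -> bool:
        """Accept the password only if it passes every rule; record it in the history on success."""
        if self.violations(username, password):
            return False
        entries = self.history.setdefault(username, [])
        entries.append(hash_password(password))
        del entries[:-self.history_size]   # keep only the newest history_size entries
        return True


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("short", "Correct-Horse-Battery-9", "Correct-Horse-Battery-9"):
        accepted = policy.set_password("alice", candidate)
        print(f"{candidate!r}: {'accepted' if accepted else policy.violations('alice', candidate)}")
```

Each rule reports its own message so the user is told why a password was rejected, and the history comparison uses the stored salt and a constant-time compare rather than keeping old passwords in clear.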
Start using a Password Manager
However, it is hard to memorize a unique strong password for every account and service, which makes users more likely to write passwords down or reuse them, leaving them available for others to steal. The best solution is to introduce a password manager to your employees so they can generate, update and store all their passwords in one encrypted vault.
Even if you follow all these practices, attackers will still find ways to steal passwords unless users also follow best practices and are aware of the risks:
- Use two-factor authentication as an extra layer of security, so that a stolen password alone is not enough to log in.
- Never enter your credentials after clicking on a pop-up advertisement.
- Never enter your credentials after clicking on links inside emails. Always open the browser yourself, navigate to the site you want to visit, and only then enter your credentials.
- Remember that banks and responsible companies will never ask for your login credentials by email. If you are not sure, call the bank or the system administrator and confirm; do not use the contact details given in the same email, get them from a different source.
- Use the on-screen keyboard provided by bank portals for extra security (it defeats basic keyloggers, though not malware that captures the screen).
- Never enter your credentials on websites that do not use HTTPS.
- Avoid entering your credentials on public Wi-Fi; if you must, use HTTPS and the company VPN.
- Do not enter your password on devices you cannot trust, e.g. an internet café computer.
Security Patches and updates are Critical
Unpatched computers are priority one: they are one of the easiest ways for criminals to abuse your systems. Most employees tend to skip updates for fear of downtime or crashes, but in doing so they leave their systems open to attacks with far worse consequences than a little downtime from patching. Security patches and updates must be reviewed and applied as soon as they are available. Raise awareness of the importance of security updates.
Backup your critical data
Always keep a backup of your critical data. Use a cloud-based solution if needed and, if possible, keep both on-site and off-site copies. An even more critical part of backup is making sure it works: implement scheduled restore tests, because a backup that has never been restored is not known to be a backup.
Encrypt any data that leaves the company, e.g. on USB sticks.
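The restore test mentioned above, as an added example that is not part of the original article: the script archives a directory, records a SHA-256 manifest at backup time, restores the archive into a scratch directory and reports any file that is missing or differs. The directory layout and file contents in `demo()` are constructed for the demonstration; in practice the manifest would be stored alongside the archive and the check run on the backup schedule.

```python
"""Backup with a restore test: archive a directory, then prove the archive restores byte for byte.
Added example, not from the original article; the directory layout and file contents in demo()
are constructed for the demonstration."""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path


def file_digests(root: Path) -> dict[str, str]:
    """Map each file under root (path relative to root) to its SHA-256 hex digest."""
    return {
        path.relative_to(root).as_posix(): hashlib.sha256(path.read_bytes()).hexdigest()
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write a gzip tarball of source; return the manifest of digests taken at backup time."""
    manifest = file_digests(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def verify_restore(archive: Path, manifest: dict[str, str]) -> list[str]:
    """Restore the archive into a scratch directory and compare it against the manifest.
    Returns the names of files that are missing, differ, or were not expected; an empty
    list means the backup is restorable."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The "data" filter (Python 3.12, backported to maintenance releases) refuses
                # archive members that would write outside the destination directory.
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)  # older interpreter without the filter argument
        restored = file_digests(Path(scratch))
    problems = [name for name, digest in manifest.items() if restored.get(name) != digest]
    problems += [name for name in restored if name not in manifest]
    return sorted(problems)


def demo() -> tuple[dict[str, str], list[str], list[str]]:
    """Run one backup/restore cycle on constructed data, then a check against a stale manifest."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "critical"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")  # constructed
        (source / "notes.txt").write_text("a backup is only a backup once a restore has been tested\n")
        archive = Path(work) / "critical.tar.gz"
        manifest = create_backup(source, archive)
        clean = verify_restore(archive, manifest)  # expected: no problems
        # A manifest that expects a file the archive never captured models a backup job that
        # silently stopped covering part of the data; the restore test catches it.
        stale = {**manifest, "finance/payroll.csv": "0" * 64}
        missing = verify_restore(archive, stale)
    return manifest, clean, missing


if __name__ == "__main__":
    manifest, clean, missing = demo()
    print("files backed up:", sorted(manifest))
    print("restore problems:", clean or "none")
    print("stale manifest problems:", missing)
```

Comparing digests rather than file sizes catches silent corruption in the archive, and restoring into a fresh scratch directory means the test exercises the same code path an emergency restore would.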
Start using a good online collaboration tool
In many security incidents, an email account is what gets compromised first, so use a good online collaboration tool for internal communication rather than relying on email.
Least Privilege Concept can reduce the damage
Use the least privilege principle. For example, do not use your privileged admin account for day-to-day activities; if you are an admin, use a separate account with normal user capabilities for day-to-day work and switch to the admin account only when a task requires it. Likewise, a receptionist does not need an admin account for their day-to-day activities. If a breach happens, this limits the damage to what the compromised account can reach.
Use a reliable End Point Protection software
Make sure all employee systems have endpoint protection software installed, and make sure it is monitored and updated regularly. This saves a lot of money and time: if something goes wrong you can detect it quickly and apply fixes.
Encrypt all work-related devices of your employees, such as mobile phones and laptops, so that a lost or stolen device does not expose business-critical data. Also enable theft protection so devices can be located and remotely wiped where possible.
Securing Work environment
If your employees are working from home, which is very common after the recent pandemic, they must make sure their home office is secure. Changing the default router credentials to strong ones is a good first step; the password manager can generate a strong password and store it securely.
Make sure router firmware updates are installed; it reduces the attack surface. Wireless encryption should be set to WPA2 or WPA3, and switching off WPS is recommended.
Introducing a VPN solution for your employees is good security practice. Advise employees not to use free VPN services. Implement your own company VPN and make sure employees actually use it, especially when visiting customers or travelling.
Apart from this advice, make sure users never leave their workstation unattended and lock it when leaving their desk.
Separate work accounts from personal accounts so that no information spills over from one to the other, or gets compromised and used to gain access to sensitive company information.
As humans are the weakest link in security, awareness is key. Share information about security threats and countermeasures with your employees; awareness sessions are a good solution. Circulate security-related podcasts and updates among employees.
Get ready for a security incident. You should have a security incident response plan in place. You can also contact a managed security service provider (MSSP) that offers security operations center (SOC) services to help mitigate these risks.
In a SOC, a team of professionals with expertise in information technology and information security monitors and improves the organization's security posture while preventing, detecting, analyzing and responding to information security incidents.