We live in risky times. Security incidents and data breaches are more common than ever and digital-minded companies usually bear the brunt of it.
Organizations are constantly at risk and can be compromised in no time by ransomware, cyberattacks, social engineering, and corporate espionage. But, in truth, the most common way companies are undermined and infiltrated is through the actions of individual members inside of the organization itself.
Having this in mind, it’s crucial for companies to have strong internet security policies and robust guidelines in place. A company's cybersecurity policy should be detailed and comprehensive. It should mandate clear steps and procedures, not just common-sense basics like:
- Lock your workstation before leaving your device unattended
- Use a screen protector when traveling
- Don’t leave sensitive documents on the desk
- Don’t share access to your device with anyone
It also shouldn’t read like this: “don’t take screenshots because of the security policy” or “security policy prevents use of cameras”. It should explain the why, not just the what.
In this article, we will outline some of the more important elements your company’s internet security policy should include, how to implement the changes, and why using these strategies is a good idea.
1. Password Policy
For each service that employees use within the company (or personal services, for that matter), each employee should use a unique password that has NEVER been used before. The following services can help your employees create, secure, and organize their passwords:
-HaveIbeenPwned: By subscribing to HaveIBeenPwned, employees will receive a notification if one of their accounts has been compromised in a company data breach.
-Password managers: A password manager can help employees secure and easily access multiple strong (hard-to-remember) passwords. Most can also generate ridiculously difficult passwords for them to use.
-Use of 2FA: In addition to using ironclad passwords, 2FA or two-factor authentication should (must) be enabled on all services that support the feature.
2. Software Policy
All software used by employees must be 100% up-to-date! This includes not just the operating system but all other software that is installed on employee devices. Unused software should be uninstalled and security updates must always be promptly installed.
Some software has a higher possibility of being attacked remotely. That’s why it’s particularly important you make updating the software listed below a high priority:
- Operating system (desktop and mobile)
- PDF viewer
- Microsoft Office
- Email clients
3. Need-to-know Access
Some employees have access to several privileged accounts and services used by the company. Not all of these employees may really need access either. Sensitive accounts need to be shared with as few people as possible within the company.
On top of limiting access, the overseer or manager should keep up-to-date access lists so that he or she always knows who has access to what account at any given moment.
Also, the appropriate manager should approve access to all the services accounts used by the employees. When an employee that had access to some services leaves the company, the manager is obliged to change the passwords and inform all concerned parties.
Furthermore, passwords for company accounts and services should be changed on a regular basis to avoid any incidents.
4. Browsing Recommendations
In order to prevent devices from being compromised while privately browsing, the browser your employees should use is Brave. However, they still have to make sure that all plugins are up to date, in particular Flash and Adobe, which are frequently found to have vulnerabilities.
How to maintain solid browser security? Make sure to use the 2 following extensions: HTTPSEveryWhere and uBlock Origin.
-HTTPSEverywhere attempts to close the gap between misconfigured HTTPS and browsers. Brave browser is automatically upgraded to HTTPSEverywhere!
-uBlock Origin is not a security extension specifically, but it helps block unwanted content. Plus, there have been incidents where ads were used to deliver malware.
Also, make sure your chosen company browser has WebRTC/Flash/Java disabled on in order to decrease the attack surface. Which is a fancy way to say that there are less avenues for viruses to access the browser.
5. Email Security
Make sure that your internet security policy includes a special section on email security. One of the points that this part should include is that employees should never open attachments from untrusted sources, especially if they are .zip or .exe.
In general, image files are typically safe as long as they are not SVG. If they download a Word or PDF document and upon opening it, it asks for them to approve something, or grant it some permission, employees should become suspicious. If they see this, they need to STOP immediately and get in contact with the IT department or security team.
Moreover, companies have to educate employees never to click links in untrusted emails. Sounds too obvious, right? Well, according to Verizon’s 2021 DBIR around 25% of all data breaches involve email phishing and 85% of data breaches involve some kind of human element.
Furthermore, if an email looks suspicious (email demanding urgent action, email requesting sensitive data, email with bad grammar and spelling mistakes, etc.) employees should check the headers to make sure the email comes from where it says it comes from. If that is not the case, they need to report it as phishing and delete it from their mailbox.
6. Document Security
Document security concerns the maintenance of all essential documents stored, filed, backed up, processed, delivered, and discarded. Because sensitive documents face major security threats, it is essential to develop a backup and storage plan for documents.
Using Google Drive, Dropbox or other unsafe services will only make your company more vulnerable. Instead, make sure to equip your employees with the safest tools where things can hardly go wrong.
Needless to say, the use of end-to-end encrypted storage services like Internxt should be on your priority list. Another useful thing would be to make sure that your employees are scanning their files before uploading them to the drive. They can easily do this by using a free online file virus scanner.
Also, employees should never open Microsoft Word files from untrusted sources because it can be dangerous. For PDFs, they should use Acrobat Reader DC on Windows and enable Protected View. This is a sandboxed mode that prevents malicious PDFs from launching arbitrary executable files. Don't forget to keep Acrobat Reader DC constantly updated.
Another thing to keep in mind is that, file extensions are frequently overlooked but if your employees are using Windows (this is also applicable to macOS) they need to always set Windows Explorer to display the file extensions:
Windows: Control Panel -> Appearance and Personalization -> Folder Options -> Advanced Settings
Mac: Finder -> Preferences -> Show all filename extensions
Why are file extensions important? Here’s an example: if a file is called Scam_Document.doc.exe, they will see the .exe and know it is an executable file and not actually a document. Without having the extensions visible, an employee may not spot the flaw.
7. Device Security
Antivirus software effectiveness is very hit or miss but still your company security policy should still include the use of trusted antivirus software (which could be either free or paid) on all computers.
Secondly, you must keep in mind that computers can and do get stolen. Therefore, it is advisable that all devices used to access company infrastructure have some sort of full disk encryption enabled.
For Windows, there is VeraCrypt and Bitlocker. For Linux, there is LUKS, and for macOS X Filevault. This should be required for employees in possession of sensitive credentials or documents associated with the company. iOS and Android also can, and should, be encrypted.
Many efficient mobile device management solutions offer Kiosk lockdown that ensures that employees do not access anything else on their work phones other than work-related apps.
Finally, employees should not plug untrusted USB devices into computers. In addition, they shouldn’t plug their USB device into an untrusted USB socket. In fact, employees should never use USB devices to transfer data.
It’s time to create your company security policy!
Managing a company’s overall online security is a responsibility that falls on both us as individuals and the business as a whole. Without proper online security habits, it’s far easier to fall victim to cybercrime, which can easily cost your company millions in damages.
Though a good security policy may take time, investment, and effort to bring online. The benefits far outweigh the risks.
If you think your company can’t afford digital safety and security tools, think again! In truth, the only thing your company can’t afford is to NOT take care of its online security.