I am writing this blog article because I want to give whoever reads it a few easy-to-implement tips to secure their network against attack. You can implement some of these strategies yourself, if you are a do-it-yourselfer and feel confident in your abilities; or you can task your current IT provider with helping you execute them. Most of these changes are not too expensive to implement in terms of hardware, software, or labor.
First, some strategy. The best sort of defense to have is one we refer to as defense-in-depth. In other words, there is no be-all, end-all solution to security. The best way to make the job of an attacker difficult is to make the potential attack more complicated: layer several independent controls, so that getting past one of them does not get an attacker past the rest.
Pay attention to physical security: Your big-ticket IT investments are probably sitting in the same room. Is there a lock on that door? Can someone walk off with your $10,000 server, your rack infrastructure, and your data backups? This is the heart and soul of your business, if your business is driven by communications and data. Lock it up! But pay attention to air flow and cooling. If that locked server room is going to heat up, you need to find a way to vent the warm air. So make sure to place adequate cooling in that room.
IT and employees: No one, except the principal of a business, should have access to everything. Put everyone on a need-to-know basis. Employees should only have access to what they need to have access to in order to do their jobs.
Secure the cloud: A big shortcoming of cloud is the question of “Who is liable?” A cloud service provider such as your data storage provider, email provider, web hosting, rack co-location, or any other provider will lease your organization a platform from which you can do something; but a cloud provider will usually limit their liability to the bare minimum. Read your contract. YOU, the consumer, are in charge of securing the environment. Configure all native security features, institute 2-factor authentication, use complicated passwords, do not leave anything to chance. If you have the leverage to do so, negotiate with your cloud provider for a better contract. If this is not a possibility, then be prepared to mitigate the risk.
Buy cyber liability insurance: The policy that probably came tied to your E&O policy is not sufficient. In a real breach situation, $50,000 of cyber liability may not even be a drop in the bucket. If you handle personally identifiable data or health information, sensitive data, or credit cards, you have to carry cyber-liability insurance. Your industry may not require it by law, but the survival of your business after a breach may hinge on whether you had this form of insurance.
Implement good password policies: Use complicated passwords, change them frequently, and institute 2-factor authentication where possible. Enforce this throughout your organization.
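As an added illustration (this is not code from the article), here is a small Python checker that turns the password rules above into something an IT provider can actually enforce at account creation or reset time: minimum length, a mix of character classes, no username inside the password, no entries from a common-password list, and a rotation window. The thresholds (14 characters, three character classes, 90 days) and the tiny common-password list are assumed example values, not figures from the article.

```python
import re
from dataclasses import dataclass

# Constructed example of a "do not use" list. A real deployment would load a
# much larger breached-password list instead of these six entries.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


@dataclass
class PasswordPolicy:
    min_length: int = 14        # assumed minimum; not a value from the article
    min_char_classes: int = 3   # out of: lowercase, uppercase, digit, symbol
    max_age_days: int = 90      # "change them frequently" expressed as a rotation window (assumed)


# One regex per character class; a class counts if it appears at least once.
CLASS_PATTERNS = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"\d"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(password: str, username: str, policy: PasswordPolicy = PasswordPolicy()) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    classes = sum(1 for pattern in CLASS_PATTERNS.values() if pattern.search(password))
    if classes < policy.min_char_classes:
        problems.append(f"uses {classes} character classes, needs {policy.min_char_classes}")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is on the common-password list")
    # Reject long runs of one repeated character, e.g. "aaaaaaaa", which pad
    # out the length without adding any real complexity.
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a character repeated 4 or more times in a row")
    return problems


def password_expired(age_days: int, policy: PasswordPolicy = PasswordPolicy()) -> bool:
    """True when a password is older than the policy's rotation window."""
    return age_days > policy.max_age_days


if __name__ == "__main__":
    # Constructed sample inputs to show the checker's verdicts.
    for pw, user in [("Correct-Horse-Battery-7", "alice"), ("Alice2024!!abcdefg", "alice"), ("password", "bob")]:
        verdict = check_password(pw, user) or ["acceptable"]
        print(f"{user!r}: {', '.join(verdict)}")
```

Wire the check into whatever provisions accounts (a helpdesk script, a self-service reset page) so a weak password is rejected before it ever reaches the directory, and pair it with the 2-factor step the article recommends, since a policy checker only raises the bar on the password itself.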
Pay for your antivirus/antimalware: Using free antivirus or none at all and connecting to the internet is like going to the beach, jumping in the water, and hoping you don’t get wet. ‘Nuff said.