When it comes to security risks and errors, businesses often fall victim to assumptions and oversights. The reality is that the protection of information and applications is always evolving and, as criminals find new ways to exploit weaknesses, it's tough to stay one step ahead.
Instead of businesses positioning themselves as "easy targets" by loosely managing data and information, it's best to have policies and processes in place with which to secure networks by creating a culture of security. In addition to sound and thorough policies, here are five suggested practices to put in place to help manage and secure your confidential data:
Patching your servers and PCs with automated security updates is a critical security control that is all too easy to overlook as it often happens in the background and without the user's knowledge.
- The risk of not having patching in place: Many cybercriminals will look for unpatched vulnerabilities to exploit and gain access to systems. This is often the method used to infect users who visit a website with malicious code embedded in an ad.
- Patching solution: Use an automated patching tool or service to ensure that security updates for operating systems and common applications are applied on a regular basis.
Backup of your data has taken on more importance than ever with new threats like ransomware. Be sure your backups are running and secured offsite.
- The risk of having an inadequate backup solution in place: Not only do you need to protect data from hardware failure, loss, or natural disaster, but you also need to protect it from a cyberattack that could encrypt that data. Your options are then to restore from a good backup or to pay the ransom, which is now escalating into extortion.
- Backup and recovery solution: Use a business class backup (not a USB drive, for example) and regularly check to ensure the backup is working. Also be sure that backups are stored offsite in an encrypted format to minimize risk of a data breach due to lost or stolen backup media.
Unsupported Operating System (OS)
In the past two years, Microsoft has discontinued support for two widely used operating systems: Windows XP for desktop PCs and Windows 2003 for servers. As of January 2020, Windows 7 will no longer be supported. This is an important date to remember and to plan for accordingly.
- The risk of keeping an outdated OS in place: Microsoft is no longer providing updates for Windows XP or 2003 (and Windows 7 as of 2020), which means that criminals will continue to find new vulnerabilities in these operating systems. Even with patching in place, there will be no updates to apply, which leaves your system at the mercy of potential attackers. It is also highly likely that any security audit of your network will not pass.
- In 2017, one of the largest malware attacks crippled organizations that were still running Windows XP. Running a system with an unsupported OS is a risk you don't want to take.
- Supported OS solution: Upgrade to a currently supported OS like Windows 8.1 or 10 for desktop PCs. Alternatively, evaluate if your Windows servers' current function could be better achieved with a cloud solution like Office 365 before upgrading to Windows Server 2008 or 2012.
Firewalls are another critical IT asset that is often forgotten because it sits hidden in a computer room or closet. Even if your firewall appears to keep working seamlessly, regularly evaluate what you have and whether it is up to standard.
- The risk of maintaining old firewalls: Most firewalls have two components: hardware and software licensing. If you have had a firewall for more than five years, ask yourself if the hardware is still supported by the manufacturer and if the licensing is current. If not, you and your network are open to unnecessary risk.
- Firewall solution: Part of annual IT planning should be understanding the age and licensing requirements of critical network components like your firewall. If you don't know how to assess this, check with your firewall vendor. A lot has changed in the past five years, and it might be time to obtain a more capable and current firewall.
There is a growing requirement, from state laws to federal regulations like HIPAA, to encrypt emails containing personally identifiable information (PII) and protected health information (PHI).
- The risks of unencrypted email: A common data breach occurs when an email containing PII is accidentally sent unencrypted or to the wrong party. An additional risk is being out of compliance with state laws related to securing consumer information.
- Email encryption solution: If you regularly work with PII or PHI, you need to implement an email encryption solution. The best approach is a solution that scans outgoing mail for PII and forces encryption whenever it is found, rather than relying on the sender to remember.
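The "scan for PII, then force encryption" rule described above is a mail-flow policy decision. The following is an added illustration, not code from the original article or from any vendor product: it parses an outgoing message, counts SSN-shaped and card-shaped values in its text parts (using a Luhn check to discard random 16-digit strings such as order numbers), and returns whether the message must be encrypted. The sample messages, addresses and patterns are constructed for the example.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed detection patterns: US SSN (with hyphens) and 16-digit card
# numbers written with optional spaces or dashes between digits.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_valid(number: str) -> bool:
    """Luhn checksum: separates real card numbers from arbitrary digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def text_parts(msg: Message):
    """Yield the decoded text/plain and text/html bodies of a message."""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def classify(raw_message: str) -> dict:
    """Policy decision for one outgoing message: counts PII hits, sets 'encrypt'."""
    msg = message_from_string(raw_message)
    ssn = card = 0
    for text in text_parts(msg):
        ssn += len(SSN_RE.findall(text))
        card += sum(1 for m in CARD_RE.findall(text) if luhn_valid(m))
    return {"ssn": ssn, "card": card, "encrypt": (ssn + card) > 0}


# Constructed sample messages (addresses use the reserved .invalid TLD).
SAMPLE_PII = """From: hr@example.invalid
To: payroll@example.invalid
Subject: New hire paperwork
Content-Type: text/plain; charset=utf-8

Employee SSN is 123-45-6789 and corporate card 4111 1111 1111 1111.
Reference 1234 5678 9012 3456 is an order id, not a card (fails Luhn).
"""
SAMPLE_CLEAN = "From: a@example.invalid\nTo: b@example.invalid\n\nQuarterly report attached.\n"
```

In a real gateway the `encrypt` flag would drive the enforcement action (for example, routing the message through the encryption service); the counts are what you would log for compliance review.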
The five best practices above give you a concrete checklist for determining whether you are placing your organization at risk. Still unclear whether your network is at risk? Evaluate whether it's time to conduct a network security assessment.
For questions, email firstname.lastname@example.org, or call 888.624.6737.
Mark Benton is the Director of Product Management for Systems Engineering. He brings over 30 years of experience working with and managing technology.