Many IT managers suffer through sleepless nights concerned about network security. New threats are being created daily and new policies like BYOD make companies more vulnerable to attack. To protect against attacks in 2014, organizations need to follow several key practices.
One simple concept is to follow fundamental security principles. According to TechTarget’s Nick Duda, the typical post-attack analysis of a security breach shows that long-held security practices were not being used. Most incidents could have been avoided by doing simple tasks like installing the latest patches and anti-malware updates. The ability to see and comprehensively track all devices connected to the network is critical.
The breaches at the U.S. Department of Energy (DOE) are a textbook example of Duda’s observations. Since 2011, DOE has been hacked three times. An audit found that the agency did not observe standard security practices; among other lapses, it used the complete Social Security numbers of employees within the system.
Security practices by cloud providers will be another important matter for IT management to examine. The popularity of this technology suggests that it is not going to fade away any time soon. Although many IT tasks will be outsourced to the cloud provider, companies still need to worry about security. They must discuss security practices with cloud providers and hold them accountable for protecting data.
Mobile devices accessing an enterprise network need to follow a well-thought-out policy that does not inhibit employees from being productive, yet protects information assets. Such policies prohibit “jail-broken” (i.e., “hacked”) devices and require that the latest patches and anti-malware updates be installed.
Educating the workforce on a regular basis is another effective way to avoid breaches. Many breaches come not from sophisticated attacks, but from social engineering that tricks employees and other gatekeepers into bypassing security protocol. One common approach happens in call centers, where a caller impersonates a customer and creates a false crisis, inducing a representative to share sensitive information without asking for passwords or other security questions.
The follow-up to education is to review and evaluate how well the workforce observes security practices and take corrective action when needed.
Obviously, this is far from an exhaustive list of ways to address the many different types of attacks that enterprise networks face on a regular basis. At the very least, an organization needs to follow these concepts and avoid complacency when it comes to security. “Stay on top of it” should be the mission statement of any organization or department that wants to limit the risk of a breach.
Edited by Rory J. Thompson