One of the main challenges of implementing reliable cyber security is the sheer volume of things you need to deal with. Companies need to juggle their financial resources, personnel, compliance requirements and their own risks – all while attempting to shape a protection that is enough to safeguard their sensitive data from any potential threats.
To do all of this, one of the key elements is the ability to formulate a proper, cohesive information security strategy: one that involves a clear and sensible checklist that needs to be completed.
There are many examples of such cyber security checklists available online, but in our opinion they are too general and too formulaic to be useful as is. Each company needs to use existing compliance requirements and cyber security best practices to generate its own cyber security checklist that will actually be useful for it.
In this two-part cyber security planning guide, we will try to give you some suggestions on how to create your own cyber security controls checklist. In the first part we go over the general principles behind creating your own checklist and cover the most basic steps you want to take. In the second part we go into further detail on how you can protect your company from both insider and outsider threats.
So, without further ado, let’s start.
Three tenets of cyber security checklists
When implementing cyber security, it is not enough to know what to do; you also need to understand how to do it. You need to know what approach to take in order to draw the maximum value from the measures you put in place.
From the many IT security guidelines we can formulate three main tenets that are important to keep in mind both when formulating a checklist and when implementing it, as they are what allows you to select effective measures and implement them effectively.
These three tenets are:
Consistency. Each cyber security measure should be implemented consistently across the board if you want it to be effective. For example, if you use two-factor authentication, make sure that everybody is using it, including administrators and upper management. When implementing security policies, the worst thing you can do is start making exceptions for privileged users. This not only makes the measure much harder to enforce, but in certain situations can completely nullify its positive effect.
Holism. Cyber security needs to be approached as a whole. There is no point in creating a very robust and tightly secured perimeter when your data is poorly protected from insider threats, and vice versa. Make sure that you implement a balanced, layered defense, in a way that lets you protect your data from every threat it faces, and don’t underestimate any of them.
Risk-based approach. When formulating and implementing a security strategy, the most important thing to consider is the current risks the company faces. It is necessary to take a risk-based approach and conduct a thorough risk assessment to determine the current vulnerabilities and threats to your data, and to decide on the best way to cover them. While it may seem very easy to simply take a compliance checklist and go through it, crossing off one item at a time, this very rarely constitutes reliable protection. Apart from the fact that compliance requirements are always changing, you need to make sure that any measures you take are consistent with the security needs of your company.
By following the three tenets above, you will be able not only to formulate a proper checklist, but also to implement all the planned measures in the most effective way possible.
Formulating your cyber security checklist
When implementing successful cyber security there is a whole plethora of things to consider. We created a list of relevant steps that you may want to incorporate into your own checklist to make sure that your company has all the necessary precautions in place.
Physical data security
- Physically secure data. Probably the most basic measure to protect your sensitive information is to make sure that physical access to it is restricted. Make sure that your servers are inaccessible not only to visitors to your office (or random people, for that matter), but also to your own employees with insufficient clearance. If you’re using IaaS or simply renting infrastructure from a datacenter, then this is not really your concern, but if you own and host your own physical servers, then you need to make sure that they are sufficiently protected.
- Physically secure network access points. Protecting servers is not enough. You must also make sure that the access points to your internal corporate network are secure. This includes not only obvious things like employee workstations, but also things like company Wi-Fi and Ethernet outlets. If you allow guests to use your company Wi-Fi, make sure that they have no access to your internal network, and make sure that your router and other devices have unique, non-default passwords. Any access point is vulnerable, and so its security needs to be taken seriously.
- Conduct employee background checks. Your own employees can pose the greatest threat to the security of your company data. It is important to take potential insider threats into account and take measures to combat them. The first and most obvious thing you can do is thorough background checks. Checking background information on your employees does not require a lot of effort; it may be something as simple as googling their name and calling their previous workplace to confirm the information they have given you. Such a simple background check will not protect you from insider threats 100%, but it will allow you to filter out the most obvious offenders.
- Raise employees’ cyber threat awareness. Make sure that your employees are fully aware of the threats to data security your company faces and of the damage a successful attack may cause. This will make it much easier to enforce any security regulations you decide to put in place and will lower the number of security mistakes and instances of negligence on the part of employees, as they will be aware of the consequences of disregarding security.
- Educate employees on proper habits and best practices. It is also important to enlist the help of your own employees when it comes to computer security and have them take a proactive role in defending company sensitive data. Educate employees on the dangers of phishing, social engineering and other techniques that can target them, and teach them to respond adequately to such threats. You may also want to educate employees on the dangers of malicious insiders.
Firewall and outsider threat protection
- Configure and maintain a firewall. A firewall is one of the most basic ways to protect your network, and it should be used by every company. However, it is also important to configure your firewall properly and make sure that it does its job effectively. For example, you should limit both incoming and outgoing traffic, configure the necessary alerts, and enable logging and history that can be used in case of an investigation.
- Configure anti-virus. Another basic cyber security measure that every company should take is to set up and properly configure anti-virus software. Ideally it strengthens your protection from malware and hacking, but it can also sometimes produce false positives or miss dangerous software entirely. To avoid this as much as possible and maximize the effectiveness of your anti-virus, configure any necessary exceptions and always keep it up to date.
- Create web filters to filter traffic. Another way to safeguard your data and keep your company out of trouble is by filtering web traffic, either on the firewall itself or via other means, such as specialized software or system settings. If your company has a policy that prohibits visiting certain websites during work hours (for example, social networks), it is best to filter them out altogether to avoid any misunderstandings with employees. It is also always a good idea to filter out questionable content, such as adult websites. Not only can they negatively affect the climate in the office, they also often serve as a source of dangerous malware.
- Maintain component protection. One of the most basic ways to provide network security is to protect the integrity of each of its components. This means that every device that makes up your corporate network, such as all your routers, should be not only physically inaccessible, but also protected by a complex, unique, non-default password.
- Encrypt communications. All communications inside your network should be encrypted. It is also a good idea to encrypt all incoming and outgoing traffic as much as possible. Such encryption protects data from being intercepted in a man-in-the-middle attack, or stolen by a perpetrator who is already inside your network.
- Monitor traffic. There are a lot of ways to keep tabs on your traffic, including built-in system features and specialized traffic monitoring solutions. Traffic monitoring allows you to detect suspicious network activity, for example malware that sends your sensitive data to the outside. It can also prove very valuable in the event of an investigation.
- Maintain redundant connections for critical systems. Another important measure, which relates to the general reliability of your system just as much as to its security, is to make sure that redundant connections for critical systems are in place. This will allow you to keep your network up and running in case it is compromised, and may serve as a way to circumvent certain types of attacks, such as denial of service attacks.
- Establish a regular backup practice. Regular backups should be conducted by any company, regardless of what data it has and how vulnerable it is to an attack. Backups not only protect the system from certain attacks that are otherwise very hard to deal with (such as ransomware), but also serve as a way to restore the system after an insider attack or an accident. It is very important to make sure that your backups are always up to date.
- Store backups in a secure manner. Backups should be conducted and stored securely. It is best to assign several different people to collaborate on the backup process. This greatly diminishes the risk from malicious insiders (as people are less likely to take malicious actions or abuse their access when collaborating with others), and it also makes sure that the backup process is performed correctly. You also want to encrypt your backups and store them in an inaccessible location separate from your main network, ensuring that they will not be compromised in case of a breach.
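The firewall and traffic monitoring items above both come down to the same concrete configuration: deny by default in both directions, allow only what the business needs, and log what gets dropped so that unexpected outbound connections (the symptom of malware sending data out) show up in the logs. The nftables ruleset below is an added example written for this article, not the product's or the article's own code; it assumes a small office gateway with the LAN on eth1 (192.168.10.0/24) and the uplink on eth0, and that the only admin service is SSH from the LAN.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny gateway ruleset with logging of dropped traffic.
# Assumed layout (not from the article): LAN on eth1, uplink on eth0.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;   # default deny inbound
        ct state established,related accept
        iif "lo" accept
        ct state invalid drop
        iifname "eth1" tcp dport 22 accept                 # admin SSH from the LAN only
        # log before the policy drops it, rate-limited so a scan cannot flood the log
        limit rate 10/minute log prefix "fw-in-drop: " level info
    }
    chain forward {
        type filter hook forward priority 0; policy drop;  # default deny forwarded traffic
        ct state established,related accept
        # LAN hosts may only reach web and DNS on the internet;
        # anything else from a workstation is logged and dropped
        iifname "eth1" oifname "eth0" tcp dport { 80, 443 } accept
        iifname "eth1" oifname "eth0" udp dport 53 accept
        limit rate 10/minute log prefix "fw-egress-drop: " level warn
    }
    chain output {
        type filter hook output priority 0; policy drop;   # the gateway's own traffic
        ct state established,related accept
        oif "lo" accept
        oifname "eth0" udp dport 53 accept                 # DNS
        oifname "eth0" udp dport 123 accept                # NTP
        limit rate 10/minute log prefix "fw-out-drop: " level warn
    }
}
```

Load it with `nft -f` and watch the kernel log (for example `journalctl -k`) for the `fw-egress-drop:` prefix; a workstation that keeps appearing there on ports other than 80, 443 or 53 is what the traffic monitoring item asks you to investigate.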
Taking all threats seriously
The list of steps and best practices above can serve as a great template for designing a basic all-around information security audit checklist. Most of these steps are aimed at creating a secure perimeter and safeguarding your data from malware, denial of service attacks, ransomware and other external breaches.
However, these are not the only threats your company faces. An attack from within the organization can be much more damaging and costly in the long run than any hack or breach. Not all companies take insider threat protection seriously – and as a result, many of them undermine their own defenses by not putting proper protection in place.
In the next part we will look at three key steps you can take to properly safeguard your sensitive data from insider attacks and compromised accounts, and at how our own product, Ekran System, can help make your cyber security much more effective, whether you’re a large enterprise or a small business.
Read also about the small business cyber security practices to follow.