Written by Ana Canteli on 22 October 2021
Cybersecurity should be a core objective of any organization. Yet small companies often assume they are too insignificant to be targeted, and large companies often assume they can handle a cyber crisis on their own; both end up overlooking indicators of information security risk, including insider threats.
A cyber crisis is any event that seriously threatens the security of the entity, and therefore its survival, and that must be addressed in the shortest possible time with limited information. Such a far-from-ideal situation requires responses at the operational, technical, organizational, and strategic levels.
To guide organizations on cybersecurity matters, the ISO/IEC 27000 family of standards describes how to implement, maintain, and administer an information security management system (ISMS).
The main standards in the ISO/IEC 27000 family are the following:
27001: requirements for establishing, implementing, maintaining, and continually improving an ISMS; it is the standard in the family against which an organization can be certified
27002: code of practice with a catalogue of information security controls and guidance on implementing them
27003: guidance for implementing an ISMS that meets the requirements of 27001
27004: monitoring, measurement, analysis, and evaluation of the ISMS, so that its effectiveness can be shown and continuously improved
27005: guidance on information security risk assessment and risk treatment
To make these more concrete, here is a list of good cybersecurity practices:
Do periodic backups: it seems obvious, but because of technical problems, lack of storage space, or a procedure that was never properly implemented, organizations often neglect backups. The backup protocol must define what information is backed up, how often, and where the copies are stored. Keeping at least one copy off-site protects against natural disasters such as flooding or fire, and keeping a copy that cannot be modified from the production network (offline or write-once) protects it from an attacker who has already compromised the primary systems. A backup that has never been restored is untested: restore it periodically and compare the result against the original.
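A backup that is written but never restored gives false confidence. The following Python script is an added example, not part of the original article and not OpenKM code: it archives a directory into a compressed tar file together with a SHA-256 manifest, then verifies the archive by restoring it into a scratch directory and comparing every file against that manifest. The directory layout and file contents in `run_demo` are constructed for the example.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Archive source into a tar.gz and store the manifest beside it."""
    manifest = build_manifest(source)
    with tarfile.open(str(archive), "w:gz") as tar:
        for rel in manifest:
            tar.add(str(source / rel), arcname=rel)
    manifest_path = archive.with_name(archive.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(archive: Path, manifest: dict) -> list:
    """Restore the archive into a scratch directory and diff it against the manifest.

    Returns a list of problems; an empty list means the backup restores exactly.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        restore_root = Path(scratch)
        with tarfile.open(str(archive), "r:gz") as tar:
            # The 'data' extraction filter (Python 3.12, backported to maintenance
            # releases) rejects absolute paths and '..' members, so a tampered
            # archive cannot write outside the restore directory.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(str(restore_root), filter="data")
            else:
                tar.extractall(str(restore_root))
        restored = build_manifest(restore_root)
    for rel, expected in manifest.items():
        if rel not in restored:
            problems.append(f"{rel}: missing from archive")
        elif restored[rel] != expected:
            problems.append(f"{rel}: content differs from manifest")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"{rel}: unexpected file in archive")
    return problems


def run_demo() -> dict:
    """Constructed scenario: a good backup, then a later backup checked against
    the earlier manifest, which reveals one edited and one deleted file."""
    with tempfile.TemporaryDirectory() as workdir:
        base = Path(workdir)
        source = base / "source"
        (source / "docs").mkdir(parents=True)
        (source / "docs" / "policy.txt").write_text("backup policy v1\n")
        (source / "notes.txt").write_text("meeting notes\n")

        first_manifest = create_backup(source, base / "backup-1.tar.gz")
        first_check = verify_backup(base / "backup-1.tar.gz", first_manifest)

        # Simulate drift between backups: one file edited, one deleted.
        (source / "notes.txt").write_text("meeting notes, revised\n")
        (source / "docs" / "policy.txt").unlink()
        create_backup(source, base / "backup-2.tar.gz")
        second_check = verify_backup(base / "backup-2.tar.gz", first_manifest)

    return {
        "files": sorted(first_manifest),
        "first_check": first_check,
        "second_check": sorted(second_check),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest is what makes the restore test meaningful: a tar that unpacks without error can still be missing files or contain corrupted ones, and only a per-file comparison against hashes recorded at backup time shows that. In a real deployment the manifest would be stored with the off-site copy and signed, so that an attacker who tampers with the archive cannot also rewrite the expected hashes.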
Keep the software up to date: most providers ship updates as part of the service for three main reasons: to fix bugs, to add functionality, and to close security holes. Apply security patches promptly; a vulnerability with a public fix is exactly what attackers scan for.
Keep hardware up to date: older computers and servers may no longer receive firmware or driver security updates, or may not support the operating system versions that still do. Older machines also slow down the response to a cyberattack.
Develop software securely: entities with enough technical capacity may build connectors to third-party applications or even develop their own programs. Such projects should follow a secure development process, so that security is considered in design, development, testing, and production (for example, code review, checks on third-party dependencies, and security testing before release).
Password management: the password policy should prevent users from reusing the same password across platforms and from choosing trivially simple ones. Document which accesses each user holds. Set a minimum standard when a password is created: a minimum length, screening against lists of known breached passwords, and a password history so that the system rejects reuse of recent passwords. Older policies also required mixed character classes (capital letters, symbols, digits) and periodic expiry; current guidance (NIST SP 800-63B) advises against mandatory composition rules and scheduled expiry, because they push users toward predictable patterns, and recommends length and breached-password screening instead, with a forced change whenever a compromise is suspected. Multi-factor authentication adds a second, independent verification of the user's identity and should be enabled wherever it is available.
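The history check in such a policy must work without ever storing the old passwords in clear. The Python below is an added example, not part of the original article and not OpenKM code: it keeps a salted PBKDF2 hash for each of the last few passwords, rehashes a candidate with each stored salt to detect reuse, and enforces a minimum length, a username check, and a breached-password screen. The policy values, the tiny `BREACHED` set and the sample accounts are constructed for the example; a real deployment would screen against a full breached-password corpus.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed policy parameters; set them from the organization's own policy.
MIN_LENGTH = 12
HISTORY_DEPTH = 5
PBKDF2_ITERATIONS = 100_000  # cost of each check; raise it in production
# Constructed stand-in for a breached-password corpus.
BREACHED = {"password", "123456", "qwerty", "welcome1", "letmein", "summer2021"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Only (salt, digest) is stored; the plaintext never is."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    username: str
    # Oldest first; the last entry is the hash of the current password.
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)

    def was_used_recently(self, candidate: str) -> bool:
        """Rehash the candidate with each stored salt and compare in constant time."""
        for salt, digest in self.history[-HISTORY_DEPTH:]:
            _, candidate_digest = hash_password(candidate, salt)
            if hmac.compare_digest(candidate_digest, digest):
                return True
        return False


def check_policy(account: Account, candidate: str) -> List[str]:
    """Return every rule the candidate violates; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in BREACHED:
        problems.append("appears in the breached-password list")
    if account.username.lower() in candidate.lower():
        problems.append("contains the username")
    if account.was_used_recently(candidate):
        problems.append(f"reused one of the last {HISTORY_DEPTH} passwords")
    return problems


def set_password(account: Account, candidate: str) -> List[str]:
    """Apply the policy; on success store the new hash and trim the history window."""
    problems = check_policy(account, candidate)
    if not problems:
        account.history.append(hash_password(candidate))
        del account.history[:-HISTORY_DEPTH]
    return problems


if __name__ == "__main__":
    alice = Account("alice")
    print(set_password(alice, "Correct-Horse-Battery-9"))  # []
    print(set_password(alice, "Correct-Horse-Battery-9"))  # ['reused one of the last 5 passwords']
    print(check_policy(alice, "Password"))  # ['shorter than 12 characters', 'appears in the breached-password list']
```

Because each history entry has its own salt, the reuse check costs one PBKDF2 computation per stored entry, which is why the history window is kept short. Note what the example deliberately does not enforce: no character-class rules and no calendar-based expiry, in line with the guidance cited above.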
Access control to critical applications and restricted areas: the information security management system must make every user's activity auditable. Accounts with high privileges deserve particular scrutiny, for obvious reasons. Keep the number of privileged people and privileged accesses to a minimum, review the list regularly, and revoke access as soon as it is no longer needed (for example, when someone changes role or leaves the organization).
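Auditing privileged activity means actually reading the records the systems already produce. The Python below is an added example, not part of the original article and not OpenKM code: it parses log lines in the formats that sudo and OpenSSH write to syslog, counts privileged commands per user, and flags sudo use by accounts outside an approved list, denied sudo attempts, and direct logins as root. The `SAMPLE_LOG` lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Set

# Constructed sample in the formats sudo and OpenSSH write to syslog; not real data.
SAMPLE_LOG = """\
Oct 22 09:14:02 srv01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Oct 22 09:15:40 srv01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Oct 22 09:16:03 srv01 sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Oct 22 09:17:11 srv01 sshd[2201]: Accepted publickey for root from 203.0.113.5 port 51022 ssh2
Oct 22 09:18:00 srv01 sshd[2210]: Accepted password for alice from 198.51.100.7 port 51100 ssh2
Oct 22 09:19:27 srv01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/journalctl -u nginx
"""

# sudo's syslog line: "<user> : [command not allowed ; ]TTY=.. ; PWD=.. ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<denied>command not allowed) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)
# OpenSSH's successful-login line.
SSH_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")


def audit(lines: Iterable[str], approved_sudoers: Set[str]) -> List[Dict[str, str]]:
    """Return one finding per line that violates the privileged-access rules."""
    findings = []
    for line in lines:
        sudo = SUDO_RE.search(line)
        if sudo:
            user = sudo.group("user")
            if sudo.group("denied"):
                findings.append({"kind": "denied_sudo", "user": user, "detail": sudo.group("cmd")})
            elif user not in approved_sudoers:
                findings.append({"kind": "unapproved_sudo", "user": user, "detail": sudo.group("cmd")})
            continue
        ssh = SSH_RE.search(line)
        if ssh and ssh.group("user") == "root":
            # Root should log in through a named account plus sudo, never directly.
            detail = f"{ssh.group('method')} from {ssh.group('src')}"
            findings.append({"kind": "root_login", "user": "root", "detail": detail})
    return findings


def privileged_commands(lines: Iterable[str]) -> Dict[str, int]:
    """Count successfully executed sudo commands per user, for periodic review."""
    counts = Counter()
    for line in lines:
        sudo = SUDO_RE.search(line)
        if sudo and not sudo.group("denied"):
            counts[sudo.group("user")] += 1
    return dict(counts)


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    for finding in audit(log_lines, approved_sudoers={"alice"}):
        print(finding)
    print(privileged_commands(log_lines))
```

The approved list is the point of comparison: the access review described above produces it, and the audit turns every deviation from it into a finding that someone has to explain, whether it is a user who was never supposed to have sudo, a denied attempt that hints at probing, or a root login that bypasses individual accountability.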
Manage the organization's assets: keep an inventory of the organization's devices and take charge of their maintenance, especially since ownership is not the same as possession when many members of the entity work outside the office. This objective is realized through several of the other practices: keeping software and hardware up to date, the password policy, and reminding users to lock or shut down equipment at the end of each day to prevent misuse of the organization's resources.
Use encrypted channels: installing a TLS certificate and enabling HTTPS on the site users work from encrypts the files exchanged between the user's browser and the company's server, and lets the browser verify that it is talking to the genuine server rather than an impostor. (SSL is the older protocol; current deployments use TLS, although the certificates are still commonly called SSL certificates.) Change the default password of the Wi-Fi router and keep its firmware updated, and avoid public or free Wi-Fi, where communications and file transfers may be observed. Bluetooth can also be an entry point for an attacker and therefore a source of data breaches; if it is not in use, it is best to leave it off.
Use a VPN to protect remote access: when an employee reaches the work environment from another location, the connection should go through a VPN. The VPN encrypts the traffic between the employee's device and the company network, so file transfers cannot be read by anyone in between, including the internet provider; a firewall at the VPN gateway then limits what the remote connection is allowed to reach.
Use antivirus and anti-malware: from the moment a device connects to the internet, total protection against malicious software is impossible. Still, exposure can be substantially reduced by installing antivirus or anti-malware software on the device and keeping its engine and signatures updated.
Avoid opening suspicious emails: if you do not know the sender or the subject looks doubtful, it is best to delete the email without opening it, because the user risks falling for phishing. Phishing is a set of techniques that deceive a victim by posing as a trusted person or organization, gaining their trust, and manipulating them into actions they should not take. Such emails can carry links or attachments that infect devices. Typical warning signs are a sender address that does not belong to the organization it claims to be, a reply address on a different domain, links whose visible text differs from their real destination, executable or macro-enabled attachments, and pressure to act immediately.
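Those warning signs can be checked mechanically before a message reaches a user. The Python below is an added example, not part of the original article and not OpenKM code: using only the standard library, it parses a raw message, compares the From and Reply-To domains against a set of trusted domains, looks for pressure language in the subject, extracts every link from the HTML body to compare the displayed URL with the real target (and flag bare IP addresses), and checks attachment extensions. The two sample messages, their domains, addresses and the keyword lists are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Set
from urllib.parse import urlparse

# Constructed messages; every address and domain here is invented for the example.
SUSPICIOUS_MESSAGE = """\
From: "IT Service Desk" <helpdesk@example-corp-support.net>
Reply-To: recover@mail-recovery-center.com
To: ana@example.com
Subject: URGENT: your mailbox will be suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Sign in at
<a href="http://203.0.113.44/login">https://portal.example.com/login</a>
to keep your account.</p></body></html>
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

LEGITIMATE_MESSAGE = """\
From: Ana Canteli <ana@example.com>
To: team@example.com
Subject: Minutes from today's meeting
Content-Type: text/plain; charset="utf-8"

The minutes are on the wiki: https://wiki.example.com/minutes
"""

PRESSURE_WORDS = ("urgent", "suspended", "immediately", "verify your account", "within 24 hours")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def domain_of(header_value) -> str:
    """Lower-cased domain of an address header, or '' if the header is absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def phishing_indicators(raw_message: str, trusted_domains: Set[str]) -> List[str]:
    """Return a human-readable list of phishing indicators found in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_domain = domain_of(msg["From"])
    if from_domain not in trusted_domains:
        findings.append(f"sender domain {from_domain} is not a trusted domain")
    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    subject = str(msg["Subject"] or "").lower()
    if any(word in subject for word in PRESSURE_WORDS):
        findings.append("subject uses pressure language")

    body = msg.get_body(preferencelist=("html", "plain"))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body is not None else "")
    for href, text in extractor.links:
        host = (urlparse(href).hostname or "").lower()
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"link points to a bare IP address: {href}")
        if text.startswith(("http://", "https://")):
            shown_host = (urlparse(text).hostname or "").lower()
            if shown_host != host:
                findings.append(f"link text shows {shown_host} but points to {host}")

    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment with risky extension: {filename}")
    return findings


if __name__ == "__main__":
    for line in phishing_indicators(SUSPICIOUS_MESSAGE, trusted_domains={"example.com"}):
        print(line)
    print(phishing_indicators(LEGITIMATE_MESSAGE, trusted_domains={"example.com"}))  # []
```

These are heuristics, not proof: a single indicator can occur in legitimate mail, which is why the function returns all of them and leaves the decision to a mail gateway rule or to the user. The displayed-URL check in particular is the one users cannot perform by eye, since the visible text is exactly what the attacker controls.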
Scan external storage devices: they are as prone to viruses and other malware as any internal storage medium. Scan them before use, and disable autorun so that nothing executes merely because a device was plugged in.
Assign responsibility for cybersecurity in the organization chart: segregate duties so that the responsibilities, duties, and rights of each member regarding cybersecurity best practices, and how to proceed in case of an attack, data breach, or insider threat, are clearly delimited in line with the HR organizational scheme. Ideally, a person in charge of cybersecurity is appointed, with access to senior management and the means needed to develop information security policies and promote the code of good practice within the organization.
Train employees: training is the key to applying cybersecurity best practices in the organization, so that its members are trained, focused, motivated, and organized to use the information security system consistently. The same approach extends to the entity's relationships with third parties (suppliers, clients, public administrations, interest groups), both in the training offered and in the areas where the organization is exposed through them.
Invest in cyber risk prevention: unless company devices are offline and physically protected from unwanted access, there is no complete protection against data breaches or insider threats involving company-owned media or information. It is therefore far cheaper to spend a small budget on security updates when they become available than to face the consequences of a security breach.
Document all cybersecurity practices and follow them: from incident management to the monitoring of critical services, who is responsible for what, the periodic review of the means available to protect information security, and the access control protocol. Everything related to the governance of information security should be written down.
In everything described above, document management software has a significant role to play. Practically all of an organization's information is stored in a multitude of document formats, which are administered through a document management system parameterized according to the entity's needs. If you would like to know how OpenKM can contribute to implementing a solid information security policy, you can contact us through the form.