When cyber anarchy takes over

In the absence of uniformly set rules, we tend to rely on what has worked well in the past. This is exactly how situations arise such as team members sharing sensitive information through an inappropriate repository, or several people from a team using a common login. Cyber anarchy, the common denominator in these situations, is also a problem for new team members, who quickly pick up the wrong habits from their colleagues. What can be done about this?

Start with an audit that will reveal the truth

Before you start creating security rules, do an internal audit. As scary as it sounds, in real life it can be an enjoyable afternoon with the whole team trying to answer one question: "How do things actually work here?" If you really get everyone together, you will get a comprehensive picture of security in your organization. Try to establish an atmosphere of trust from the start. Any bad practice can be fixed, but if team members keep it to themselves, it will continue to happen, just without management's knowledge. And what should actually be discussed with the team? Here are some guiding questions for inspiration:

  • What hardware and operating system(s) do you use? Who is their owner?

  • What software do you use? Does the organization have licenses for the programs? In what quantity? Do those who actually need the license to do their job have it?

  • What data do you work with and how? Do you have shared (cloud) storage? Are there rules for accessing and using the storage? How is important data backed up?

  • How and with what tools do you communicate with clients, partners or colleagues?

  • How do team members take care of their passwords? Do they use any additional authentication methods, such as two-factor authentication? How do they manage their passwords?

  • Have team members encountered a situation they did not know how to handle? Do they know who to contact in this case? Who is the contact person?

The more questions like these you map out, the better and more accurate your security rules will be. Don't be discouraged by the fact that the team members are initially clueless. Explain, give examples and motivate. The information gained can also be used to optimize work processes.

Selected areas to address in the security rules

You can start working with the useful information you take away from the audit in the following areas, which should not be overlooked in any set of security recommendations.

1. Protecting devices and networks from unauthorized access

In this area you can focus on two levels. The first is physically preventing access to devices (and networks). The rules might look something like this:

  • Adequately secure your device against unauthorized access (password, PIN, biometric methods).

  • Lock or log out of your device every time you leave it unattended.

The second level is preventing unauthorized remote access, including the installation of malware. You can discuss these rules:

  • Use only programs installed/recommended by the organization.

  • Do not interfere with firewall settings.

  • Use the organization's installed/recommended antivirus program.

  • Perform regular updates to the operating system, programs and applications on all devices.

2. Account security

Once you have identified all the information and communication systems and services you use, the question is who will have access to these accounts and with what permissions. It is advisable to distinguish at least between privileged (administrator) and regular (user) accounts. In the rules you can focus on this:

  • Use only your own, unique login credentials; never share an account with a colleague.

  • For privileged (administrator) accounts, the following password requirements apply: the minimum password length is 17 characters, and the password must contain upper- and lower-case letters, numbers, and special characters. The maximum password validity period is 12 months.

  • For regular (user) accounts, the following password requirements apply: the minimum password length is 12 characters, and the password must contain upper- and lower-case letters, numbers and special characters. The maximum password validity period is 18 months.

  Note that these are sample rules. Current guidance such as NIST SP 800-63B favours length over composition rules and recommends changing passwords when compromise is suspected rather than on a fixed schedule, combined with screening against lists of known breached passwords; adapt the thresholds to what your organization can actually enforce.

  • Implement two-factor authentication for all privileged accounts and recommend its use for all regular accounts.

  • Use the organization's designated application for two-factor authentication.

  • Take care of your passwords, do not share them with anyone, and protect them from unauthorized access.

  • Use organization-specified password management software.

3. Data protection

The purpose of this section of the security recommendations is to protect data against unauthorized modification, deletion or disclosure. It is important to motivate team members to use the organization's designated storage location, where data is backed up regularly. For example, the rules might look like this:

  • Use the organization's designated storage for data storage purposes.

  • If data cannot be shared via this storage, use the organization's recommended sharing service.

  • Do not share sensitive data via consumer messaging tools that the organization does not manage, such as WhatsApp, Skype or Messenger.

  • Avoid using USB drives within the organization. If data must be shared this way, protect it further (e.g. encrypt the document with a passphrase, or use an encrypted USB drive).
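As an added example (not part of the original article) of what "encrypt the document" in the last rule can mean in practice, the following shell functions wrap the openssl command-line tool to encrypt a file with a passphrase before it is copied to a USB drive, and to decrypt it at the other end. It assumes the openssl CLI is installed; the file names, sample content and passphrase are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Encrypt a document with a
# passphrase before it leaves the organization's storage on a USB drive.
# Assumes the openssl CLI is available; names and passphrase are illustrative.

# encrypt_file SRC DST PASSPHRASE
# AES-256-CBC with a random salt and a PBKDF2-derived key (100k iterations).
# The passphrase is passed through an environment variable so it does not
# appear in the process list, as it would with -pass pass:...
encrypt_file() {
  OPENSSL_PASS="$3" openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -salt \
    -in "$1" -out "$2" -pass env:OPENSSL_PASS
}

# decrypt_file SRC DST PASSPHRASE
decrypt_file() {
  OPENSSL_PASS="$3" openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 \
    -in "$1" -out "$2" -pass env:OPENSSL_PASS
}

# roundtrip_demo: returns 0 if the ciphertext hides the plaintext, a wrong
# passphrase does not recover it, and the right one restores it exactly.
roundtrip_demo() {
  tmp=$(mktemp -d) || return 1
  # constructed sample document
  printf 'Client list (constructed sample)\nACME Ltd, contract 2024\n' > "$tmp/clients.txt"
  pass='correct horse battery staple'

  encrypt_file "$tmp/clients.txt" "$tmp/clients.txt.enc" "$pass" || { rm -rf "$tmp"; return 1; }

  # the encrypted file must not contain the plaintext
  if grep -q 'ACME' "$tmp/clients.txt.enc"; then rm -rf "$tmp"; return 1; fi

  # a wrong passphrase must not yield the original document
  if decrypt_file "$tmp/clients.txt.enc" "$tmp/wrong.txt" 'wrong passphrase' 2>/dev/null \
     && cmp -s "$tmp/clients.txt" "$tmp/wrong.txt"; then
    rm -rf "$tmp"; return 1
  fi

  decrypt_file "$tmp/clients.txt.enc" "$tmp/clients.dec.txt" "$pass" || { rm -rf "$tmp"; return 1; }
  cmp -s "$tmp/clients.txt" "$tmp/clients.dec.txt"
  rc=$?
  rm -rf "$tmp"
  return $rc
}
```

Usage: `encrypt_file report.docx report.docx.enc 'long passphrase'`, copy only the `.enc` file to the drive, and hand the passphrase over through a separate channel (never on the same drive). The recipient runs `decrypt_file` with the same passphrase.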

4. Non-standard situations and how to respond to them

While preventive measures are carefully addressed by many organizations, what is often neglected is preparation for non-standard situations and recommended behavior when they occur. One reason may be that a large share of employees never report a security incident; one frequently quoted (but here unsourced) figure puts this above 40%. Let's fix that. The following rules may be helpful:

  • If you receive a suspicious message (e.g. a phishing email), report it immediately to the designated team member responsible for such incidents. Do not forward the message and do not respond to it.

  • If you suspect malicious software on your device, report it immediately to the designated team member. The responsible person will provide further instructions.

  • If you suspect unauthorized access to your account, notify the designated team member immediately. The responsible person will provide further instructions.

Conclusion

The aim of this article was not to give an exhaustive overview of all security rules, but primarily to show you how you can get started. Compiling these rules brings benefits in several ways. In addition to protecting against cyber threats, it also increases the professionalism of the team and improves work processes, which is reflected in the interaction with clients or partner organizations.

Background illustration by: vegefox.com


This piece was published in partnership with VIA Association