Contact us today for fast, friendly advice on all your computing needs.
021 4642096
Use our business to support your business!
The strongest defence a company can have is a layered one. Every company should have levels of data protection policies in place.
Attempts to breach a company’s IT defences are made at all levels of the IT chain: from the hardware components and the software they run, through the operating systems of different machines, to the end user working with the data. Protecting your company’s data needs the same approach – look at every component of your data and protect it at each and every level.
Network components
Start with the network used in your organisation. Ensure the firmware on your routers and switches is up to date, and that the only ports open are those absolutely necessary to the operation of your company – keep as much as you can closed and protected. Be aware of the differences between systems – some have intrusion detection and protection systems, whereas others only have intrusion monitoring systems.
- Set a strong firewall policy allowing access and open ports only for specific traffic.
- Use separate Wi-Fi network segments for guests and external users of the company’s network.
- Use a separate network segment for your CCTV systems.
- Where possible, encourage the use of secure, trusted VPNs if staff are logging in remotely.
- Ensure network printers/faxes have firmware updates done where possible, and disable any component you are not using, e.g. fax.
IT Equipment – desktop computers, laptops, mobile devices
- Keep the firmware of the computing equipment up to date – this can usually be done by going to the support web page of the equipment’s manufacturer and putting in your computer’s serial number. They will show/supply the recommended firmware updates for your equipment. Your IT department can advise on which ones to install.
- Keep the operating systems on all computing equipment up to date with the security and upgrade patches supplied by the producers.
- Keep any software applications patched securely.
- Install a good anti-virus and anti-malware application on the computers. Keep this updated daily. Perform automatic scans of data at regular intervals to help protect against intrusion attempts or unwanted software additions.
- Encrypt the data on the equipment where possible and in particular if the equipment is portable and going off company premises.
- Have a mobile device policy in place whereby data can be remotely wiped off the device if it is lost or stolen.
- Make sure you do regular backups of all data on these devices.
Website
- Ensure the company’s website is patched and on the latest platform and operating software available from your provider.
- Keep your SSL cert up to date.
- Data protection commissioners also have requirements they want organisations to adhere to. For example, last year they changed the cookie policy requirements that organisations need to adhere to on their website. There can be penalties for breach of these.
Company’s People and data they use
A company’s firewall only prevents attacks from outside – if an internal user clicks an email link containing malware or a trojan horse virus, then the damage is done internally.
Every company should have data protection policies in place:
- Enforce Multi-Factor Authentication (MFA) for all staff accounts – this is where a user needs a password and one other piece of user-specific data, e.g. an authenticator code from a mobile phone or a fingerprint, to access a company account. Passwords alone no longer provide sufficient protection; MFA gives an additional level of security.
- Use a reliable Password Manager – make employees aware that having one password on different accounts is a no-no! Provide them with a secure Password Manager application that keeps track of passwords for users and removes the need for writing them down on paper, having just one password on all accounts, having weak passwords, etc.
- Encrypting computing equipment is a must if it is going off company premises, and should also be done if the data is of a sensitive or valuable nature.
- Enforce a policy whereby personal devices are not inserted into company computing equipment.
- Companies should ensure they have separate Wi-Fi network segments for guests and external users of the company’s network that do not interact with the network the staff use. The IT department needs to perform regular checks of network port access and Wi-Fi traffic, and make sure firewalls and security system software are adequate and up to date.
- Operating systems and software on all computing devices have to be kept up to date, and antivirus and anti-malware software on all devices needs to perform regular scans so as to detect any unauthorised files or applications. Staff should be aware of how to do the basics on their own computers and what to be alert for in the results returned from scans.
- Staff need to be aware of new threats and kept informed of who to contact if they are worried about possible attempts on their computer equipment.
- Companies should have their IT department perform regular checks of audit logs. For example, MS 365 subscriptions allow companies to limit access to company data to specified trusted domains or IP addresses. Audits of logs also show if non-owners of accounts have accessed email accounts, and if unauthorised email rules etc. have been set up without approval.
- Companies should have tried and tested backup and restore procedures in place. Don’t lose hope – data can be recovered in a lot of cases!
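The audit-log checks described in the list above, sketched as an added example (not Eonvia's tooling or part of the original page). The log records are constructed; the field names are modelled on Microsoft 365 audit exports and, like the trusted IP range and company domain, are assumptions to adjust to your own export.

```python
import ipaddress
import json

# Assumptions for illustration: replace with your own office ranges and mail domain.
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
COMPANY_DOMAIN = "example.com"
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"}

# Constructed sample records (one JSON object per line), not real log data.
SAMPLE_LOG = """\
{"CreationTime":"2024-05-01T09:12:00","Operation":"MailItemsAccessed","UserId":"anne@example.com","MailboxOwnerUPN":"anne@example.com","LogonType":0,"ClientIP":"203.0.113.10"}
{"CreationTime":"2024-05-01T22:40:00","Operation":"MailItemsAccessed","UserId":"bob@example.com","MailboxOwnerUPN":"anne@example.com","LogonType":2,"ClientIP":"203.0.113.22"}
{"CreationTime":"2024-05-02T03:05:00","Operation":"New-InboxRule","UserId":"carol@example.com","ClientIP":"198.51.100.7","Parameters":[{"Name":"ForwardTo","Value":"drop@mail.example.net"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2024-05-02T10:15:00","Operation":"New-InboxRule","UserId":"dave@example.com","ClientIP":"203.0.113.31","Parameters":[{"Name":"MoveToFolder","Value":"Invoices"}]}
"""

def is_trusted(ip):
    """True if ip parses and falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)

def review(log_text):
    """Return (time, finding, detail) tuples for records that need a human look."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        who, when = rec.get("UserId", "?"), rec.get("CreationTime", "?")
        owner = rec.get("MailboxOwnerUPN")
        # Mailbox opened by someone other than its owner (LogonType 0 = owner).
        if owner and rec.get("LogonType", 0) != 0 and who.lower() != owner.lower():
            findings.append((when, "non-owner-access", f"{who} -> {owner}"))
        # Inbox rule that forwards or redirects mail outside the company domain.
        if rec.get("Operation") in RULE_OPS:
            for p in rec.get("Parameters", []):
                target = str(p.get("Value", "")).lower()
                if p.get("Name") in FORWARD_PARAMS and not target.endswith("@" + COMPANY_DOMAIN):
                    findings.append((when, "external-forward-rule", f"{who} -> {target}"))
        # Activity from an address outside the trusted ranges.
        if rec.get("ClientIP") and not is_trusted(rec["ClientIP"]):
            findings.append((when, "untrusted-ip", f"{who} from {rec['ClientIP']}"))
    return findings
```

Delegate access and forwarding rules are often legitimate, so each finding is a prompt to confirm approval with the account owner rather than proof of compromise.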
The IT department needs to perform regular checks of network traffic, computing devices, email traffic, and the security of software and service accounts. Hardware, firmware, software and operating systems need to be kept up to date. Passwords and account activity need to be checked frequently. Staff need to be aware of new threats and kept informed of who to contact if they are worried about possible attempts on their computer equipment.
We in Eonvia are happy to assist you in setting up data protection policies, backup procedures, and performing audits of your company logs and computing equipment to ensure you are in the best position possible to limit your company’s data vulnerability.