INFORMATION SECURITY PORTAL

BEST PRACTICE

THE BASIS FOR INFORMATION SECURITY


Use what is already available, tested and proven.


It is not always easy to define what best practice in information security is. However, there are some basics that I feel are important, and the first is a structured way of working. Use a framework to structure the information security work; I would recommend the ISO 27000 series. You don’t need to be certified, you only need to work in accordance with the standard. This gives you a structured way of working with information security.

Depending on the size of your company, other frameworks are also available, e.g. MSB’s method for information security, which is based on the standard ISO/IEC 27001 for information security management systems.


Regardless of framework and way of working, there are some practices you should always use. It does not matter whether you have a large or a small company, you should have these practices in place. There is always a risk of being hacked, and if you hold data someone wants, the probability is high. But you don’t need to make it easy for the attacker: use the suggested basic measures!

YOU CAN INCREASE PROTECTION OF YOUR DATA WITH SOME BASIC MEASURES

USE FIREWALL AND VPN

Having a firewall for the company network and your home network is a first line of defense in protecting data against cyberattacks. Firewalls prevent unauthorized users from reaching your websites, mail services and other sources of information that are exposed to the internet.


If you’re working remotely, you can help protect data by using a virtual private network, if your company has one. A VPN is essential when doing work outside of the office or on a business trip. Public Wi-Fi networks can be risky and make your data vulnerable to being intercepted.

It is always good to use a VPN when you connect to a public network, whether you are working or not.

REGULAR TRAINING AND AWARENESS

Employees are essential to protecting the company from cyberattacks!

It is essential that all employees who access the network are trained on your company’s cyber security best practices and security policies.

Since policies evolve as cybercriminals become savvier, it is essential to provide regular updates on new procedures.

Even if you have the best cybersecurity policies in place, if your employees are not aware of them and do not follow them, you are fighting a losing battle.

GOOD PASSWORD PRACTICES

A strong password is a good prevention against cyberattacks. Contrary to what many believe, the important thing is not mixing upper- and lower-case letters, numbers and symbols. What is important is the length of the password, which makes brute-force attacks harder. Based on password research, choose a phrase of four words according to the 4P principle: Private, Personal, Practical and Provoking.


Here are some password handling tips:

  • Use a unique password for each account
  • Never share credentials with colleagues
  • Change passwords after a set period of time, e.g. 90 days
  • Change all default passwords including e.g. IoT devices and printers
  • Use a Password Manager
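The length-first rule above can be turned into a policy check. The following is an added example, not code from the portal: it rejects passwords from a small constructed deny-list, enforces a minimum length (the value 16 and the assumed guess rate of 10^10 per second are assumptions for illustration), and shows the character-level search space a brute-force attacker must cover, which is what makes a four-word phrase stronger than a short "complex" password.

```python
import math

# Constructed deny-list of well-known weak passwords; a real deployment would
# check against a much larger corpus of breached passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 16  # assumed policy value: favour long phrases over short complex strings


def alphabet_size(password: str) -> int:
    """Size of the smallest character set that covers every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return size


def bruteforce_bits(password: str) -> float:
    """log2 of the search space for an exhaustive character-level search."""
    return len(password) * math.log2(alphabet_size(password))


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password deny-list")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


def years_to_bruteforce(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case exhaustive search time at an assumed guess rate (1e10/s is an assumption)."""
    return 2 ** bruteforce_bits(password) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("Tr0ub4d&r", "correct horse battery staple"):
        print(pw, check_password(pw), round(bruteforce_bits(pw), 1), "bits")
```

Note that the search-space estimate is an upper bound: a real attacker uses dictionaries and known phrase patterns first, which is why the 4P principle asks for a phrase that is private and personal rather than a famous quote.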

REGULAR BACKUP AND RESTORE

Backing up data is one of the information security best practices that has gained increased relevance in recent years. With the advent of ransomware, having a full and current backup of all your data can be a lifesaver.

Due to hardware failure, virus infection, ransomware or other causes, you may find yourself in a situation where information stored on the device you use is not accessible. Be sure to regularly back up any data which is important to you personally or to your company.

Make sure that backups are stored in a separate secure location in case of fire or flood. To ensure that you will have the latest backup if you ever need it, test your backups regularly by actually restoring the data and checking that it is intact.
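A restore test is only meaningful if you can tell whether the restored data is complete and unchanged. The following added example (not the portal's code) records a SHA-256 manifest of a directory at backup time and later compares a restored copy against it, reporting missing, corrupted and unexpected files. The `demo()` function builds a small constructed data set in a temporary directory and deliberately damages one restored file to show what the check reports.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_manifest(root: Path) -> dict[str, str]:
    """Map every file (path relative to root) to its digest; taken at backup time."""
    return {
        str(p.relative_to(root)): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored_root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest recorded when the backup was made."""
    restored = make_manifest(restored_root)
    return {
        "missing": sorted(k for k in manifest if k not in restored),
        "corrupted": sorted(k for k in manifest if k in restored and restored[k] != manifest[k]),
        "unexpected": sorted(k for k in restored if k not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: back up a tree, restore it, corrupt one file, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "policy.txt").write_text("information security policy v1\n")
        (src / "customers.csv").write_text("id,name\n1,Example AB\n")
        manifest = make_manifest(src)  # stored alongside the backup in practice

        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)
        # simulate silent corruption of one restored file
        (restored / "customers.csv").write_text("id,name\n1,Exampl\n")
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    print(demo())
```

Keep the manifest with the offsite copy, not only on the system being backed up; a ransomware attack that encrypts the originals would otherwise also take the manifest you need to judge the restore.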

SECURE ERASURE OF OLD HARDWARE

When decommissioning old hardware, e.g. hard drives, it is important that you permanently delete or destroy the data so that nothing remains that could give an attacker useful information.


To prevent access to data, there are three ways to wipe data: delete it using “secure delete” software, degauss it, or destroy the hard drive.


Deleting files without “secure delete” software just hides them from the operating system. The data isn't really gone until the same space is overwritten by something else. This is exactly what “secure delete” software does: it overwrites the selected files, ensuring that they can never be undeleted with file recovery software.
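To make the overwrite step concrete, here is an added example (not the portal's code) of the mechanism a “secure delete” tool applies to a single file: the file's existing bytes are replaced in place with random data, the write is forced through the operating system's cache to the device with `fsync`, and only then is the directory entry removed. The `demo()` function creates a constructed temporary file to run against.

```python
import os
import tempfile
from pathlib import Path


def secure_delete(path, passes: int = 1, chunk_size: int = 1 << 16) -> int:
    """Overwrite a file's contents in place with random bytes, then unlink it.

    Returns the number of bytes overwritten per pass.
    """
    path = Path(path)
    size = path.stat().st_size
    with path.open("r+b") as f:  # r+b keeps the same inode/blocks instead of creating a new file
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # make the overwrite reach the device, not just the page cache
    path.unlink()  # remove the directory entry only after the contents are gone
    return size


def demo() -> tuple[int, bool]:
    """Constructed scenario: write a small file, securely delete it, report what happened."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"customer list: Example AB, Example GmbH\n" * 100)
        name = tmp.name
    overwritten = secure_delete(name, passes=2)
    return overwritten, os.path.exists(name)


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner needs: in-place overwriting is only reliable on traditional magnetic disks. On SSDs and other flash media, wear levelling can map the new writes to different physical cells, and copy-on-write or snapshotting filesystems keep the old blocks. For such devices use the drive's own secure-erase command, full-disk encryption with destruction of the key, or the degaussing and physical destruction options the text mentions.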

USE ANTIVIRUS/ANTI-MALWARE

Following IT security best practices means installing antivirus and anti-malware software on all computers and devices.


It is very important to keep the antivirus and anti-malware software up to date. Antivirus and anti-malware protections are frequently revised to target and respond to new cyberthreats.


Don’t forget to use antivirus and anti-malware on your personal devices as well. This is especially important if personal devices are allowed to be used for work.

SOFTWARE UPDATES/PATCHING

Always keep all your software updated with the latest patches! Update operating systems, programs, applications, web browsers and antivirus software regularly. Software can include bugs which allow someone to monitor or control the computer systems you use. In order to limit these vulnerabilities, make sure that you follow the instructions provided by software vendors to apply the latest updates.


If your company sends out instructions for security updates, install them right away. This also applies to personal devices you use at work. Installing updates promptly helps defend against the latest cyberthreats.


Delete or deactivate any software, programs, or applications that you're not using.

USE MULTI-FACTOR AUTHENTICATION

Multi-factor authentication (MFA) remains one of the cybersecurity best practices.


MFA helps you protect sensitive data by adding an extra layer of security, leaving malicious actors a much smaller chance of logging in as if they were you.

Even if a malicious actor had your password, they would still need your second and maybe third “factor” of authentication, such as a security token, your mobile phone, your fingerprint, or your voice.


Companies may also require multi-factor authentication when you try to access sensitive networks or systems. This adds an additional layer of protection by asking you to take at least one extra step, e.g. entering a login code sent to your mobile phone or generated by an authenticator app.

USE MINIMUM PRIVILEGES

One of the best practices is to only give people the access they require to do their jobs!

Granting new employees all privileges by default allows them to access sensitive data even if they don’t necessarily need to. Such an approach increases the risk of insider threats and allows hackers to get access to sensitive data as soon as any of your employee accounts is compromised.


In other words, assign each new account the fewest privileges possible and add privileges only when necessary. And when access to sensitive data is no longer needed, all corresponding privileges should be revoked immediately.
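Revoking access that is no longer needed is easier with a periodic review that flags idle privileges. The following added example (not the portal's code) runs such a review over a constructed list of access grants: a privilege that has not been used within a chosen idle period (90 days is an assumption, chosen to match the password-rotation period above) is reported for revocation, and a grant that was never used is measured from the date it was given. A default-deny `is_allowed` check is included to show that anything not explicitly granted is refused.

```python
from datetime import datetime, timedelta

# Constructed access grants: (account, privilege, granted_on, last_used); None = never used
GRANTS = [
    ("alice", "hr-database:read", datetime(2020, 1, 10), datetime(2020, 5, 30)),
    ("alice", "finance-share:write", datetime(2020, 1, 10), None),
    ("bob", "finance-share:write", datetime(2020, 3, 2), datetime(2020, 6, 1)),
    ("bob", "domain-admin", datetime(2020, 3, 2), datetime(2020, 3, 3)),
]


def is_allowed(account: str, privilege: str, grants=GRANTS) -> bool:
    """Default deny: access exists only if an explicit grant is on record."""
    return any(a == account and p == privilege for a, p, _, _ in grants)


def stale_grants(grants, now: datetime, max_idle_days: int = 90) -> list[tuple[str, str, str]]:
    """Return (account, privilege, reason) for every grant idle longer than max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for account, privilege, granted_on, last_used in grants:
        reference = last_used if last_used is not None else granted_on
        if reference < cutoff:
            reason = "never used" if last_used is None else f"last used {last_used.date()}"
            findings.append((account, privilege, reason))
    return findings


def revoke(grants, account: str, privilege: str) -> list:
    """Return the grant list without the named privilege for the account."""
    return [g for g in grants if not (g[0] == account and g[1] == privilege)]


if __name__ == "__main__":
    review_date = datetime(2020, 6, 10)  # constructed review date
    for finding in stale_grants(GRANTS, review_date):
        print("revoke candidate:", finding)
```

In practice the grant and last-used data come from the directory service and its sign-in or audit logs; the point of the review is that an unused privilege, and in particular an unused administrative one, is pure risk with no business benefit.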


LEARN FROM OTHERS 


Whatever you are planning to do, someone else has almost always done it before. Learn from their experience!

USE TEMPLATES


To help with writing certain documents, e.g. guidelines and routines, I have developed templates for different areas. When possible, I will continue to gradually develop more.

Copyright © 2019-2020 InformationSecurityPortal.se - All Rights Reserved