Security & Privacy Best Practices
Cybersecurity is a growing concern for organizations, regardless of size. While you can never fully take away the risk of an attack or breach, with some planning, due diligence, and regular review, you can take helpful steps to protect your entity in this important area.
Operations & Human Resources:
Educate Your Employees. Data breaches are often caused by employees – navigating to sites infected with malware, downloading infected attachments, and/or accessing Wi-Fi from an unsecure location. Educate your employees on your policies and why they are in place. Encourage them to frequently change passwords, and offer guidelines on creating secure passwords. As mobile devices become more and more prevalent, it is essential to also consider smartphones and tablets in your business cybersecurity plan. You will need to develop policies and controls around protecting data on employee devices (such as mandating a security lock) and also talk to employees about protecting any company data they may have on their phones or tablets.
Checking Account and Financial Statements. Review your checking account and financial statements for suspicious amounts or vendors. By keeping a regular pulse on the financial state of your business, you will be more likely to recognize fraudulent activity. These documents should be reviewed on a monthly basis.
Segregation of Duties. Regularly review your company’s segregation of duties for any gaps, especially if there has been staff turnover in the accounting department. This issue is best dealt with as soon as an employee leaves, but you may find it helpful to set a regular review schedule to ensure that proper separation is maintained.
Technology Controls. When reviewing gaps from employee turnover, don’t forget technology controls. Companies often forget to change access codes and passwords when an employee leaves, leaving their technology at risk. A regular review of policies and access levels will help to prevent security breaches.
Access Security - disabling network access, disabling e-mail access, and deleting contact information from all company directories.
Data Security - recovering all data from the desktop hard drive and notifying vendors so that this individual cannot place orders or incur obligations on behalf of the company.
Company Policies and Educational Processes:
Each year, companies should review their anti-fraud and whistleblower policies to ensure they are still effective for the company’s current size and that they are serving their intended purpose. While these are general risk areas that affect every company, it is essential to understand your business’ specific risks, which will depend on your size, structure and industry. Involve your Board of Directors, Audit Committee, or Certified Public Accountant as appropriate. Larger organizations may want to engage a Certified Fraud Examiner to help it review and develop the appropriate controls. A small time investment upfront may just pay off by preventing costly occupational fraud.
Internal Controls and Policies. Just like you have internal controls for your financial processes, you need controls and policies around your IT assets, as well. Ensure that passwords are changed and access is removed for terminated employees as soon as possible, and limit employee access to sensitive data.
Develop and communicate clear policies for employees regarding what devices they can use, what types of programs/applications they can download, and how to securely access Wi-Fi when needed. Without clear, communicated policies around your company’s IT, even the strongest controls will not do much to significantly decrease your organization’s vulnerability.
Implement a mobile device management program, requiring authentication to unlock a device, locking out a device after five failed attempts, using encrypted data communications/storage, and enabling the remote wiping of devices if a mobile device is lost or stolen.
Permit only authorized wireless devices to connect to your network, including point of sale terminals and credit card devices, and encrypt communications with wireless devices such as routers and printers. Keep all "guest" network access on separate servers and access devices with strong encryption such as WPA2 with AES encryption or use of an IPSec VPN.
DATA Breach Prevention:
Computers & ServersContinuously monitor in real-time the security of your organization’s infrastructure including collecting and analyzing all network traffic in real time, and analyzing centralized logs (including firewall, IDS/IPS, VPN and AV) using log management tools, as well as reviewing network statistics. Identify anomalous activity, investigate, and revise your view of anomalous activity accordingly.
Deploy web application firewalls to detect/prevent common web attacks, such as cross-site scripting, SQL injection and directory traversal attacks. Review and mitigate the top 10 list of web application security risks identified by the Open Web Application Security Project (OWASP). If relying on third-party hosting services, require deployment of firewalls.
Harden client devices by deploying multilayered firewall protections (both client and WAN-based hardware firewalls), using up-to-date anti-virus software, disabling by default locally shared folders and removing default accounts. Enable automatic patch management for operating systems, applications (including mobile and web apps) and add-ons. All ports should be blocked to incoming traffic by default. Disable auto-running of removable media (e.g. USB drives, external drives, etc.). Whole disk encryption should be deployed on all laptops, mobile devices and systems hosting sensitive data.
Conduct regular penetration tests and vulnerability scans of your infrastructure in order to identify and mitigate vulnerabilities and thwart potential attack vectors. Regularly scan your cloud providers and look for potential vulnerability points and risks of data loss or theft. Deploy solutions to detect anomalous flows of data which will to help detect attackers staging data for exfiltration.
Implement Always On Secure Socket Layer (AOSSL) for all servers requiring log in authentication and data collection. AOSSL helps prevent sniffing data from being transmitted between client devices, wireless access points and intermediaries.
Regularly Update Security Programs. An out-of-date antivirus software is almost as ineffective as not having one at all. Don’t ignore those little pop-ups and reminders to download the latest update, and make sure your employees don’t, either.
Review server certificates for vulnerabilities and risks of your domains being hijacked. Attackers often use “Domain Validated” (DV) SSL certificates to impersonate e-commerce websites and defraud consumers. Sites are recommended to upgrade from DV certificates to “Organizationally Validated” (OV) or “Extended Validation” (EVSSL) SSL certificates. OV and EV SSL certificates are validated by the Certificate Authority to ensure the identity of the applicant. EV SSL certificates offer the highest level of authentication and verification of a website. EVSSL provides users a higher level of assurance that the site owner is who they purport to be, presenting the user a green trust indicator in a browser’s address bar.
Develop, test and continually refine a data breach response plan. Regularly review and improve the plan based upon changes in your organization’s information technology, data collection and security posture. Take the time after an incident to conduct a post-mortem and make improvements to your plan. Conduct regular tabletop exercises testing your plan and personnel.
Backup Your Data. Even with the right controls in place, your digital assets may still be compromised. It’s important to backup your financial, legal, and client information on a regular basis. Set backup processes to run automatically so that they are not subject to human error (i.e. – forgetfulness).
Be Knowledgeable About the Cloud. Cloud-based storage offers a variety of benefits, especially for smaller entities that do not have internal IT staff. However, you are still responsible for your data when it is stored in the cloud, so make sure you fully understand where cloud-based data is stored (in the US or offshore) and your provider’s liability to protect the data.
Enforce effective password management policies. Attacks against user credentials, including brute force, sniffing, host-based access and theft of password databases, remain very strong attack vectors warranting the use of effective password management controls. Best practices for password management include:
- Use multi-factor authentication (e.g. one-time PINs) for access to administratively privileged accounts. Administrative privileges should be unique accounts and monitored for anomalous activity and should be used only for administrative activities;
- Require users to have a unique password for external vendor systems and refrain from reusing the same password for internal system and personal website logins;
- Require strong passwords comprised of an 8-character minimum including a combination of alphanumeric characters, and force password changes every 90 days with limited reuse permitted;
- Deploy a log-in abuse detection system monitoring connections, login counts, cookies, machine IDs, and other related data;
- Avoid storing passwords unless absolutely necessary and only store passwords (and files) that are hashed with salt or are otherwise encrypted;
- Remove or disable all default accounts from all devices and conduct regular audits to ensure that inactive accounts can no longer access your infrastructure;
- Remove access immediately for any terminated employees or any third parties or vendors that no longer require access to your infrastructure.
Least privilege user access (LUA) is a core security strategy component, and all accounts should run with as few privileges and access levels as possible. LUA is widely recognized as an important design consideration in enhancing data security. It also provides protections against malicious behavior and system faults. For example, a user might have privileges to edit a specific document or email campaign, but lack permissions to download payroll data or access customer lists. Also, LUA controls help to minimize damages from exposed passwords or rogue employees.
Require email authentication on all inbound and outbound mail streams to help detect malicious and deceptive emails including spear phishing and spoofed email. All organizations should:
- Authenticate outbound mail with SPF and DKIM, including parked and delegated sub-domains;
- Adopt a DMARC reject or quarantine policy once you have validated that you are authenticating all outbound mail streams;
- Implement inbound email authentication check for SPF, DKIM, and DMARC;
- Encourage business partners to authenticate all email sent to your organization to help minimize the risk of receiving spear-phishing and spoofed emails;
- Require end-to-end email authentication using SPF and DKIM with a DMARC reject or quarantine policy for all mail streams managed or hosted by third parties.