All IT managers likely believe their company’s information security could be improved, but budget issues often get in the way. However, here are some affordable steps companies can take now.
While there are a lot of complex and expensive technologies companies can deploy to block as many IT security threats as possible, there are also plenty of minor changes that will pay big dividends.
Here are some of the low- or no-cost steps companies can take to address the most common threats:
1. Improve security awareness training
Many of the security incidents companies deal with are blamed at least in part on end users. A lot of data breaches originate when criminals steal credentials or infect networks with malware via phishing scams or web-based attacks targeting the company’s employees.
That’s why making sure users are aware of those threats and know how to avoid them is a key part of most organizations’ security strategy.
Not all experts recommend training users for better security. In fact, some say that security awareness training is a waste of time and does very little to actually improve security.
But others such as Dark Reading’s John H. Sawyer say the problem isn’t the concept of training itself, but rather how most companies conduct it.
One way to improve IT security training: Keep IT out of it.
Since data security is an IT issue, it seems that IT staff should be responsible for conducting the training. But that has a couple of problems:
- Most IT staffers don’t have experience with training or education, and
- IT departments often lack the clout necessary to demand employees’ attention.
Of course, IT should be involved in shaping the content of that training. But the message will probably be more effective if employees hear it from their supervisor or someone else with authority over them.
2. Segment the network
Another way many organizations keep a compromise of a user’s machine from spreading to the entire IT infrastructure: segmenting the network so that breaches stay contained.
Rather than applying the same controls to the whole perimeter, segmenting the network lets companies apply stricter precautions to their most sensitive servers and information.
At the very least, many experts recommend keeping users’ Internet-facing workstations on their own segment and using host-based firewalls on the rest of the network to control which traffic from that segment is allowed in.
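As an added example (not code from the original article), the following POSIX shell script builds the host-based firewall half of that design: an iptables-restore ruleset for a server that sits outside the user segment, defaulting to DROP, admitting the user segment only on the published service ports, restricting SSH to a management range, and logging whatever else arrives from user machines before dropping it. The CIDRs, ports and log prefix are assumed values chosen for illustration.

```shell
#!/bin/sh
# Added example: default-deny host firewall (iptables-restore format) for a
# server outside the user segment. Network ranges and ports below are assumed
# values for illustration, not anything from the article.
USER_SEGMENT="${USER_SEGMENT:-10.10.0.0/16}"   # where user workstations live
MGMT_SEGMENT="${MGMT_SEGMENT:-10.20.0.0/24}"   # admin jump hosts
SERVICE_PORTS="${SERVICE_PORTS:-443}"          # TCP ports users may reach

# gen_rules <user_cidr> <mgmt_cidr> "<tcp ports>"
# Prints an iptables-restore ruleset: INPUT defaults to DROP, the user
# segment gets only the listed service ports, SSH is reachable only from the
# management segment, and everything else from users is logged, then dropped.
gen_rules() {
  user_cidr="$1"; mgmt_cidr="$2"; ports="$3"
  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]'
  printf '%s\n' ':FORWARD DROP [0:0]'
  printf '%s\n' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  # Administration only from the management segment
  printf '%s\n' "-A INPUT -s $mgmt_cidr -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
  # The user segment may open connections only to the published services
  for p in $ports; do
    printf '%s\n' "-A INPUT -s $user_cidr -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Anything else from user machines is evidence of scanning or a worm:
  # log it (rate limited so a flood cannot fill the disk) and drop it
  printf '%s\n' "-A INPUT -s $user_cidr -m limit --limit 5/min -j LOG --log-prefix \"USERSEG-DROP: \""
  printf '%s\n' "-A INPUT -s $user_cidr -j DROP"
  printf '%s\n' 'COMMIT'
}

# rule_count <ruleset> : number of -A rules, handy as a sanity check before
# loading the file
rule_count() {
  printf '%s\n' "$1" | grep -c '^-A '
}

# Usage on the server:
#   gen_rules "$USER_SEGMENT" "$MGMT_SEGMENT" "$SERVICE_PORTS" > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4
gen_rules "$USER_SEGMENT" "$MGMT_SEGMENT" "$SERVICE_PORTS"
```

The explicit LOG rule ahead of the final DROP is what makes segmentation pay off operationally: a workstation that suddenly probes port 445 or 3389 on a server shows up in the kernel log with the `USERSEG-DROP:` prefix, which is a cheap early-warning signal for the SOC.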
3. Patch all applications
While some IT security attacks exploit zero-day vulnerabilities, many exploit flaws for which vendors have already released patches. Those attacks succeed because companies fail to keep their software up to date.
Take the popular and dangerous Java platform, for example. Despite the importance of the platform’s security updates, many businesses are still running outdated versions of Java, according to a recent report from Websense Security Lab.
Among the more than one billion endpoints monitored by Websense for its business customers, just 7% of the machines were running the latest version of Java. Moreover, 75% were running a version more than six months old and half were at least a year behind.
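Finding the laggards is the first step to fixing them. As an added example (not from the article or from Websense), the following POSIX shell script reads the banner that `java -version` prints, normalises both the legacy `1.7.0_45` naming and the modern `11.0.2` / `17.0.1+12` form, and flags installs older than an approved baseline. The baseline and the two sample banners are constructed values for illustration.

```shell
#!/bin/sh
# Added example: flag endpoints running Java older than an approved baseline.
# Parses the banner printed by `java -version` (it goes to stderr), handles
# the legacy "1.7.0_45" and modern "11.0.2" / "17.0.1+12" formats, and
# compares numerically field by field. Baseline and sample banners are
# assumed values for illustration.
MIN_JAVA="${MIN_JAVA:-1.7.0_51}"

# java_norm <version> : "1.7.0_45" -> "7.0.45", "17.0.1+12" -> "17.0.1"
java_norm() {
  v="$1"
  case "$v" in 1.*) v="${v#1.}" ;; esac   # legacy 1.x naming means "Java x"
  v="${v%%+*}"; v="${v%%-*}"               # drop build suffixes
  printf '%s\n' "$v" | tr '_' '.'
}

# version_lt <a> <b> : succeeds when a is older than b
version_lt() {
  a=$(java_norm "$1"); b=$(java_norm "$2")
  i=1
  while :; do
    x=$(printf '%s\n' "$a" | cut -d. -f"$i")
    y=$(printf '%s\n' "$b" | cut -d. -f"$i")
    if [ -z "$x" ] && [ -z "$y" ]; then return 1; fi   # ran out: equal
    x="${x:-0}"; y="${y:-0}"                            # missing field = 0
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
}

# java_version_from_banner <banner text> : pulls the quoted version string
java_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# java_outdated <banner text> <minimum> : succeeds when the banner's Java is
# older than <minimum>, or when no version could be read at all (an
# unreadable install is a finding, not a pass)
java_outdated() {
  found=$(java_version_from_banner "$1")
  [ -n "$found" ] || return 0
  version_lt "$found" "$2"
}

# Constructed sample banners standing in for `java -version 2>&1`
OLD_BANNER='java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)'
NEW_BANNER='openjdk version "17.0.1" 2021-10-19
OpenJDK Runtime Environment (build 17.0.1+12)'

for banner in "$OLD_BANNER" "$NEW_BANNER"; do
  if java_outdated "$banner" "$MIN_JAVA"; then
    echo "OUTDATED: $(java_version_from_banner "$banner") < $MIN_JAVA"
  else
    echo "ok: $(java_version_from_banner "$banner")"
  fi
done
# On a real endpoint: java_outdated "$(java -version 2>&1)" "$MIN_JAVA"
```

Run it from your endpoint management tool and collect the `OUTDATED:` lines centrally; a plain string comparison would get this wrong (`1.7.0_9` sorts after `1.7.0_45`), which is why the fields are compared as integers.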
4. Improve communication
Another important step organizations must take: Know where the most likely threats are and communicate that information throughout the organization.
Doing that will help make sure the company is allocating its security resources to the right places. However, a lot of companies aren’t doing that. For example, among the executives surveyed in a recent PwC study:
- 22% didn’t know how their losses related to cyber crime over the past 12 months compared to previous years
- 21% weren’t sure which types of cyber security threats posed the greatest risks for their organization, and
- 17% were unable to list all of the cyber crimes that affected their business over the past 12 months.
Improving communication about threats and what actions can help stop them will help get the whole company on board with improving security.