[This is a free translation of a blog by my colleague at ESET Latin America, Sebastián Bortnik. As ever, mistakes in translation and interpretation are down to me. Would this be a bad time to mention the AVIEN Malware Defense Guide for the Enterprise? ;-) DH]
Considering security in the enterprise is no easy task: it's a complex and ongoing process involving various technological, management and educational controls. However, ESET firmly believes that all businesses need to be prepared to meet this challenge. How better to start than to come to grips with the principles that should govern information protection? To this end, we have developed this material, which we shared a few weeks ago with Colombian business executives, and now make available to the general public. So here are what we consider to be the 10 commandments of corporate security.
1. Define a security policy
This is the document which governs all data security within the company. Some tips? It shouldn't be too lengthy (no employee is likely to engage fully with a fifty page document); it should not demand the impossible; and it should show that you value your employees. (A further recommendation: have an executive or the HR department deliver it, rather than IT support.)
2. Make use of security technologies
These are the basis for the security of the company's data/information. A network that does not have antivirus protection, firewalling or antispam will be exposed to too many risks for other controls to cover adequately. According to data presented in the ESET Security Report Latin America, 38% of enterprises in the region were infected with malware last year.
3. Educate your users
Moreover, educate all your users. Technically adept users or the IT Department are often not included in security training, as if it were proven that they are less vulnerable to threats. According to ThreatSense.Net statistics, 45% of the threats detected in the region last year made use of social engineering, against which technical expertise unrelated to security may offer no defence at all.
4. Take control of physical access to information
Information security is not a problem that should be considered only in terms of "virtual" information, but should also consider the physical media where it is stored. Where are the servers? Who has access to them? Without a doubt, physical access is crucial. Printed data should also be considered in this respect. For example, physical access to offices where confidential information is held (Management, accountants etc.) or where there is access to printers (someone could "accidentally" see or steal confidential information).
5. Maintain your software
Software vulnerabilities are the gateway to many attacks against the organization. According to the report on the state of malware in Latin America, 41% of USB devices are infected and 17% of the malware used exploitation of vulnerabilities. Keeping the operating system and other applications up to date with the latest security patches is a vital security measure.
6. Don't just rely on IT to defend your systems
One of the most common security errors is to fail to understand that security is not purely a technological problem. There should also be a team whose sole purpose is to manage information security, and this should be given full consideration rather than ignored in favour of issues such as usability and convenience. Security is not the only business need, but it is important.
7. Don't give ordinary users administrative rights
If users don't have administrative rights they don't need, the impact of an intrusion into the system will be limited. Once again, we should emphasise the importance of implementing this control for the entire company: members of the IT department and senior management should also have limited privileges for day-to-day computer usage, using administrator accounts only where the job in hand requires them.
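The control in point 7 is easy to state and easy to let slip, so it helps to have a check that can be rerun. The script below is an added illustration, not part of Sebastián's post or any ESET tool: it parses group data in /etc/group format and reports every account holding membership of an administrative group that is not on an approved list. The sample group file, the set of groups treated as administrative (sudo, wheel and docker, the last of which grants root-equivalent access) and the approved list are all constructed for the example.

```python
"""Least-privilege audit: flag accounts with administrative group membership
that are not on an approved list. Added example; the group data, the admin
group names and the approved list are constructed assumptions."""

# Constructed sample in /etc/group format (name:password:gid:members).
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:alice,bob,svc-backup
wheel:x:10:alice
users:x:100:alice,bob,carol
docker:x:999:carol
"""

# Groups whose membership confers administrative rights (assumed for the example).
ADMIN_GROUPS = {"sudo", "wheel", "docker"}

# Accounts approved to hold admin rights (assumed; in practice a separate named
# admin account per person, distinct from their everyday login).
APPROVED_ADMINS = {"alice"}


def parse_group_file(text):
    """Return {group_name: set(members)} from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue  # malformed line: skip rather than guess at its meaning
        name, _password, _gid, members = fields
        groups[name] = {m for m in members.split(",") if m}
    return groups


def find_unapproved_admins(text, admin_groups=ADMIN_GROUPS, approved=APPROVED_ADMINS):
    """Return {account: sorted list of admin groups} for every account that
    holds membership of an administrative group but is not approved to."""
    groups = parse_group_file(text)
    findings = {}
    for group in admin_groups:
        for member in groups.get(group, set()):
            if member not in approved:
                findings.setdefault(member, []).append(group)
    return {account: sorted(gs) for account, gs in findings.items()}


if __name__ == "__main__":
    for account, gs in sorted(find_unapproved_admins(SAMPLE_GROUP_FILE).items()):
        print(f"{account}: unapproved membership in {', '.join(gs)}")
```

On the constructed sample the report names bob and the svc-backup service account (both in sudo) and carol (in docker); alice is on the approved list and is not reported. Run against a real group file, a non-empty result is the list of accounts whose day-to-day privileges need trimming.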
8. Think before you sacrifice security to save money
Security should be designed to protect business information and, therefore, the business. When investing in security, take into account the value of the information that is to be protected, the likelihood of a breach, and the likely consequences of such a breach.
9. Don't finish a security project
That may seem a strange thing to say, but it isn't, because you shouldn't start a project either. Security must be seen as a continuum, not a process with a fixed start and end point. It is true that small implementations of security controls may need to be run as projects, but the general protection of information should not be perceived as a project, but as a continuous process and ongoing business requirement.
10. Don't underestimate the importance of information security
Our last and possibly most important point is to urge you to understand the importance of well-protected business information. One of the worst mistakes that an executive can make is to think that a control should not be implemented because "I don't think it will happen to me". Many companies, especially small and medium-sized enterprises, may not recover from a severe information breach.
These are, in Sebastián's view, the ten commandments of enterprise security. What do you think? If you would be inclined to add or remove something, leave a comment here and I'll pass it on. If not, it's time to get to work on taking care of your company.
Sebastián Bortnik and David Harley
Author David Harley, ESET