An Overview of Essential Security Measures for Competitive Organizations
Considering that information is the most valuable asset of any organization, information security is one of the most important areas for every business and individual. Looking at the big picture, approximately 86% of all websites had a serious vulnerability in 2015 [1]. Given this statistic, security measures such as passwords, data protection, firewalls, antivirus, OS and mobile encryption, network monitoring and education are imperative aspects to consider in protecting the organization’s most important assets.
This paper focuses on the organizational level as well as the importance of each individual in an organization. With the rapidly advancing technology around us, we identify key security concerns and measures an organization must be aware of as well as steps to minimize overall risk of data and information loss. Implementation of those security measures is key for any organization that is looking to advance and gain an edge over their competition.
In today’s world, whether an organization has a small network managed and controlled by a small team of individuals or has multiple large databases and mainframes managed by a large team of professionals, information technology is always present in the structure of an organization. As large corporations seek to maximize shareholders’ wealth and gain an edge in increasingly competitive niche markets, more top-level managers and executives seek the competencies and potential benefits that a strong information security structure provides. In today’s world of innovation and advancements in technology, information technology is transitioning from being an afterthought to a “must have” requirement in nearly every aspect of the organization.
As previously mentioned, information is one of the most important assets of any organization. With that in mind, organizations must ensure the integrity, confidentiality and high availability of their data. Due to the large volume of competition in the world, there are constant information security threats that endanger the well-being of an organization. In order to have manageability, confidentiality of information, and security, organizations are implementing a variety of measures to protect themselves against potential attacks and information loss.
This paper will examine different security measures that organizations must implement in order to protect their most valuable asset: information. In this paper, we make a case for what companies and organizations must do in order to stay secure and protected against threats by implementing the following security measures [1].
Security Measures Overview
In order for organizations to maintain a high level of information integrity and minimize risk, it is highly recommended that an organization implement security measures. Technical and organizational security measures are almost an everyday requirement in order to minimize risk while maintaining confidentiality, manageability and scalability of the organization. Security measures such as policies and regulations allow an organization to maintain, implement, administer and audit its security. If there are any threats or attacks to the organization, the measures help mitigate any risks as well as quickly implement countermeasures.
It is imperative that organizations have strong security measures in place because not having them could be the difference between an organization staying in business for a long period of time and filing for bankruptcy.
Introduction to Passwords
For organizations to maintain a high level of information integrity and minimize risk, one of the most commonly implemented security measures in all aspects of information technology is protecting information of all kinds using passwords. Password protection is used for almost everything we access, ranging from emails, servers and blogs to personal accounts. According to Webopedia, a password is “a secret series of characters that enables a user to access a file, computer or program”. Simply put, passwords are created to ensure security and protect the integrity of whatever you are accessing, such as emails, bank accounts and databases.
Password Protocols and Policies
As hackers’ intrusion skills improve, more advances in designing better security and authentication protocols are made. Security systems are created to require additional password complexity and more frequent password changes, to restrict simple passwords, and to prevent re-use of a password that has been used before. In the National Football League, for example, all Information Technology departments and teams are regularly audited in order to prevent leakage of important passwords. Since the teams collect a lot of information such as credit card numbers and addresses from their customers whenever they purchase game tickets or merchandise, the teams need to ensure their customers’ identity is secure. The league audits all systems that store that information and looks for vulnerabilities.
With passwords being so easy to anticipate [2], systems are being altered to require users to create passwords that are much more difficult to guess. To prevent users from repeatedly guessing a password until it is correct, there are policies set to lock accounts out after a specific number of failed attempts. The 2013 Trustwave Global Security Report, which analyzed over 300 breaches over 18 countries, stated that “80% of security incidents were due to the use of weak administrative passwords”.
The use of weak passwords or default credentials continues to be one of the primary weaknesses of organizations. This is a large vulnerability, which is often exploited by hackers. Hackers can easily crack non-complex passwords by coding a program that looks through different words in the dictionary and combines the words with a sequence of numbers. If an organization does not have a policy in place that locks out a user’s account after a number of failed tries to enter the password, the organization could be easily exploited.
Additionally, the report concluded that individuals are still writing passwords down on paper, and this poses a large risk. As this paper floats around the office or home, unauthorized users can use it to access information. There have also been many cases where information such as passwords has been easily stolen and sold to outsiders.
Password Security Education
In order to minimize vulnerabilities associated with passwords, organizations and individuals must take responsibility. The primary step is educating members of the organization about basic security practices as well as best password practices. Employees are typically the target of all attacks because they use simple passwords or the same exact password for everything. Hackers and other individuals target employees in an attempt to steal their passwords via phishing attacks and multiple other techniques. Investing in educating the employees about security awareness is extremely important.
Many organizations are implementing policies and regulations that require individuals to attend quarterly workshops where best practices training is provided. Organizations are also implementing additional tracking measures that monitor all aspects of vital data, with which they can pinpoint an individual if needed.
Standardization of Policies and Security Measures
For organizations nowadays, it is essential to standardize security implementations across all platforms and devices. This allows for easier manageability with centralized access. According to NIST (National Institute of Standards and Technology), the following are recommended practices for setting a strong password: using at least 12 characters, with at least one upper-case letter and two special characters in combination with lower-case letters. NIST recommends that users not select common phrases, a string of numbers or their user ID.
In addition, many security analysts suggest not using online password generators because if there were an intrusion on the server that stores all cookies from users who visited the online password generators, the users could be traced back and the generated “secure” passwords could be used to do damage to the organization’s security infrastructure.
If an organization’s employees follow the suggested practices above and security policies are implemented where users are forced to periodically change their password, the organization’s security would increase as a whole and intruders would have a smaller chance of hacking in.
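The password criteria listed above, the dictionary-word-plus-numbers guessing pattern and the lockout after repeated failed attempts can all be enforced in code. The following Python sketch is an added example, not part of the original paper; the lockout threshold, the small word list and the names policy_violations and LockoutTracker are assumptions made for illustration.

```python
import re

MAX_FAILED_ATTEMPTS = 5  # assumed threshold; the paper gives no number
COMMON_WORDS = {"password", "welcome", "football", "dragon"}  # constructed sample list

def policy_violations(password, user_id):
    """Return the rules from this section that the candidate password breaks."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if sum(1 for c in password if not c.isalnum()) < 2:
        problems.append("fewer than two special characters")
    if password.isdigit():
        problems.append("string of numbers")
    if user_id and user_id.lower() in password.lower():
        problems.append("contains the user ID")
    # A dictionary word followed by digits is the pattern the guessing
    # program described above tries, so reject it outright.
    match = re.fullmatch(r"([A-Za-z]+)\d*", password)
    if match and match.group(1).lower() in COMMON_WORDS:
        problems.append("dictionary word plus digits")
    return problems

class LockoutTracker:
    """Counts consecutive failed logins per account and locks at the threshold."""

    def __init__(self, max_failed=MAX_FAILED_ATTEMPTS):
        self.max_failed = max_failed
        self.failed = {}

    def is_locked(self, account):
        return self.failed.get(account, 0) >= self.max_failed

    def record(self, account, success):
        """Record one login attempt; return True only if it is accepted."""
        if self.is_locked(account):
            return False  # once locked, even the correct password is refused
        if success:
            self.failed.pop(account, None)  # a good login resets the counter
            return True
        self.failed[account] = self.failed.get(account, 0) + 1
        return False
```

A locked account stays locked until an administrator or a timed reset clears its counter, which this sketch leaves out.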
Data Protection and Disaster Recovery
Data Protection is essential to an organization in order to protect the most important assets of the organization. It is vital for an organization to be informed about data protection principles and best practices. An organization should set policies and procedures for data protection. In the event of a disaster, the data protection plan would explicitly define how an organization could act during these critical situations, involving incidents with high urgency. In this section, we will discuss some of the main drivers for the existence of data protection within an organization, some of the steps to take to mitigate risk and analyze key factors for data protection.
Policies and Regulations in Data Protection
In a world where technology is rapidly evolving and risk is increasing daily, the main drivers for data protection implementation are compliance and responses to incidents. After a turbulent beginning of the twenty-first century, the government has placed specific requirements for data protection on organizations involved in highly regulated industries such as financial services, healthcare and pharmaceuticals. For example, the United States government mandates financial institutions to retain financial information for extended periods for audits and compliance. This is done to protect the stakeholders of the organization and ensure we do not have an ‘Enron’ like situation happen again. In highly regulated industries, there are specific requirements organizations have to follow. The following image displays a breakdown of the total amount of threats in the world towards financial institutions during the year of 2013.
Organizations must have policies in place for events involving their data. The way an organization would conduct itself and the steps to carry out in a disaster would be detailed in the Data Protection Plan. According to findings by McAfee, 50 percent of organizations believe that senior management’s inclination to invest in data protection is solely a result of some type of breach. Some of the reasons to fund data protection efforts include the need to comply with regulation, a response to a recent data breach incident in the organization, a sense of responsibility to protect the information asset, public efforts regarding security breaches and, finally, the desire to protect the company’s good reputation. It is vital that a company seeks to be responsible and implements these measures out of a sense of responsibility to protect its assets.
Once a risk is identified, the data protection plan should include sections with steps outlining how to mitigate the risk. In order to mitigate risk, organizations should implement ongoing compliance monitoring, observations by key members of the organization, automated compliance monitoring tools, risk assessments, controlled self-assessments and disaster recovery testing. Often, it is mandated by law that an organization implements disaster recovery testing on an annual or a quarterly basis.
Best Practices for Data Protection
Best practices for data protection include continuous network monitoring, strict network policies, guidelines in place, best practices training and testing. With an organizational effort to minimize risk, a company can strategically align itself to follow mandated regulations and protect its assets. In an effort to reduce data breach incidents, a company should not only implement one type of measure; it is recommended to implement several layers of protection in case one fails.
Adding multiple layers of protection is a great way to prevent intrusions and data breaches, but another way to protect the data is to develop and implement technology features that focus specifically on privileged users. Since hackers typically target the employees of a company first in an effort to breach the organization, it is imperative that privileged users such as the CEO of an organization have restricted access to important documentation and files, and encrypted outbound communications.
Another practice to protect data is to have automated security policies that would detect and notify users such as network administrators of end-user misuse of information. If for example the CEO of a company, who has the most secure outbound communication connection in the company in order to prevent phishing attacks, accidentally transmits information about trade secrets and upcoming products, the security policy in place would prevent the transmission from reaching its target.
Disaster Recovery Policies and Implementations
Disaster recovery policies are simply guidelines an organization shall have in place to meet mandated regulations set by governing agencies in case of a disaster.
Highly regulated industries such as financial services, pharmaceuticals, and banking are some of the top industries that are required to have disaster recovery plans in place.
A disaster recovery plan consists of guidelines, practices and a detailed analysis of the organization’s place in the event of a disaster. This shows how the organization is protected and what measures the organization needs to take in case of a disaster. For example, an organization may protect all of its data with offsite backups. In the event of a disaster, it would be able to recover the data to other systems because the data is offsite. It would demonstrate effectiveness by testing the policies.
It is vital that an organization protects its most important assets and continuously implements the latest policies. Organizations that do not stay up to date on their most important policies, such as data protection and disaster policies, are typically the ones that are often hacked.
When setting up the Information Technology security for an organization, firewalls are an essential part of keeping the workplace secure. Without a firewall, the workplace will be vulnerable to hackers and viruses when using the internet. Setting up a firewall is usually the first step taken when making sure an organization’s network is secure and safe to use.
A firewall is a security device for an organization’s network that controls what and who is able to access the network at any given time. All traffic that flows into the organization’s network from an outside source must go through the firewall to make sure the information that is being accessed is not in danger. The way the firewall determines whether something is a threat or not is based on the firewall policy that was set up by the information security department. The firewall will screen the request, check the domain name and IP address, and check to see if the information is coming from a pre-determined acceptable location. If the firewall determines that the data coming through is not acceptable, the user can still override the firewall to allow the traffic to come through if they feel it is safe. The firewall policy can be updated to add locations that are deemed safe, and subtract locations that are unsecure. Firewalls also allow users to access the network from an outside location if they provide the correct credentials such as a username and password.
Firewalls can come in the form of both hardware and software. Hardware firewalls are installed as an external component between the organization’s computer network and the internet provider. These firewall devices are installed on routers to make it easy for the user, as routers are used frequently when multiple users need access. Software firewalls usually come installed on the operating system that runs the servers within an organization or that runs on the computers that the users use, and they are useful in adding an extra layer of protection.
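The screening step described above, where the source IP address and domain name are checked against pre-determined acceptable locations that the policy can add or subtract, can be modelled in a few lines. This Python sketch is an added example, not part of the original paper and not any product's configuration; the class and method names are hypothetical, the addresses come from documentation ranges, and the source domain is assumed to have been verified before it reaches the check.

```python
import ipaddress

class FirewallPolicy:
    """Default-deny allow-list of source networks and domains."""

    def __init__(self):
        self.networks = set()
        self.domains = set()

    @staticmethod
    def _parse(location):
        # An entry is either an IP network ("203.0.113.0/24") or a domain name.
        try:
            return ipaddress.ip_network(location, strict=False)
        except ValueError:
            return location.lower().rstrip(".")

    def add_location(self, location):
        item = self._parse(location)
        target = self.domains if isinstance(item, str) else self.networks
        target.add(item)

    def remove_location(self, location):
        item = self._parse(location)
        self.domains.discard(item)
        self.networks.discard(item)

    def screen(self, source_ip, source_domain=None):
        """Return "allow" or "deny" for one inbound request."""
        addr = ipaddress.ip_address(source_ip)
        if any(addr in net for net in self.networks):
            return "allow"
        if source_domain:
            name = source_domain.lower().rstrip(".")
            # Match on a label boundary so "evilpartner.example" does not
            # pass as a subdomain of "partner.example".
            if any(name == d or name.endswith("." + d) for d in self.domains):
                return "allow"
        return "deny"  # anything not explicitly listed is refused
```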
Next Generation Firewalls
As technology has improved over the years, the ability of malicious users to find ways around firewalls has also improved. As a result, there has been a need for firewalls to increase their capabilities, and this need has been met with next-generation firewalls. Viruses have found ways to bypass traditional firewalls that check ports such as http and https. These viruses would access the network by using other types of web applications that go undetected by firewalls. Next-generation firewalls combine the capabilities of the classic firewall with the ability to allow and block certain applications from accessing the network of an organization. These next-generation firewalls can detect what type of application is accessing the network, and monitor these applications to see how they act. For example, firewalls can now tell the difference between a basic website such as “yellowpages.com” and an application such as Skype. If the application is acting differently than it should be when compared to the baseline, these firewalls detect that there is a problem. Instead of monitoring IP addresses and ports like classic firewalls do, next-generation firewalls focus on specific applications, while still monitoring ports.
It all sounds great in theory, but what are some next-generation security features that make the next-generation firewalls better? While there are many similarities between the old and the new firewalls, the next-gen firewalls include features like the Integrated Intrusion Prevention System (IPS), Data Loss Prevention (DLP), Dual-stack IPv4 and IPv6 Support and Integrated Secure Wireless Controller. Companies must have these features whenever they are looking to implement a new firewall because they will keep their network and organization more secure.
Without installing a firewall, your network will be susceptible to all types of threats traveling around the internet. Hackers would be able to access important information about your organization, and viruses and worms would cause damage to your organization’s IT network and hardware infrastructure.