By Stu Sjouwerman
Information security practices protect people and business assets from threats, including cybercriminals. The three key principles of confidentiality, integrity, and availability are commonly referred to as the CIA triad. Here’s a quick look at each of these principles:
- Confidentiality: When properly achieved, confidentiality prevents unauthorized access to restricted data in an organization. An organization can enforce confidentiality by implementing access controls, such as authentication, and encryption.
- Integrity: An organization needs to validate that data, while in transit or at rest, has not been modified from its original state. Digital signatures and encryption help maintain data integrity.
- Availability: Data and access to data must be highly available and resistant to single points of failure. Data backups, redundant disks, and multiple net- work connections help ensure availability.
IT professionals can use many different methods to implement the CIA triad. Each organization must evaluate methods to select what’s best for its environment.
Regular Security Policy Audits, Updates, and Remediation
As computing environments change, security measures must change, too. In a busy environment, updating security controls and documentation can be put on the backburner unintentionally. Regular security auditing is one way to get everything back on track.
An organization can work with internal departments or hire external companies that specialize in security auditing to perform the audits. It should schedule audits according to industry mandates, or at least annually. Both management and IT personnel should review the results of each audit.
Thorough audits point to security lapses, holes, and other weaknesses that can leave an SME vulnerable to attackers. An organization should fix any problems uncovered during an audit—to the extent that its budget allows. The organization may need to spring for technology updates, or it might be able to get away with just changing how employees use the existing assets.
After completing audits, an organization should review its security policies. It should update anything that’s out of date or obsolete. Some SMEs must comply with federal or state regulations, so keeping security policies up to date may help avoid penalties as well as security breaches.
Using Security Technology
The main purpose of security technology is to protect an entity against attackers and cybercriminals. Cybercrime offers monetary benefits, and frequent attacks against a network and its data are therefore common. The right mix of security technologies and methods can reduce your exposure.
Client-Side and Server-Side Security Considerations
Say that a user decides her locally installed firewall software is a nuisance, so she disables it. Because her computer is connected to the company network, which is protected by a network firewall, she believes nothing can go wrong with her system. Has she made an incorrect presumption? Does her action present a problem to other users and systems on the network? The short answer to both questions is yes.
One insecure computer in an environment may not seem like a big deal. But imagine if that computer became infected with a virus or a Trojan and then connected to the network. There is now the potential for a larger-scale security breach.
All clients (which may be workstations or mobile devices) and servers must be well protected. Antivirus software is needed with this strategy, as are firewalls and popup blockers. However, antivirus catches less and less these days. As another measure, lock down workstations and servers by disabling unnecessary services and protocols. If an attacker launches an attack using a service or protocol that isn’t installed, the system is protected.
Tightly controlled authentication services, server-specific rights and permissions like those associated with NTFS or Windows Active Directory are also key. Administration of these components can often be centrally controlled, especially in larger SMEs; smaller organizations may prefer local system administration.
Stu Sjouwerman, founder and CEO of KnowBe4. KnowBe4 hosts the world’s most popular integrated Security Awareness Training and Simulated Phishing platform. Realizing that the human element of security was being seriously neglected, Sjouwerman teamed with Kevin Mitnick, the world’s most famous hacker, to help organizations manage the problem of cybercrime social engineering tactics through new school security awareness training. Sjouwerman is the author of four books, with his latest being Cyberheist: The Biggest Financial Threat Facing American Businesses. @KnowBe4