Your IT Security isn't your IT Budget
IT security isn’t something you can just buy in a store. It’s not a product or a person, it’s a process. There’s a lot you could be doing to improve your IT security without spending a fortune. Not having a budget can excuse you from hiring that security consultant who charges an arm and a leg, but training your users on IT security best practices and establishing an incident response plan only costs you time. In fact, there are so many ways you can improve your IT security without breaking your budget that we’d like to provide you with a list of our favourites.
1. Implement Strong Password Policies
If you have a documented security policy in place that specifies password length and complexity, why not enforce those requirements through Windows Group Policy? If you haven't yet defined such a policy, it should, at a minimum, require that passwords be at least 8 characters long and contain letters, numbers and symbols. Another good idea is to ensure that the password expiration time is set to 42 days at most, forcing your users’ passwords to be changed on a regular basis.
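As an added illustration (not from the original post), this PowerShell script audits the default domain password policy against the minimums stated above and can apply them. It assumes the ActiveDirectory module from RSAT and an account allowed to read and change the Default Domain Policy.

```powershell
# Added example: check the domain-wide password policy against the post's
# recommended minimums (8 characters, complexity on, expiry within 42 days)
# and optionally apply them. Assumes RSAT's ActiveDirectory module and
# rights to modify the Default Domain Policy.
param([switch]$Apply)

Import-Module ActiveDirectory

$Required = @{
    MinPasswordLength = 8
    ComplexityEnabled = $true
    MaxPasswordAge    = New-TimeSpan -Days 42
}

# Read the policy that applies to every domain account.
$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = @()

if ($policy.MinPasswordLength -lt $Required.MinPasswordLength) {
    $findings += "MinPasswordLength is $($policy.MinPasswordLength); need at least $($Required.MinPasswordLength)"
}
if (-not $policy.ComplexityEnabled) {
    $findings += "ComplexityEnabled is off; letters, numbers and symbols are not enforced"
}
# A MaxPasswordAge of zero means passwords never expire, which also fails the check.
if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero -or $policy.MaxPasswordAge -gt $Required.MaxPasswordAge) {
    $findings += "MaxPasswordAge is $($policy.MaxPasswordAge.Days) days; need between 1 and $($Required.MaxPasswordAge.Days)"
}

if ($findings.Count -eq 0) {
    Write-Output "Default domain password policy meets the stated minimums."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    if ($Apply) {
        # Write the corrected values back to the domain-wide policy.
        $policy | Set-ADDefaultDomainPasswordPolicy `
            -MinPasswordLength $Required.MinPasswordLength `
            -ComplexityEnabled $Required.ComplexityEnabled `
            -MaxPasswordAge    $Required.MaxPasswordAge
        Write-Output "Policy updated; confirm with Get-ADDefaultDomainPasswordPolicy."
    }
}
```

Run it without `-Apply` first to see which settings fall short; only the `-Apply` branch changes the domain.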
2. Update Your Existing Software
Windows updates, Apple updates, antimalware updates, Java updates… everything needs updates. You already have functional systems in place, so why not take the time to test and ensure that every system is entirely up to date? Not only will this improve the security of your endpoints, it may also improve productivity. Some patches are performance fixes dedicated to improving functionality; not every patch addresses a vulnerability.
3. Manage User Access
The way you approach user access on your network needs to be firmly rooted in the principle of least privilege. Each and every account on your network should have the least amount of privilege necessary for its owner to accomplish their daily tasks. This can take some time to establish, but with the judicious use of group policies and file access control you can automate most of the process.
4. Incident Response Plans
When you discover a breach in your network’s security, the first few steps you take can make a huge difference in how everything turns out. If you establish an action plan beforehand, your response will be predetermined, thus reducing the risk of things going awry. The best way to plan for this is to start with a strong guideline and build from there. One great resource is the SANS institute’s “Incident Handler’s Handbook”, which can guide you through the creation of your own incident response plan.
5. Growth Accommodation Plans
If your business is growing, then your needs are changing. It may be feasible for you to manually manage system updates for a business of 10 people, but what about when you hit 100 employees? If left to the last minute, your IT security may take a hit when your current methods become incapable of keeping up with the ever-increasing workload. Planning ahead by investing in scalable systems/infrastructure, and setting increasing security “goals” as your business grows will help keep you secure. Look to industry leaders larger than yourself, and ask what they have in place. From there, you can figure out what degree of security you need at any point to keep up with or surpass their security. You can then set goals to ensure that when your business reaches their size you will already have the security measures you will need in place.
6. End User Security Training
A good way to approach this is by using examples of IT security issues that have recently received media coverage. People remember large events, like when Sony was hacked, so you could work that into a lesson about using a separate, secure password for each site. For every interesting lead-in to a lesson, there still needs to be a foundational message for your users to learn. While those messages can seem limitless, I find that referring to a guide is useful when you’re trying to plan lessons. Information Security Today published an article in 2005 that serves as an effective guide to implementing any successful information security awareness program. The IT landscape may have changed significantly in the last decade, but the teaching methodologies presented are just as true now as they were then.
7. Staying Apprised of Security Threats
How can you secure your network to standards you’re unaware of? How can you defend yourself against threats that you don’t even know exist? Keeping your IT staff up to date on industry trends is a great way to do this. Not only does it improve your IT security, it also improves your awareness of IT security trends. One great way to do this with style is by setting up a Digg account and following a number of websites, blogs, and feeds that get current info on what’s happening in the world of IT security.