Arm your organization with an effective cybersecurity posture

An Information Security Policy is a crucial layer of security defense


Cybersecurity is a hot topic these days. If we’re not being bombarded with news of government cyber-espionage, we’re getting constant updates on the latest and greatest data breaches in the private sector. There’s no escaping it – it’s real, it’s happening and, unfortunately, there’s no single “silver bullet” that’s going to stop the hackers from trying to access your company’s network.

If your business stores Personally Identifiable Information (PII) on your network – which is likely – it’s crucial to have a “layered approach” to network security. By way of example, let’s discuss a few of those layers:

Email Encryption: Given the free flow of information in business these days, there are times when email encryption is not only desirable – it’s required. The reality is that unencrypted emails travel as “clear text” across the internet – available for the perusal of any prying eyes that are interested. Utilizing email encryption not only secures your message and data but helps compliance with regulatory and state privacy laws.

Spam Filtering: Cybercriminals utilize email to deliver targeted phishing (or “spear-phishing”) attacks intended to deceive your employees into sharing login credentials, or alternatively to deploy malware or ransomware to your network. By utilizing a cloud-delivered spam filter, many of these deceptive emails are captured and quarantined in the cloud before ever reaching your email server.

User Training: A crucial (and often overlooked) layer of security is end-user training. Many times, your employees are the weakest link when it comes to organizational IT security. Regular and repeated security awareness training provides education and simulated phishing attacks, then measures your teams’ response – helping to specifically identify those employees who need more training to prevent unwanted outcomes.

Patching: Ensuring that your network receives critical security patches on a regular and timely basis is a crucial layer in a multi-layered defense approach against cyberattacks. A recent real-life example, known as “WannaCry,” struck computer networks all over the world. Organizations compromised by the attack were impacted because their workstations were improperly patched or neglected completely. For this attack to succeed, three defensive layers had to fail:

  1. The phishing email had to outsmart the spam filter (1st layer).
  2. The end-user had to be fooled into clicking on the link in the email (2nd layer).
  3. The workstation needed to be unpatched (3rd layer).

Clearly, around the globe, there were many organizations that fell victim to WannaCry. However, there were many others who were protected – maybe because their spam filter stopped the incoming emails, maybe because their users were trained to spot the signs of a phishing attack, or maybe because their workstations were patched properly. In any case, WannaCry was a textbook example of how and why “layers” of security are effective (or ineffective, if not implemented).

There are many other layers of security worth discussing – anti-virus, event-correlation, encrypted off-site backups, just to name a few – but there’s one layer in particular that is often neglected.

The “p” word

You guessed it: policy. The very word conjures up images of thick, dusty binders, long-neglected and irrelevant. 

An Information Security Policy is a crucial layer of security defense. It’s the foundation: where your organization lays out the standards for protecting data, establishes job-relevant security levels within your organization and sets the company path for compliance. In short, it answers the question: how does your company protect your customer and employee data from prying eyes?

A subset of the Information Security Policy is the Acceptable Use Agreement (AUA). If the Information Security Policy outlines the company’s requirements, the AUA details the employee’s requirements. It’s up to your company to set rules for your employees, and then to enforce them – up to and including termination in some cases. That might seem severe – but your business’s reputation is at risk every day, and employee compliance is a crucial layer of security.

Maintaining a layered approach to security is the best way to secure your network and data. Your Information Security Policy is one crucial layer – the one that establishes physical, technical and administrative security standards for your organization. If those standards seem too dusty, it might be time to take a fresh look.

Adam Victor, director of professional services for Systems Engineering, has over 25 years of experience with network security, application development and IT leadership challenges. He can be reached at 603-226-0300 or through syseng.com.
