Will Your IT Security Keep You Well Protected?
We live in a world of technology. We use it in every aspect of our work and our life. And while we are not all IT experts, it is important to know how to protect yourself, your church, your school or your nonprofit. So Beacon has put together some information you can use to understand how to protect yourself and what questions you need to ask your IT professional to ensure that protection.
One of the most crucial safety measures is to create a team that has a clearly defined leader who is responsible for enforcing security policies. In addition, all employees should be made aware of precisely how critical it is to maintain information security and learn how to strengthen that security.
At Beacon, we recommend to our clients that they meet with an IT specialist to make sure that IT Security Policies have been properly put into place. In discussing things, it’s important to ask questions and have your process explained so that you have a rough idea of how things might work. A few important actions you can take for effective IT Security include:
- Firewall protection. Firewalls filter Internet traffic that can access the network and also manage outbound Internet traffic. This prevents unauthorized access of the network and also controls which websites can be accessed from the network. They can also be configured in such a way that specifically filters traffic according to certain defined factors. In essence, firewalls are a first line of defense against potential external threats.
- Antivirus protection. It’s important to install antivirus software on all computers and servers on a network and to run frequent updates on virus definitions. This will protect computers and equipment against threats that might have penetrated the firewall or have been introduced through some other means.
- Password security. Create passwords to protect wireless networks that are complex and are changed at least every 90 days. This is crucial for individual users as well as for the entire wireless network. Employees should be well educated in the importance of these passwords and ensuring that systems are properly shut down, as well as maintaining the security of these passwords and encrypting data that is being transmitted or stored electronically.
- Wireless networks. Use of non-secure Wi-Fi networks should be prohibited, as these networks create a significant point of vulnerability for any sensitive data being viewed or transmitted.
- Data encryption. Email messages and drives should be encrypted using the Advanced Encryption Standard. This will ensure that data is properly secured in the event that the device on which it is stored has been stolen or tampered with.
- OS and software updates. Security updates and patches should be installed immediately onto all network computers and laptops. Updates and patches identify security vulnerabilities and repair errors, which will greatly reduce the risk of a breach.
- Unified Threat Management tools. A UTM encompasses multiple tools used to prevent a multitude of common security threats and typically includes such features as a firewall, antivirus protection, anti-spam capabilities, and content filtering. A UTM is also greatly beneficial in that it is simple to manage and install.
- Data backup. Incremental data backups should be conducted on a regular basis, and all backup files should be stored in a location alternate to the original files. Full data backups should be performed periodically, as well; and document backup recovery procedures should be implemented. In the event of a cyber incident, access to the original, uncorrupted files created by a backup become invaluable. Backup files should be stored in a safe, secure location that is away from the original files. Should complete system failure occur, backup servers should be available to ensure that business can proceed without interruption.
- Data retention. Electronic files that are covered by the retention policy should be classified and given clearly defined timelines for storage. Old files should be destroyed periodically using clear procedures to ensure that sensitive and classified information is not compromised.
- Vendor/contractor management. The security practices of the vendors and contractors holding data should be reviewed, and contracts should be negotiated to establish terms of liability in the event of a breach. Though using off-site storage data can often be necessary, these third parties are also at risk of a breach, which could further endanger you to being held liable if your information has been compromised. By establishing a contract, you can clearly define them as the liable party if such circumstances should arise.
- Human resource management. Train employees and enforce end-user computer policies for them to follow. Limit employee access to data and systems, as well, and monitor employees when they are on the network. Further, establish rules for the use of mobile and personal electronic devices; and when an employee leaves the company, conduct exit interviews. By taking such steps directly with your employees, you are ensuring that security procedures are well defined from day one and that they know the penalties involved in putting security at risk. When an employee leaves, disable their accounts, recover company data files, and change all passwords for shared accounts.
- Log files. Log files are beneficial in determining when a cybercriminal had access to your network and what they might have seen or done in the event of a breach. Log files should be kept on all servers and routinely checked to ensure that data is properly being recorded.