CASES.LU


Best Practices - Protecting yourself

In brief

Most companies have important or vital data (relating to manufacturing, customer base, invoicing, accounts, etc.) as well as essential or distinctive work tools that need to be protected against unwanted disclosure (loss of confidentiality), falsification (loss of integrity) and even destruction (loss of availability).

Company managers usually only realise the true value of their assets after a serious incident occurs. It is then often too late to take curative or protective measures.

Incidents and impacts

There are many reasons why it is important to protect your computer.

Many incidents are very difficult to detect. How can you find out that someone has stolen your passwords and has been reading the communications you have had with your suppliers, clients or employees via email? How do you know that no-one is directly spying on your computer, or is using your document server or your web server to host illegal files? Many incidents remain undetected and most impacts are vastly underestimated.

Choosing the right strategy

It is very important to introduce preventive and protective measures as early as possible. The way forward may follow either a “gradual” or a “general” strategy. It can be more or less methodical, ranging from the introduction of best practices and specific measures all the way up to the deployment of a full ISMS. The company should choose the solution that suits it best – a solution that it is ready and able to implement.

Quick wins

Regardless of the strategy chosen, it is always of benefit to identify “quick wins” (such as update management, encrypted wifi networks, password management, etc.) that can be set up rapidly. These guarantee immediate results and are often suitable to resolve certain urgent issues or to persuade the management of the importance of security issues.

The best way to protect a company consists of opting for continuous improvement, taking into consideration the company’s real security needs. This gradual strategy takes longer to implement than a general strategy, but at the end of the day it will be better suited to the company’s actual needs, and will therefore be more effective and less expensive. (See the article Protecting your company.)

Risk analysis

To be able to protect important and vital data and assets, they must first of all be identified through at least a rudimentary risk analysis.

To do this, the data and assets that are essential to the company should be identified, along with the threats to them and the probability that such threats may arise. The extent of human and technical vulnerabilities should also be identified, and the potential impacts quantified. This exercise can be more or less formal in nature, and can be supported by a specific method or tool.

Protecting data

Data protection is the next practical step. Once data has been classified, consideration should be given to how to protect it through backups, during transport or even during transmission. Measures for the secure destruction of data should also be set up.

Protecting machines

To protect essential working tools, implement preventive and protective measures for your computers, laptops, file server, mail server and web server. Also implement incident response measures so that incidents are detected and handled when they occur.

Protecting the network

You should also consider protecting your network, whether it is a fixed or wifi network. Implement the necessary measures.

Awareness and training

Make sure you raise awareness among all your employees and train them in IT security. The adoption of proper behavioural practices by all staff is an extremely important measure. This often entails greater effort at the organisational and behavioural level as well as at the technical level, but it is the most effective way to increase the security of your data.

Tell your staff about the risks linked to the use of social networks as well as the risks associated with “social engineering”. Teach them how to behave appropriately when on business trips.

Physical security

Finally, do not lose sight of the physical security of your company. Many threats can exploit physical vulnerabilities, be they human, natural or environmental threats.

General strategy

Alongside the gradual strategy for improving its level of security, a company also has the option of following “best practices” or adopting more commonplace security measures. The general strategy is quicker to implement than the gradual strategy, and requires less expertise within the company. However, it does not necessarily take into account the real needs of the company.

Best practices

Some best-practice guides are available on the CASES website:

Draw up a charter for users.

Common methods

These checklists have been drawn up by analysing the most common threats and by proposing organisational, technical or behavioural security measures in order to reduce existing vulnerabilities.
