10 basic rules for solid IT protection
IT security is a multi-layered, overall concept comprising both technological measures for fending off cyber threats and organisational measures aimed at people and processes. The following ten rules are intended to help you protect your IT and your data, at work as well as at home.
1. Passwords
Use long, unique passwords. Length matters more than forced complexity: current guidance (for example NIST SP 800-63B) favours long passphrases over short passwords with mandatory special characters, and advises against forced periodic changes, which mostly produce predictable variations. Aim for at least twelve characters, longer where the system allows, and change a password when you suspect it has been exposed rather than on a fixed schedule. A password manager such as KeePass generates and stores complex passwords in an encrypted database protected by one strong master password and can fill them in automatically when you log on to websites. Never reuse a password across applications: one breached service must not unlock the others.
2. Updates and patches
Install security updates immediately upon availability, in particular for operating systems, browsers, email clients and Office applications. Turn on automatic updates wherever the software offers them, and keep an inventory of installed software so that no forgotten component stays unpatched.
3. Administration of access rights
Set up functional, effective management of access rights to data, to sensitive areas of your data centre and for guest users of your company network. Grant rights restrictively on the basis of job profiles (least privilege): allow access only to the data a role genuinely requires. Be extremely sparing with universal rights, and that includes developers and administrators. Limit these groups to a few transparently documented, verifiable roles; administrator rights, for example, can be split into separate roles for user administration, authorisation administration and so on, so that no single person controls the whole chain. Where such a concentration of rights cannot be avoided, introduce dual control (the four-eyes principle), so that a sensitive action needs a second person's approval. Review assignments regularly and remove rights when people change roles or leave.
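The three ideas in rule 3 (least-privilege roles, separation of duties, dual control) are easiest to see as code. The following is an added example written for this page, not code from the original article or from any product; the roles, permissions, conflict pairs and user names are constructed for illustration.

```python
"""Role-based access control with least privilege, separation of duties and
dual control, as a runnable illustration of rule 3.
Added example: the roles, permissions, conflicts and users below are
constructed for this page and do not describe any real system."""
from dataclasses import dataclass, field


# Few, documented roles; each carries only the permissions its job profile needs.
ROLES = {
    "user-admin":    {"user:create", "user:disable"},
    "authz-admin":   {"role:assign", "role:revoke"},
    "developer":     {"code:read", "code:write", "deploy:staging"},
    "prod-operator": {"deploy:production", "logs:read"},
}

# Separation of duties: role pairs no single person may hold, because together
# they would let one individual act without oversight (create an account and
# then grant it rights; write code and then push it to production).
SOD_CONFLICTS = {
    frozenset({"user-admin", "authz-admin"}),
    frozenset({"developer", "prod-operator"}),
}

# Dual control (four-eyes): actions that need a second, different person who
# is entitled to the same action.
DUAL_CONTROL = {"deploy:production", "role:assign"}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

    def permissions(self):
        perms = set()
        for role in self.roles:
            perms |= ROLES[role]
        return perms


def sod_violation(user, role):
    """True if granting `role` would combine roles that must stay separate."""
    return any(role in pair and (pair - {role}) <= user.roles for pair in SOD_CONFLICTS)


def assign_role(user, role):
    """Grant a role, refusing unknown roles and SoD violations."""
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    if sod_violation(user, role):
        raise PermissionError(f"{user.name}: {role} conflicts with an existing role")
    user.roles.add(role)


def authorize(actor, action, approver=None):
    """Allow `action` only if the actor holds it and, for dual-control actions,
    a second person who also holds it has approved."""
    if action not in actor.permissions():
        return False
    if action in DUAL_CONTROL:
        if approver is None or approver.name == actor.name:
            return False
        if action not in approver.permissions():
            return False
    return True


if __name__ == "__main__":
    bob, carol = User("bob"), User("carol")
    assign_role(bob, "prod-operator")
    assign_role(carol, "prod-operator")
    print(authorize(bob, "deploy:production"))                  # False: needs approver
    print(authorize(bob, "deploy:production", approver=carol))  # True
```

The point of the `approver.name == actor.name` check is that dual control is only real when the second pair of eyes belongs to a different person; an approver who lacks the permission is rejected as well, because otherwise any colleague could rubber-stamp a production change.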
4. Two-factor authentication
Require two-factor authentication, or stronger, for access to company databases and applications, and extend it to the mobile devices your employees use. Manage those devices through a central MDM (Mobile Device Management) system so that you can enforce screen locks, device encryption and remote wipe.
5. Firewalls and DMZ
Place every PC with Internet access behind a firewall, either a personal firewall on the workstation or a central firewall on the network or DSL router, and preferably both.
Organisations that expose their own services to the Internet should use a DMZ (Demilitarised Zone): a separate network segment, bounded by one or more firewalls, that sits between the untrusted WAN (Internet) and the internal LAN (Intranet). Services that must be reachable from outside, such as email or web servers, are placed in the DMZ. Traffic from the Internet may reach only those services on the ports they need, and the DMZ hosts themselves are not allowed to open connections into the internal network, so that a compromised public server does not become a springboard into the intranet. This keeps public services usable while protecting the internal network from unauthorised access.
6. Anti-virus software
Protect all of your computers with anti-virus and anti-spam software. Route Internet data (web, mail) centrally through a gateway server and scan it there, in addition to the protection on each endpoint. Because no single vendor detects every current threat, scanning layers from different vendors can be combined sequentially (for example one product on the gateway and another on the endpoint) to improve coverage.
Update your anti-virus signatures at least daily, preferably automatically and more often than that.
7. Intrusion detection
Collect the logs of all networked devices centrally in a SIEM (Security Information and Event Management) system and define rules that flag anomalies, such as repeated failed logins from one source or connections to unusual destinations. Apply "security by design" so that systems emit the events you will later need. Products currently on the market also analyse network traffic for known malware and use machine-learning models to flag unusual behaviour that may indicate a zero-day exploit; treat such detections as leads to be investigated, not as verdicts, and tune thresholds to your environment to keep false positives manageable.
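What a SIEM rule for "repeated failed logins" actually does is worth seeing end to end. The following is an added example written for this page, not code from the original article or from any SIEM product: it parses constructed sshd-style log lines, counts failures per source address in a sliding window, and raises a second, higher-priority alert when a success follows such a burst. The thresholds are assumptions to be tuned per environment.

```python
"""A SIEM-style detection rule run over constructed auth-log lines (rule 7).
Added example: the log lines are made up for illustration in the common
syslog/sshd format; the thresholds are assumptions to be tuned per environment."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a burst of failures from one source followed by a success,
# then one ordinary typo from a legitimate user.
SAMPLE_LOG = """\
Mar  3 10:00:01 host1 sshd[2001]: Failed password for root from 203.0.113.7 port 50011 ssh2
Mar  3 10:00:03 host1 sshd[2002]: Failed password for root from 203.0.113.7 port 50012 ssh2
Mar  3 10:00:04 host1 sshd[2003]: Failed password for invalid user admin from 203.0.113.7 port 50013 ssh2
Mar  3 10:00:06 host1 sshd[2004]: Failed password for root from 203.0.113.7 port 50014 ssh2
Mar  3 10:00:07 host1 sshd[2005]: Failed password for root from 203.0.113.7 port 50015 ssh2
Mar  3 10:00:09 host1 sshd[2006]: Accepted password for root from 203.0.113.7 port 50016 ssh2
Mar  3 10:05:00 host1 sshd[2010]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar  3 10:05:30 host1 sshd[2011]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2017):
    """Return (timestamp, result, user, ip) or None for lines the rule ignores.
    Syslog timestamps carry no year, so one is supplied (assumed 2017 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(lines, threshold=5, window=timedelta(minutes=2)):
    """Two correlated rules per source IP:
    - brute_force: at least `threshold` failed logins within `window`;
    - likely_compromise: a successful login while such a burst is still in the
      window, which is the event worth waking someone up for."""
    recent_failures = defaultdict(deque)   # ip -> timestamps of failures in window
    already_flagged = set()
    alerts = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, result, user, ip = event
        q = recent_failures[ip]
        while q and ts - q[0] > window:    # slide the window forward
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in already_flagged:
                already_flagged.add(ip)
                alerts.append(("brute_force", ip, len(q)))
        elif len(q) >= threshold:
            alerts.append(("likely_compromise", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single failure from 198.51.100.4 produces nothing, which is the behaviour you want: a rule that fires on every typo trains analysts to ignore it. The "success after burst" correlation is the part a simple threshold alert misses and the one that turns an annoyance into an incident.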
8. Continuous encryption
Thorough data security requires encryption along the whole path: data must be protected in transit, at rest and, where the technology permits, while in use. For Internet traffic, TLS (Transport Layer Security) provides transport encryption; in the browser you recognise it by the letter "s" (for "secure") attached to "http", giving "https". Note that "https" only tells you that the connection is encrypted and that the server presented a valid certificate for its name; it says nothing about whether the site itself is trustworthy. VPNs (Virtual Private Networks) likewise encrypt traffic in transit, and SSH (Secure Shell) establishes an authenticated, encrypted connection between client and server. In every case the client must actually verify the server's certificate or host key: a connection that accepts any certificate is encrypted but can still be intercepted.
Data at rest is protected with encrypted containers or full-disk encryption (for example BitLocker, FileVault or LUKS); the key or passphrase then deserves the same care as a password.
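The caveat about verification is where transport encryption most often fails in practice: a script that "fixes" a certificate error by switching verification off still shows encrypted traffic on the wire. The following added example, written for this page rather than taken from the original article, puts the weak and the correct TLS client configuration side by side and adds a small audit function; it uses only the Python standard library and opens no network connection, so it runs offline.

```python
"""A weak and a correct TLS client configuration side by side, with an audit
function (rule 8). Added example: Python standard library only; the offline
demo opens no network connection."""
import socket
import ssl


def insecure_context():
    """How certificate errors are often 'fixed' in scripts: verification off.
    The traffic is still encrypted, but anyone on the path can impersonate the
    server, so the encryption protects nothing that matters."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """Verify the server certificate against the system trust store, check the
    host name, and refuse TLS 1.0 and 1.1."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit(ctx):
    """Return a list of findings for a client context; empty means acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("host name is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.0/1.1 still permitted")
    return findings


def open_verified(host, port=443, timeout=5):
    """Open a verified TLS connection and return the negotiated protocol version
    and the server certificate's subject. Not called by the offline demo below."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), dict(x[0] for x in tls.getpeercert()["subject"])


if __name__ == "__main__":
    print("insecure:", audit(insecure_context()))
    print("hardened:", audit(hardened_context()))
```

`create_default_context()` is the right starting point because it already turns on certificate and host-name verification; the only thing added is an explicit floor of TLS 1.2. Run `audit()` against any context your own code builds, and treat a non-empty result the way you would treat a plaintext connection.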
A special case: Email encryption
Email encryption is a special case. The technology market research organisation "The Radicati Group" estimates that in 2017 some 269 billion emails are sent and received daily. While email is still the predominant application in business communication, only some 16% of German companies encrypt it. Two proven standards exist: PGP (Pretty Good Privacy), whose keys are exchanged directly between correspondents and vouched for by mutual signatures (the web of trust), and S/MIME (Secure/Multipurpose Internet Mail Extensions), which relies on X.509 certificates issued by a certification authority. Both encrypt and sign the message body and attachments, but neither protects the subject line or the sender and recipient addresses, which remain readable in transit.
In case of doubt, never send highly sensitive business documents by unencrypted email; use an encrypted channel or a secure file transfer service instead.
9. Backups
Data that is structured and turned into interpretable information is the most important asset of today's businesses, so a loss of data can quickly turn into a substantial crisis. Backups and redundant data storage are therefore integral to every IT security strategy. Hard drives and mobile external storage media can fail at any time, and ransomware encrypts every copy it can reach. Back up data regularly and automatically to a physically separate location (the 3-2-1 rule: three copies, on two different media, one of them off-site), keep at least one copy offline or otherwise unreachable from the production network, and record checksums so that a corrupted or tampered copy is detected. Above all, test the restore: a backup that has never been restored is not yet a backup.
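Two of the practices in rule 9, checksums and a test restore, are easy to automate and are the ones most often skipped. The following added example, written for this page rather than taken from the original article, backs up a directory to a separate "media" directory with a hash manifest, restores it and compares every file, then corrupts one byte of the archive to show the verification catching it. It works entirely inside a temporary directory it creates itself; the sample files are constructed.

```python
"""Backup with an integrity manifest and a test restore (rule 9).
Added example: it works entirely inside a temporary directory it creates,
so nothing on the real system is touched; the sample files are constructed."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, dest_dir):
    """Archive src_dir into dest_dir and write a manifest with one hash per
    file plus a hash of the archive itself. The manifest is what lets you
    detect a corrupted or tampered backup before the day you need it."""
    src_dir, dest_dir = Path(src_dir), Path(dest_dir)
    archive = dest_dir / "backup.tar.gz"
    manifest = {"files": {}, "archive": None}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest["files"][rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    manifest["archive"] = sha256_file(archive)
    (dest_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return archive


def verify_restore(dest_dir, restore_dir):
    """Restore the archive into restore_dir and compare every file against the
    manifest. Returns (ok, problems). A backup that has never been restored
    is a hope, not a backup."""
    dest_dir, restore_dir = Path(dest_dir), Path(restore_dir)
    manifest = json.loads((dest_dir / "manifest.json").read_text())
    archive = dest_dir / "backup.tar.gz"
    if sha256_file(archive) != manifest["archive"]:
        return False, ["archive hash mismatch (corrupted or tampered)"]
    with tarfile.open(archive, "r:gz") as tar:
        # Refuse archives whose member names would escape restore_dir.
        for member in tar.getmembers():
            if Path(member.name).is_absolute() or ".." in Path(member.name).parts:
                return False, [f"unsafe path in archive: {member.name}"]
        if hasattr(tarfile, "data_filter"):      # Python 3.12+ and backports
            tar.extractall(restore_dir, filter="data")
        else:
            tar.extractall(restore_dir)
    problems = []
    for rel, digest in manifest["files"].items():
        restored = restore_dir / rel
        if not restored.is_file():
            problems.append(f"missing after restore: {rel}")
        elif sha256_file(restored) != digest:
            problems.append(f"hash mismatch after restore: {rel}")
    return not problems, problems


def demo():
    """Back up constructed sample data to a separate 'media' directory, verify a
    restore, then corrupt one byte of the archive and show the check catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, media, restore = tmp / "data", tmp / "backup_media", tmp / "restore"
        for d in (src, media, restore):
            d.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (src / "notes").mkdir()
        (src / "notes" / "todo.txt").write_text("rotate keys\n")

        archive = make_backup(src, media)
        ok, _ = verify_restore(media, restore)

        # Simulate a failing disk or a tampered copy: flip one byte.
        data = bytearray(archive.read_bytes())
        data[len(data) // 2] ^= 0xFF
        archive.write_bytes(data)
        corrupt_ok, corrupt_problems = verify_restore(media, tmp / "restore2")
        return ok, corrupt_ok, corrupt_problems


if __name__ == "__main__":
    print(demo())
```

In a real deployment the manifest is stored with the backup and also somewhere the backup media cannot overwrite it, so that a tampered archive cannot be shipped with a matching tampered manifest; the restore test is scheduled, not left to the day of the incident.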
10. Danger awareness
Considering the massive threats in today's cyber space, every business is called upon to instil danger awareness in its employees through continuing training. Teaching how cyber criminals work and which warning signs to look out for is the best protection of company value against phishing attacks that harvest passwords, PINs, TANs or credit card data, ransomware delivered by email, identity theft and CEO fraud. Complement the training with an easy way to report suspicious messages, and treat every report as welcome even when it turns out to be harmless.