People are the number one direct target for hackers — primarily because they make it really easy and are the path of least resistance. Unfortunately, they also tend to be the most difficult impediment when it comes to enforcing critical security policies. It’s one thing to implement policies and procedures, but training, adoption and long-term enforcement are frequently a challenge because they require widespread behavioral change and a concerted effort to stay mindful of the new policies. To put it mildly, it is a steep uphill battle. But, as with most challenges, choose your battles wisely, because you simply won’t win them all. Below are the top five most critical security policies worth fighting to enforce.
Require a Password Manager
The average person simply cannot remember enough strong, unique passwords for all the sites that require a login. Most people compensate by creating weak passwords, reusing the same password across multiple sites, or storing passwords in a document. Stolen, reused, and weak passwords remain a leading cause of security breaches. A password manager will automatically generate long, random, unique passwords and store them encrypted, which keeps you safer than anything you could manage on your own.
Require Multi-Factor Authentication (MFA)
Traditional username-and-password logins are too easily hacked or accessed by impostors. It takes just seconds for credential-stuffing software to test thousands of stolen sign-in credentials against popular online sites. If a username and password pair is reused, it’s extremely likely to unlock other accounts. And, to make it even easier, there is already at least one known collection of 1.4 billion plain-text passwords circulating online. Since passwords alone are no longer good enough to protect your data, the additional security layer provided by MFA is imperative.
Require Employees to Use a Virtual Private Network (VPN) on ANY Public or Unsecured Network
Public and unsecured networks are easily hacked because they are not password protected and lack basic security measures. When users connect to unsecured WiFi, there is a high risk of exposing personal or sensitive data as it passes over the network’s unencrypted connections, which makes intercepting and stealing data quick and easy. If you have to be online to view or send business information, always use a trusted VPN to create an encrypted tunnel and secure your sessions.
Establish Layered Security Permissions for Different Levels of Access
People with access to multiple internal systems are targeted in phishing attacks because they often hold privileged access to critical systems, which could let an attacker reach an administrator machine. Empower the security team or network administrator to define different authorization levels. For instance, registered users may be able to access the few pages that pertain to them but not the wider network or more sensitive information. This may not stop the most determined attackers, but it will at least raise the bar for entry.
Implement DNS and Full-Path URL Filtering Technologies
In addition to your anti-virus, spam filters, and other network protections, DNS and full-path URL filtering technologies are managed security features designed to keep you and the rest of your company safe from all manner of online threats. Further, as the threat landscape evolves and single-use URLs become more prevalent in phishing and other malicious attacks, an in-line detection solution that inspects each URL at the moment it is requested may be the only method that provides maximum user protection through zero-second detection.
Today’s Tip: If you aren’t actively enforcing the most critical security policies you have in place, you are throwing away your investments and putting your organization at risk of a data breach.