Best Practices - Protecting yourself

In Brief

Most companies have important or vital data (relating to manufacturing, customer base, invoicing, accounts, etc.) as well as essential or distinctive work tools that need to be protected against any unwanted disclosure (loss of confidentiality, falsification (loss of integrity) and even destruction (loss of availability).

Company managers usually only realise the true value of their assets after a serious incident occurs. It is then often too late to take curative or protective measures.

Incidents and Impacts

There are many reasons why it is important to protect your computer.

Many incidents are very difficult to detect. How can you find out that someone has stolen your passwords and has been reading the communication you have had with your suppliers, clients or employees via email? How do you know no-one is directly spying on your computer or using your documents server or your web server to host illegal files? Many incidents remain undetected and most impacts are vastly underestimated.

Choosing the Right Strategy

It is very important to introduce preventive and protective measures as early as possible. The way forward may differ between a ‘gradual’ or a ‘general’ strategy. It can be more or less methodological, going from the introduction of best practices and specific measures, all the way up to the deployment of a full ISMS. The company should choose the solution that suits it best – a solution that is ready and able to be implemented.

Quick Wins

Regardless of the strategy chosen, it is always of benefit to identify ‘quick wins’ (such as update management, encrypted wifi networks, password management, etc.) that can be set up rapidly to increase your cyber protection. These measures can guarantee immediate results and are often suitable to resolve certain urgent issues or to persuade the management of the importance of security issues.

The best way to protect a company consists of opting for continuous improvement, taking into consideration the company’s real security needs. This strategy is more time-consuming than a more general one, but at the end of the day, it will be better suited to the company’s actual needs, and will, therefore, be more effective and less expensive, but certainly longer to implement (See article protecting your company).

Risk Analysis

To be able to protect important and vital data and assets, first, they must all be identified through at least a rudimentary risk analysis.

To do this, the data and assets that are essential to the company should be identified, along with the threats and the probability that such threats may arise. The scope of human and technical vulnerabilities and quantification of the potential impacts should also be identified. This exercise can be more or less formal in nature and can be supported by a specific method or tool.

Protecting Data

Data protection is the next practical step. Once classified, consideration should be given on how to protect data through backups, during transportation or even during transmission. Measures for the secure destruction of data should also be set up.

Protecting Machines

To protect essential working tools, implement preventive and protective measures for your computers, laptops, file server/s, mail server/s and web server/s. Implement ‘incident response’ type measures.

Protecting the Network

You should also consider protecting your network, whether it is a fixed or Wi-Fi network. Implement the necessary measures.

Awareness and Training

Make sure you raise awareness and train all your employees about IT security. The adoption of proper behavioural practices by all staff is an extremely important measure. This often entails deploying greater efforts at organisational and behavioural level and also at technical level, to increase your data security most effectively.

Tell your staff about the risks linked to the use of social networks as well as the risks associated with ‘social engineering’. Teach them how to behave appropriately when on business trips.

Physical Security

Finally, do not lose sight of the physical security of your company. Many threats can exploit physical vulnerabilities, be them human, natural or environmental threats.

General Strategy

Alongside the gradual strategy to improve its level of security, a company also has the option of following ‘best practices’ or setting out more common security measures. The general strategy is quicker to implement than the gradual strategy, and it requires less expertise within the company. However, it does not necessarily take into account the real needs of the company.

Best Practices

Some best practice guides are available on the CASES website:

• e-banking and e-commerce
• email
• malicious software (malware)
• business trips

Draw up a charter for users.

Common Methods

This checklist has been drawn up by analysing the most common threats and by proposing organisational, technical or behavioural security measures to reduce existing vulnerabilities.

• Threats to infrastructure
  • Fire
  • Service interruption
  • Denial of service/distributed service
  • Disrupted transmission of wireless communications
  • Wireless network tapping
  • Interception of communications
  • Network unavailability
  • Power cut
  • Discontinuity of service providers
  • Infiltrating the premises
• Threats to hardware
  • Hardware damaged during transport
  • Failure of IT or communications equipment
  • Unusable backups
  • Addition or removal of hardware
  • Device recovery
  • Aggravated theft
• Threats to software
  • Unsuitable software environment
  • Use of unapproved software
  • Unavailability of administrators
• Legal aspects
  • Unauthorised processing of personal data – Employee monitoring
  • Invalid or non-existent licence
  • Lack of traceability of operations
  • Regulatory requirements
• Threats to people
  • Manipulation of people
  • Human error: prevention measures
  • Misuse of IT resources
  • Staff absences
  • The administrator
  • Spam / Phishing
  • Use of limited access by a third party