Nine Security Best Practices You Should Enforce
-
Implement Inbound E-mail Authentication Checks
All businesses should implement Sender Policy Framework, DomainKeys Identified Mail and Domain-based Message Authentication, Reporting and Conformance to maximize protection against these threats to customers and employees. These actions allow ISPs and internal networks to detect and block fraudulent e-mail. -
Upgrade to Extended Validation SSL
Upgrade to EVSSL for all commerce and banking applications. This gives users more confidence that the site owner is really who he says he is. -
Review All Password Management Policies
Take stock of your password management policies, including enabling support of two-factor authentication. Every 90 days, change passwords on all business clients and servers. -
Be Strict About Passwords
Passwords should contain long passphrases including a combination of upper and lowercase alphabetic characters, symbols, and numbers. Do not permit dictionary words. -
Protect Data and Disks With Encryption
Encrypt all sensitive data, including e-mail lists, using hashed passwords. The OTA guide includes a detailed appendix with encryption resources for a range of devices. -
Encrypt Communication With Wireless Devices
Communication with wireless devices, such as routers, point-of-sale terminals and credit card devices, should be encrypted. Keep guest network access on separate servers and access devices with strong encryption, such as WPA 2 or IPSec VPN. -
Harden Client Devices
Protect client devices by default disabling shared folders and protecting multilayered firewalls, including both PC-based personal and WAN-based hardware firewalls. -
Automate Patch Management
Enable automatic patch management for operating systems, mobile apps, web applications and add-ons. -
Implement a Mobile Device Plan and Policy
Your mobile device management program should include taking inventory of all employee personal devices used in the workplace. Install mandatory remote device wiping tools and procedures in case a device gets lost or stolen.
Eighty-nine percent of security breaches and data loss incidents could have been prevented last year, according to the Online Trust Alliance's (OTA's) "2014 Data and Breach Protection Readiness Guide." In the interest of helping enterprises protect themselves, their data and their customers, the OTA has been publishing guidelines since 2009. "Viewing breaches as a 'technical issue' is a recipe for failure," the report said. "Instead, [businesses] need to recognize that every department within an organization needs to play a part in readiness planning." This year's guide includes a discussion of a breach's impact on a business, contractual obligations to customers, how cybercriminals target unsuspecting organizations, and the resulting business disruption and loss. The report also includes information on data governance and loss prevention, incident response planning, and international security considerations. For a copy of the guide, click here.