Is your IT security team cutting corners? Hopefully not, but it’s not uncommon for IT security teams to ignore certain protocols and standards to get jobs done. In some situations, IT security isn’t even called in until a project is nearly complete, which happens frequently in software development.
There are specific security standards for cloud computing, data storage, networking, and more. These standards have been meticulously created to provide best practices that standardize security. However, project deadlines and pressure from clients can influence security teams to push these standards aside.
The rush to get projects completed is bad news for security. However, there’s one particular, often-skipped element that renders even the most secure projects insecure: a non-existent IT security policy.
If your organization doesn’t have an IT security policy, you’re at high risk
Does your company have a written IT security policy that governs how employees and contractors may access the company network, online accounts, and otherwise conduct business regardless of their location? If not, you need this kind of policy ASAP. Without one, your company is at high risk.
Q: When is a secure network not a secure network?
A: When an unauthorized party obtains valid login credentials, or an authorized party fails to follow secure protocols.
A secure piece of software or a secure network is only as secure as the habits of the people with access to it. You could secure your company’s network like Fort Knox, and your cyber fortress would still be breached easily the moment a cybercriminal obtains a valid username and password. This can happen in a number of ways.
Having a strong IT security policy for your company can prevent many potentially threatening situations. For example, implementing and enforcing the following requirements will greatly increase the strength of your security posture:
- Ban BYOD policies. By not allowing employees to use their own devices for work, you’re cutting off a host of potential threats. It’s worth considering providing employees with work-only laptops that have built-in GPS and installed software that tracks how the device is used.
- Require third-party software developers to incorporate DevSecOps into their development cycles. DevSecOps includes security in the development process from the beginning and throughout the entire project. Too many pieces of software are launched with security being an afterthought, and end up having a high number of vulnerabilities.
- Prohibit the use of public unsecured Wi-Fi. While your employees can use a VPN to encrypt their traffic on a public network, it’s not worth the risk. VPNs aren’t as secure as believed, and what happens when an employee forgets to sign in to the VPN? What if the internet goes down, but they’re still connected to a compromised local network? What if they log into a fake network and end up downloading a keystroke logger? It’s safer to ban the use of public Wi-Fi entirely.
- Prohibit sharing login credentials. Login credentials should never be shared. Say you terminate an employee at 10:00 a.m. on a Monday and lock them out of their company accounts. The minute they leave the office, they might call a co-worker asking to use that co-worker’s login information. If the team doesn’t know that person has been terminated, someone might share their login credentials thinking they’re helping. In reality, that terminated employee might wipe out the company’s website.
Without IT security audits, your network is open to attack
Another important aspect of a strong IT security policy is conducting regular audits. Make sure your security team audits regularly, both to review the documented procedures and to assess how well those procedures are working in practice.
Cyberthreats are constantly rising
There seems to be no end to the increase in number and frequency of cyberattacks. We’ve all gotten used to hearing about millions and billions of records being stolen. It’s almost expected at this point.
For perspective, in 2005, there were 157 reported data breaches in the United States. In 2020, there were 1,001 reported data breaches in the U.S. Actual numbers are higher since many incidents go unreported.
A more recent cyberattack made headlines when ransomware took Channel 9 offline in Sydney, Australia. If you search for news articles about data breaches and cyberattacks, you’ll find more incidents than you can read about. Don’t let your organization be the next one in the news.
To strengthen your security posture, hire a certified security professional
At the very least, hire a certified security professional to oversee all IT security operations and to create and enforce your IT security policy. It’s the only way you’ll know you’ve done enough to keep your company’s data secure.