[BreachExchange] 7 Simple Business Security Tips From Her Majesty's Secret Service

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 6 19:24:39 EDT 2017


https://www.entrepreneur.com/article/287391


The British Secret Service isn’t quite so secret any more.

Spymasters in London are publishing regular advice about how to bolster
security defenses against hackers and insider data breaches.

Recently, the Queen opened the new National Cyber Security Centre (NCSC) in
London, which is part of the Government Communications Headquarters (GCHQ).

Against the backdrop of international allegations of cyber-hacking and
cyber-meddling in recent elections, the new center will oversee British
efforts to prevent hackers from disrupting the national infrastructure,
from hospitals to the electricity grid.

GCHQ also publishes security advice for businesses, ranging from password
policy to ways of keeping mobile workers from compromising security while on
the move. Here are (double-"O") seven lessons businesses on both sides of the
Atlantic can learn from Her Majesty’s Secret Service:

1. “Least privilege” protocol

Ensure that employees have only the system access they need to do their
jobs. Don't grant access to sensitive systems by default to employees of
every grade; give it to the specific roles that require it, and review it.

2. Control removable media

An external device plugged into a company machine is one of the main routes
by which malware reaches a network. Limit the use of external devices such as
USB memory sticks, particularly those brought in from home by employees.

3. Secure the doors

Ensure that old systems, network devices and sites are removed and
decommissioned. Don’t allow hackers to access your network through a
forgotten entry point.

4. Start-to-finish process

Have a clear process in place for deciding what network privileges and
devices new employees can use, what happens when they change roles, and
what happens when they leave. Revoke access and recover company devices and
data as soon as workers depart. Note that this can be complex if they’ve
used personal devices in the workplace.
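The "least privilege" and "start-to-finish" points above are easiest to act on when someone regularly compares what staff are entitled to with what they have actually been granted. The script below is an added example written for this page, not code from the article, GCHQ or the NCSC. It assumes three inputs that a real organization would export from HR and its identity system: a role-to-entitlement matrix, a staff roster (with current role, previous role for people who have moved, and a left-the-company flag), and the live list of grants. All three are constructed sample data. It reports grants held by leavers, grants for accounts with no owner on the roster, grants left over from a previous role (movers), and grants beyond what the current role needs, then turns the findings into a revocation plan.

```python
"""Access reconciliation check: least privilege and joiner/mover/leaver hygiene.

Added example, not from the article or GCHQ. ROLE_ENTITLEMENTS, ROSTER and
GRANTS are constructed sample data standing in for HR and IAM exports.
"""
from dataclasses import dataclass

# Constructed role matrix: the entitlements each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "sales": {"crm-read", "email"},
    "finance": {"erp-ledger", "email", "payroll-read"},
    "sysadmin": {"email", "ad-admin", "vpn", "backup-console"},
}

# Constructed HR roster. previous_role models a mover whose old grants
# should have been removed when the role changed.
ROSTER = {
    "alice": {"role": "finance", "left": False, "previous_role": None},
    "bob":   {"role": "sales", "left": False, "previous_role": "sysadmin"},
    "carol": {"role": "sysadmin", "left": True, "previous_role": None},
    "dave":  {"role": "sales", "left": False, "previous_role": None},
}

# Constructed IAM export: the entitlements actually granted today.
GRANTS = {
    "alice": {"erp-ledger", "email", "payroll-read"},
    "bob":   {"crm-read", "email", "ad-admin", "vpn"},        # stale sysadmin grants
    "carol": {"email", "ad-admin", "vpn", "backup-console"},  # leaver, still active
    "dave":  {"crm-read", "email", "payroll-read"},           # beyond the sales role
    "erin":  {"vpn"},                                          # nobody on the roster
}


@dataclass
class Finding:
    user: str
    kind: str                 # "leaver", "orphan", "stale" or "excess"
    entitlements: frozenset   # the grants that should be revoked


def reconcile(roster, grants, role_entitlements):
    """Compare live grants against the roster and role matrix."""
    findings = []
    for user, granted in sorted(grants.items()):
        person = roster.get(user)
        if person is None:
            # Account exists but HR has no record: orphan, revoke everything.
            findings.append(Finding(user, "orphan", frozenset(granted)))
            continue
        if person["left"]:
            # Leaver whose access was never revoked: revoke everything.
            findings.append(Finding(user, "leaver", frozenset(granted)))
            continue
        allowed = role_entitlements.get(person["role"], set())
        excess = granted - allowed
        if not excess:
            continue
        # Anything in the excess that belonged to the previous role is a
        # mover's leftover; the rest is a plain least-privilege violation.
        previous = role_entitlements.get(person["previous_role"] or "", set())
        stale = excess & previous
        if stale:
            findings.append(Finding(user, "stale", frozenset(stale)))
        other = excess - stale
        if other:
            findings.append(Finding(user, "excess", frozenset(other)))
    return findings


def revocation_plan(findings):
    """Collapse findings into user -> set of entitlements to revoke."""
    plan = {}
    for f in findings:
        plan.setdefault(f.user, set()).update(f.entitlements)
    return plan


if __name__ == "__main__":
    for f in reconcile(ROSTER, GRANTS, ROLE_ENTITLEMENTS):
        print(f"{f.kind:7} {f.user:6} {sorted(f.entitlements)}")
```

Run it on the sample data and it flags bob's leftover sysadmin rights, carol's still-live account, dave's payroll access that the sales role does not need, and the ownerless "erin" account; alice produces no finding. Users missing from the roster are treated as orphans rather than silently skipped, since an account nobody owns is exactly the forgotten entry point the next tip warns about.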

5. Define "tolerable risk."

What risk is your organization willing to take to get the job done? Can you
allow your staff to use their own devices or take data files and documents
home? It might help productivity, but you need to understand all the risks
involved: devices getting lost, stolen, hacked or contaminated with malware.

6. Train.

If your staff doesn’t know the risks and legal requirements around data
security, you’re inviting trouble. Explain the issues and train staff in
the best practices you expect them to follow.

7. Observe and report.

Encourage staff to be vigilant and to report anything suspicious, such as
unusual emails or unexpected changes to the systems they use.

The truth is that much of the threat around data security starts inside a
business rather than outside, with malicious, accidental or ill-considered
actions by employees allowing confidential information to be compromised.

The best defense is deploying data loss prevention (DLP) technology, which
blocks unauthorized saving, copying, printing or emailing of sensitive
files, whether the insider's action is accidental or deliberate.

So, how does your organization stack up against these seven simple tips? Do
you follow the basic advice of Her Majesty’s Secret Service?