[BreachExchange] Practical Policies That Help Increase Corporate Security

Destry Winant destry at riskbasedsecurity.com
Mon Dec 3 10:36:51 EST 2018


https://hackercombat.com/practical-policies-that-help-increase-corporate-security/

Companies today have largely accepted that technology is here to stay,
and not embracing it is not on the table. The white flag has been
raised, even by the strictest IT teams and the policies they impose on
workers using company-supplied PC workstations, phones, and other IT
equipment. The BYOD phenomenon further exacerbates this massive
change, as employees willingly use their personal computing devices
for their jobs. Even without formal acceptance by the employer, BYOD
is inevitably being practiced in an unwritten, unofficial form across
the board and across industries. Wherever there are employees, there
is some form of Bring Your Own Device.

The years before the smartphone era (2006 and earlier) were heavily
shaped by strict user account control. Internet filtering was the
standard policy for any company whose employees needed an Internet
connection at all. With the emergence of smartphones and tablets,
everyone can connect to the Internet on their own mobile devices, and
with that goes the effectiveness of filtering non-work-related sites
in the workplace.

This new-found “freedom of navigation” for the common employee opens
up a major security nightmare for anyone working on an IT team,
regardless of whether they are employed internally by the company or
are third-party contractors tasked with handling IT services,
maintenance, and upgrades. For a common employee, IT downtime means a
relaxed break while waiting for the systems to come back online. For
an IT staff member it is exactly the opposite: IT downtime means
working weekends, holidays, or beyond the normal shift just to restore
normal IT services.

The key to risk management is knowing the typical behavior of the
company’s internal users of IT devices. This is achieved through an
acceptable set of policies, one of which is requiring device
encryption before a device is granted access to a company service such
as the corporate Wi-Fi or an application like OWA (Outlook Web App).
Companies need to realize that money is not their lifeblood, but
rather a byproduct of a job well done for their customers. The real
lifeblood of any company is its assets, a large chunk of which is
human capital.

Mutual trust between employees and those who regulate, maintain, and
upgrade the IT systems will make a great deal of difference from a
cybersecurity standpoint. Companies should start with encryption: no
encryption, no access. This increases the privacy and security of
data, especially if laptops, smartphones, and tablets storing customer
information are lost; the data stored on them will not be readable by
other people.

A combination of customer education and penetration testing is also
among the top considerations for any company that wants to survive in
today’s world. The formula is trust + encryption + regular updates for
software, operating systems, and firmware (for routers and switches).
End users should exercise healthy restraint, because, whether we like
it or not, employees are the front line of corporate security.
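As an added illustration of the article's "no encryption, no access" rule combined with its call for regular updates (example code written for this post, not from the article or hackercombat), here is a small Python posture gate that decides whether a device may reach corporate Wi-Fi or OWA. The OS baselines, the 30-day update window, and the inventory records are assumed and constructed for the example.

```python
from dataclasses import dataclass, field

# Assumed baselines for this example; a real gate would read them from
# the patch-management system rather than hard-coding them.
OS_BASELINE = {"windows": "10.0.17763", "ios": "12.1", "android": "9.0"}
MAX_DAYS_SINCE_UPDATE = 30

@dataclass
class Device:
    name: str
    os: str
    os_version: str
    encrypted: bool          # full-disk / device encryption enabled
    days_since_update: int   # age of the last applied OS or app update

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)

def parse_version(text: str) -> tuple:
    """'10.0.17763' -> (10, 0, 17763); zero-pad so '12.1' == '12.1.0'."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def evaluate(device: Device) -> Decision:
    """Apply every rule and record each failure, so a deny is actionable."""
    reasons = []
    if not device.encrypted:                     # no encryption, no access
        reasons.append("device storage is not encrypted")
    baseline = OS_BASELINE.get(device.os)
    if baseline is None:
        reasons.append(f"unsupported OS {device.os!r}")
    elif parse_version(device.os_version) < parse_version(baseline):
        reasons.append(f"OS {device.os_version} below baseline {baseline}")
    if device.days_since_update > MAX_DAYS_SINCE_UPDATE:
        reasons.append(f"last update {device.days_since_update} days ago")
    return Decision(allowed=not reasons, reasons=reasons)

# Constructed inventory records, not real devices.
INVENTORY = [
    Device("alice-laptop", "windows", "10.0.18362", True, 12),
    Device("bob-phone", "ios", "11.4", True, 5),
    Device("carol-tablet", "android", "9.0", False, 2),
    Device("dan-laptop", "windows", "10.0.17763", True, 45),
]

def gate(devices=INVENTORY) -> dict:
    """Map each device name to its access decision for Wi-Fi / OWA."""
    return {d.name: evaluate(d) for d in devices}
```

Calling `gate()` on the constructed inventory allows only alice-laptop; each denied device carries the reason the user or helpdesk needs to fix.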


More information about the BreachExchange mailing list