10 security best practice guidelines for businesses

10 security best practice guidelines for businesses

Summary: Businesses need extreme security measures to combat extreme threats. Here are 10 best practices that provide defense against the majority of all security threats.

SHARE:

Corporate security consumes a huge chunk of time, money, and human resources. It's no wonder that companies like Symantec exist. Symantec produces some of the security industry's best software, but its contribution doesn't stop there. As I wrote yesterday in "Don't you just love mobile apps? So do malicious code writers", Symanctec also produces an annual Internet Security Threat Report. In these reports, Symantec highlights security threats and trends and then tells you how to fix and prevent them. They also offer some best practices of their own. My list of the 10 best practices is based loosely on their 14 or so security recommendations. I do, however, deviate from their list on items that are either too obvious or just don't work in practical terms.

This list is not entirely focused on mobile security, but is general to corporate security.

Here's my list of 10 security best practice guidelines for businesses (in no particular order).

  1. Encrypt your data: Stored data, filesystems, and across-the-wire transfers all need to be encrypted. Encryption is essential to protecting sensitive data and to help prevent data loss due to theft or equipment loss.

  2. Use digital certificates to sign all of your sites: Save your certificates to hardware devices such as routers or load balancers and not on the web server as is traditionally done. Obtain your certificates from one of the trusted authorities.

  3. Implement DLP and auditing: Use data loss prevention and file auditing to monitor, alert, identify, and block the flow of data into and out of your network.

  4. Implement a removable media policy: Restrict the use of USB drives, external hard disks, thumb drives, external DVD writers, and any writeable media. These devices facilitate security breaches coming into or leaving your network.

  5. Secure websites against MITM and malware infections: Use SSL, scan your website daily for malware, set the Secure flag for all session cookies, use SSL certificates with Extended Validation.

  6. Use a spam filter on email servers: Use a time-tested spam filter such as SpamAssassin to remove unwanted email from entering your users' inboxes and junk folders. Teach your users how to identify junk mail even if it's from a trusted source.

  7. Use a comprehensive endpoint security solution: Symantec suggests using a multi-layered product (theirs, of course) to prevent malware infections on user devices. Antivirus software alone is not enough. Antivirus, personal firewall, and intrusion detection are all part of the total approach to endpoint protection.

  8. Network-based security hardware and software: Use firewalls, gateway antivirus, intrusion detection devices, honey pots, and monitoring to screen for DoS attacks, virus signatures, unauthorized intrusion, port scans, and other "over the network" attacks and attempts at security breaches.

  9. Maintain security patches: Some antivirus programs update on what seems like a daily basis. Be sure that your software and hardware defenses stay up to date with new antimalware signatures and the latest patches. If you turn off automatic updating, set up a regular scan and remediate plan for your systems.

  10. Educate your users: As I wrote in The second most important BYOD security defense: user awareness, "it might be the most important non-hardware, non-software solution available. An informed user is a user who behaves more responsibly and takes fewer risks with valuable company data, including email".

Just so you know, I'm not leaving out things like physical security, which is one of those obvious — or should be obvious — security measures. Other such "obvious" measures are to use security-screened software, use software that has been regression tested with your operating system, use VPNs, use strong passwords, and so on.

Businesses can't afford to take chances with security. Doing so is costly. How costly? The average is $429,000* loss for large companies due to mobile computing "mishaps". Perhaps your company can afford these half-a-million-dollar mishaps, but few can. It's best to stay on top of security with a multilayered, multi-tiered approach. Vigilance is key and so is awareness.

In a few weeks, I'll introduce you to a way to alleviate a huge chunk of your security worries with a single solution. Stay tuned for that earth-shattering product information. Before that, tomorrow I'll offer up a list of 10 best practice guidelines that you can do as a consumer to prevent security mishaps. They will make you more aware and better prepared for your next encounter with internet malware.

*The latest infographics: Mobile Business Statistics For 2012, Forbes Magazine.

Related stories

Topics: Security, Malware, Mobility, Operating Systems

About

Kenneth 'Ken' Hess is a full-time Windows and Linux system administrator with 20 years of experience with Mac, Linux, UNIX, and Windows systems in large multi-data center environments.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

3 comments
Log in or register to join the discussion
  • GASP

    Nothing about The Cloud or BYOD or the latest buzzword of the month?

    *GASP*

    More articles like this, please.
    CobraA1
  • Don't overlook Multi-Function Printers (MFPs)

    Sound advice, Ken. Numbers 7 and 10 are particularly important from our perspective because too often IT professionals and employees overlook multifunction printers as a possible hacker target even though they are just a susceptible as other networked devices in the office. In fact, a recent Xerox-McAfee survey shows more than half (54 percent) of employees say computers pose the biggest security threat to their company’s network compared to other IT devices, while only 6 percent say it is MFPs. This is the type of mentality that has to change and education plays a huge role in that. To learn more please visit Xerox.com/security.

    -Doug Tallinger, WW Platform Planning Manager, Controller, Client and Partners, Xerox
    dtall22
  • Data security

    This March 2014 has more to offer you on protecting your data

    Join the Cloud & Smarter infrastructure event at Johannesburg (http://ibm.co/1coWWVp) and Security Intelligence event at Cape Town (http://ibm.co/1ggA1dT) that will cover vast discussions on how to develop and protect your IT infrastructure.

    The digital data explosion and corporate control to fewer access points make IT security a strong boardroom discussion.

    Protect your data today. Register now!
    Ramya Pillai