10 security best practice guidelines for businesses

Businesses need strong security measures to combat serious threats. Here are 10 best practices that provide defense against the majority of security threats.
Written by Ken Hess, Contributor

Corporate security consumes a huge chunk of time, money, and human resources. It's no wonder that companies like Symantec exist. Symantec produces some of the security industry's best software, but its contribution doesn't stop there. As I wrote yesterday in "Don't you just love mobile apps? So do malicious code writers", Symantec also produces an annual Internet Security Threat Report. In these reports, Symantec highlights security threats and trends and then tells you how to fix and prevent them. They also offer some best practices of their own. My list of the 10 best practices is based loosely on their 14 or so security recommendations. I do, however, deviate from their list on items that are either too obvious or just don't work in practical terms.

This list is not entirely focused on mobile security, but is general to corporate security.

Here's my list of 10 security best practice guidelines for businesses (in no particular order).

  1. Encrypt your data: Data at rest (disks and filesystems) and data in transit (every across-the-wire transfer) both need to be encrypted. Encryption is essential to protecting sensitive data and limits what is exposed when a laptop, phone, or backup drive is lost or stolen. Note that encryption protects confidentiality, not availability: it does not replace backups, and a lost key means lost data.

  2. Use digital certificates on all of your sites: Terminate TLS on hardware devices such as load balancers or dedicated appliances and keep the private key there (ideally in a hardware security module) rather than on the web server as is traditionally done. The certificate itself is public; it is the private key that must never be exposed. Obtain your certificates from one of the trusted certificate authorities.

  3. Implement DLP and auditing: Use data loss prevention (DLP) and file auditing to monitor, alert on, identify, and block the flow of sensitive data into and out of your network.

  4. Implement a removable media policy: Restrict the use of USB drives, external hard disks, thumb drives, external DVD writers, and any other writeable media. These devices are a common path for malware coming into your network and for data leaving it.

  5. Secure websites against MITM and malware infections: Serve every page over SSL/TLS (not just the login form), scan your website daily for malware, set the Secure flag (and HttpOnly) on all session cookies so they are never sent over plain HTTP or readable by injected scripts, and use SSL certificates with Extended Validation.

  6. Use a spam filter on email servers: Use a time-tested spam filter such as SpamAssassin to keep unwanted email from reaching your users' inboxes. Teach your users how to identify junk mail even when it appears to come from a trusted source.

  7. Use a comprehensive endpoint security solution: Symantec suggests using a multi-layered product (theirs, of course) to prevent malware infections on user devices. Antivirus software alone is not enough. Antivirus, personal firewall, and intrusion detection are all part of the total approach to endpoint protection.

  8. Network-based security hardware and software: Use firewalls, gateway antivirus, intrusion detection devices, honeypots, and monitoring to screen for DoS attacks, virus signatures, unauthorized intrusion, port scans, and other "over the network" attacks and attempts at security breaches.

  9. Maintain security patches: Some antivirus programs update on what seems like a daily basis. Be sure that your software and hardware defenses stay up to date with new antimalware signatures and the latest patches, and patch the operating systems and applications themselves, not only the security tools. If you turn off automatic updating, set up a regular scan-and-remediate plan for your systems.

  10. Educate your users: As I wrote in The second most important BYOD security defense: user awareness, "it might be the most important non-hardware, non-software solution available. An informed user is a user who behaves more responsibly and takes fewer risks with valuable company data, including email".
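Item 5 above is the one that translates most directly into a line of code, so here is an added example (my illustration, not code from the article or from Symantec) of what "set the Secure flag on all session cookies" looks like in practice: a helper that builds a hardened Set-Cookie header, and a small audit routine you can point at the headers your own site returns to find session cookies that are missing Secure, HttpOnly, or SameSite. The cookie names, values, and header strings are constructed for the demo, and the session-name pattern is a heuristic of mine, not a standard.

```javascript
// Added example (not from the article): build a hardened session cookie and
// audit Set-Cookie headers for the flags that keep a session out of a MITM's
// hands. All cookie names and header strings below are constructed samples.

// Why each flag matters:
//   Secure   - the browser only sends the cookie over HTTPS, so an attacker
//              sitting on a plain-HTTP hop never sees the session ID.
//   HttpOnly - page scripts cannot read the cookie, which blunts session
//              theft through injected JavaScript (XSS).
//   SameSite - Lax or Strict keeps the cookie off most cross-site requests,
//              which limits CSRF. "None" re-enables cross-site sending.

// Build a Set-Cookie header value. Defaults are the hardened settings; pass
// {secure: false} etc. only to reproduce the weak "before" configuration.
function buildSessionCookie(name, value, opts = {}) {
  const { secure = true, httpOnly = true, sameSite = "Lax", path = "/", maxAge = 3600 } = opts;
  // RFC 6265 token characters for the name; no separators or whitespace in the value.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error("invalid cookie name");
  if (/[;,\s]/.test(value)) throw new Error("invalid cookie value");
  const parts = [`${name}=${value}`, `Path=${path}`, `Max-Age=${maxAge}`];
  if (secure) parts.push("Secure");
  if (httpOnly) parts.push("HttpOnly");
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join("; ");
}

// Parse one Set-Cookie header into {name, value, attrs}. Attribute names are
// case-insensitive, so they are normalised to lower case; flags without a
// value (Secure, HttpOnly) are stored as true.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return the recommended flags missing from one Set-Cookie header.
// SameSite=None counts as missing, since it re-enables cross-site sending.
function auditSetCookie(header) {
  const { attrs } = parseSetCookie(header);
  const missing = [];
  if (!("secure" in attrs)) missing.push("Secure");
  if (!("httponly" in attrs)) missing.push("HttpOnly");
  const sameSite = attrs["samesite"];
  if (sameSite === undefined || sameSite === true || String(sameSite).toLowerCase() === "none") {
    missing.push("SameSite");
  }
  return missing;
}

// Audit every Set-Cookie header from a response and report only cookies whose
// names look like session cookies (the pattern is a heuristic, not a standard).
function auditResponseCookies(setCookieHeaders, sessionNamePattern = /sess|sid|token/i) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const { name } = parseSetCookie(header);
    if (!sessionNamePattern.test(name)) continue;
    const missing = auditSetCookie(header);
    if (missing.length) findings.push({ name, missing });
  }
  return findings;
}

// Constructed sample: the weak "before" cookie next to the hardened one.
const WEAK_COOKIE = buildSessionCookie("SESSIONID", "abc123", { secure: false, httpOnly: false, sameSite: null });
const HARDENED_COOKIE = buildSessionCookie("SESSIONID", "abc123");

console.log("weak:     ", WEAK_COOKIE, "-> missing", auditSetCookie(WEAK_COOKIE));
console.log("hardened: ", HARDENED_COOKIE, "-> missing", auditSetCookie(HARDENED_COOKIE));
```

Run it with node and the weak cookie reports all three flags missing while the hardened one reports none. To use the audit against a real site, collect the Set-Cookie headers from a response (curl -I, or your framework's test client) and feed the array to auditResponseCookies; anything it returns is a cookie a MITM or an injected script could pick up.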

Just so you know, I'm not leaving out things like physical security, which is one of those obvious — or should be obvious — security measures. Other such "obvious" measures are to use security-screened software, use software that has been regression tested with your operating system, use VPNs, use strong passwords, and so on.

Businesses can't afford to take chances with security. Doing so is costly. How costly? The average loss for large companies due to mobile computing "mishaps" is $429,000*. Perhaps your company can afford these nearly half-a-million-dollar mishaps, but few can. It's best to stay on top of security with a multilayered, multi-tiered approach. Vigilance is key and so is awareness.

In a few weeks, I'll introduce you to a way to alleviate a huge chunk of your security worries with a single solution. Stay tuned for that earth-shattering product information. Before that, tomorrow I'll offer up a list of 10 best practice guidelines that you can do as a consumer to prevent security mishaps. They will make you more aware and better prepared for your next encounter with internet malware.

*The latest infographics: Mobile Business Statistics For 2012, Forbes Magazine.
