Top 10 Basic Security Awareness Controls
Organizations of all sizes can implement some basic controls that require little capital and help build cybersecurity awareness among their employees. This means that the organization and its employees understand the risks and are on the lookout for things that seem unusual. In the security industry, if something seems odd or out of place, it probably is.
Here are some best practices:
▪ Do not use unprotected computers: Data on computers needs to be protected with monitoring and encryption. Encrypted hard drives help organizations protect the information stored on laptops and desktops from unauthorized access should the device be lost or stolen.
▪ Clean office policy: Keep work spaces clean in areas where customers and clients have access. Keeping all confidential information, including passwords, in a secure location such as a locked drawer or filing cabinet helps prevent the loss or compromise of private data.
▪ Mobile device security: Always lock computers and mobile devices when they are not in use, and require passwords for access to these devices. This helps maintain the security of contacts and confidential information.
▪ Network and application passwords: Password policies, both written and enforced, are one way to keep information safe and available only to those who need it. Too many organizations apply this practice loosely, either not requiring that passwords be changed often enough or not applying uniform password requirements across the organization.
▪ Be alert! Awareness means having a sense of what is right and wrong, applying that knowledge to all interactions (email, phone calls, requests, links, and attachments), and being alert to all potentially suspicious activity.
▪ Unknown devices: IT departments are steadily blocking access to unknown devices plugged into computers through USB ports, since these devices are a potential avenue of attack. The same should apply to all devices plugged into, or connected via Bluetooth to, computers that house or have access to sensitive or confidential information.
▪ Unauthorized software: Software from an unknown source should not be downloaded and installed without the consent and assistance of the IT department/group. A best practice is to remove local administrative rights from individual users, so that an IT person must consent before executable files that may contain viruses or malware can be installed.
▪ Terminated employees: There is no greater threat to an organization than the human element and employee interaction with systems, networks, and applications. Ninety percent of all information technology reviews and audits completed will find that some terminated employees still have access to a network and applications.
▪ Risk assessments: Knowing where the risks and uncertainties exist for an organization is essential to knowing how to combat them and to identifying where additional controls are needed. Completing a risk assessment, and updating it regularly, should be a top priority for all organizations.