Corporate network security is more important and challenging than ever, but it is also easier than most businesses think if they focus on five key areas, according to Kaspersky Lab.
The security firm has published a guide for businesses on improving security through best practices in employee IT security hygiene, application patching, mobility, device protection and online behaviour.
According to the guide, the best cyber security protection for any business requires a mixture of enforcement and education.
While employees need to take more responsibility for their own safety than they may have done in the past, the guide notes there is a lot businesses can do to eliminate risky behaviour.
This includes requiring employees to use strong, unique passwords, with research showing 63% of employees currently use easy-to-guess passwords and 39% use the same password for all accounts.
The guide recommends businesses control size, complexity and repetitive use of passwords, as well as ensuring employees know the characteristics of phishing and potentially dangerous web addresses.
Employees should be encouraged not to open links from unknown sources, to open any links they are unsure about in a separate window and to check URLs for consistency.
No employee should be opening files from unknown sources – whether personal or work related – and this should be a key element of any company security policy, the guide said.
According to the guide, it is important to use education and systems control to turn best practice into a security policy that is adopted and followed by everybody in the business.
Software vulnerabilities
When it comes to business applications, the guide said failure to update software increases the risk of a security breach.
The majority of malware is designed to take advantage of vulnerabilities in applications, which means the longer they are left unpatched, the longer cyber criminals have to exploit those vulnerabilities.
According to Kaspersky Lab, in most cases a patch is already available, but has not been applied by the targeted company where attacks are launched through an application.
This means such attacks can be avoided with relative ease and companies should ensure they are taking measures to deploy all available patches.
Research shows around 49% of employees do not regularly patch or update software and operating systems, while 58% of businesses have not fully implemented application control systems.
As it is time consuming to research, prioritise and deploy patches, Kaspersky Lab recommends companies automate the process.
The guide also recommends deploying tools to spot and block unwanted applications and software and to enforce application policies.
Kaspersky Lab warns that just as web links, files and attachments can be used to transmit malware, so can physical devices such as USB memory sticks, SD cards or any device such as an MP3 player that has been in contact with infected network.
Research has shown that removable media such as USB drives and SD cards account for 30% of malware infections.
The guide advises businesses implement automated systems to prevent employees from doing risky things. It also states the importance of educating employees to exercise caution regarding removable media, meaning businesses can dramatically reduce the chances of malware infecting the network.
Protecting devices
Kaspersky Labs recommends businesses deploy systems to scan devices for malware and to control the types of device connecting to the company network and what they are allowed to do.
With the rise of mobile working, the guide says it is no longer enough for companies to apply security measures to just the hardware at the office. With the rise of bring your own device (BYOD), it is not enough to protect only company-owned devices.
The guide suggests mobile should be a central part of any business’s IT security policy. “By being proactive, you can help prevent data loss from sophisticated threats such as malware and simple mishaps such as losing a device,” it says.
Research shows almost a third of businesses have experienced lost or stolen staff mobiles, with a quarter knowing they lost data as a result.
Employees need to understand the importance of mobile security and of informing IT about all the devices they use, the report said. However, it recommends deploying systems to identify all mobile devices connecting to the corporate network and providing anti-malware and other security protection.
The report warns all data on unprotected Wi-Fi networks can be intercepted and data on the screen can be modified.
With 34% of public Wi-Fi users taking no specific measures to protect themselves, the guide recommends businesses ensure employees understand corporate data and email should only be accessed over a secure network.
Any employees using public Wi-Fi to access corporate data should do so only using a virtual private network (VPN) connection.
The guide also recommends companies separate corporate data from the user’s personal information so sensitive company information can be encrypted, making it impossible to read if the device is stolen.
It also means a company can delete the “corporate container” when necessary, such as when an employee leaves the company.
Social media threats
Finally, the guide states that, much like BYOD, social media sites are another example of how intermingling professional and private lives have serious repercussions for online security.
As well as being an opportunity for the spread of malware, the guide said social media sites help criminals collect information about potential targets.
The guide states it is important for employees to understand that even if their browsing is personal, the risks can affect the entire company. “By encouraging the right behaviours, you can implement a policy that keeps your network and data safe without impinging on the quality of employees’ work life,” it says.
Kaspersky Lab recommends businesses tell employees they must to check the origin of anything they download and to hover over links to check the URL matches the anchor text, especially if the site they lead to is unknown or untrusted.
Businesses also need to ensure their security policy covers employee conduct on social media sites to prevent them from sharing any personal or corporate sensitive information and to require employees to take responsibility for screening their contacts.
Security policies should also exclude sites that are not appropriate for work purposes, which can be enforced by deploying systems designed to blacklist categories of websites.
Businesses should also ensure employees are using the latest versions of web browsers to ensure the built-in security measures are up to date.
