A series of good practices and good reflexes makes it possible to significantly limit the risks, by multiplying the barriers and closing the loopholes. Here are the 9 most important points:
Educate and train employees
Physically secure your IT facilities
Manage computer access to facilities
Secure Internet access
Watch for updates
Classify your data and protect your sensitive information
Impose a secure password policy on your employees
Archive regularly and test for reliability
Detect and identify
Educate and train employees
They must know what information the company regards as sensitive, how to transfer information as securely as possible, how to communicate judiciously (especially on social networks), how to protect themselves from viruses and malware, how to choose passwords, how to spot malicious websites, what the most common social engineering traps used to gain access are, and what to do if they notice a problem. Contrary to popular belief, most IT security leaks are not due to technical failures but to human ones. It is therefore worth establishing an IT security charter and reminding employees of it regularly.
Physically secure your IT facilities (physical protection, access badges, etc.):
There is no point in shielding external access to your systems if a cybercriminal can more easily walk into the company's premises and install software on a PC connected to the internal network.
Maintain an inventory of the various elements of your IT infrastructure.
Manage computer access to facilities (fixed, internal wifi and remote via VPN):
A precise policy must be established, defining who has access to what.
1. Security settings on PCs and mobile devices must not be freely modifiable by ordinary users.
2. By default, installing software and peripherals should not be possible, apart from an approved list.
Attention must also be paid to immediately removing access from former employees, subcontractors, interns, etc.
Secure Internet access:
Antivirus software is essential, but must be combined with a firewall (incoming and outgoing web filtering) and a malware detection system.
1. By default, access to certain sites and services may be blocked (e.g. peer-to-peer sites, sites offering pirated software or ways to bypass security systems, sites for downloading illegal or protected content, etc.).
2. Tools that automatically scan every downloaded file and script, and that spot phishing, are recommended (e.g. detecting that the real destination of a link differs from the address shown to the user). It is also strongly recommended to keep timestamped logs recording the source address of every access to the networks, internal and external. The logging system must obviously itself be secured independently, so that an intruder cannot erase their tracks.
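The link check mentioned in point 2 is simple to implement: parse every anchor in an HTML e-mail body, and whenever the visible text itself looks like a URL or domain, compare the host it advertises with the host the href actually points to. The following is an added example written for this page, not code from the original article; the URL-shaped-text regex, the "www." normalisation and the sample HTML are assumptions constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Visible text that "looks like" a URL or a bare domain, e.g. "www.example.com"
# or "https://bank.example/login". Constructed heuristic for this example.
_LOOKS_LIKE_URL = re.compile(
    r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#:]\S*)?$", re.IGNORECASE)


def _host(url_like: str) -> str:
    """Lower-cased host of a URL or bare domain, with a leading 'www.' dropped
    so that 'example.com' and 'www.example.com' compare equal ('' if none)."""
    text = url_like.strip()
    if "://" not in text:
        text = "http://" + text          # urlsplit needs a scheme to find the host
    host = (urlsplit(text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None       # [href, [text fragments]] while inside <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", []]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, parts = self._current
            self.links.append((href, "".join(parts).strip()))
            self._current = None


def find_mismatched_links(html: str) -> list:
    """Return [(visible_text, href, reason)] for anchors whose visible text is a
    URL or domain whose host differs from the host the href really points to."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not _LOOKS_LIKE_URL.match(text):
            continue                      # "click here" style text is not compared
        shown, real = _host(text), _host(href)
        if not shown or not real:
            continue
        # A link shown as example.com may legitimately go to a subdomain of it;
        # anything else (e.g. example.com.attacker.invalid) is a mismatch.
        if real != shown and not real.endswith("." + shown):
            findings.append((text, href,
                             f"displayed host {shown!r} but actual host {real!r}"))
    return findings


# Constructed sample e-mail body for this example (not a real message).
SAMPLE_HTML = """
<p>Dear customer, please confirm your account at
<a href="https://login.example-bank.com.attacker.invalid/reset">https://login.example-bank.com</a>.</p>
<p>Help: <a href="https://www.example-bank.com/help">example-bank.com</a>
or <a href="https://support.example-bank.com/">click here</a>.</p>
"""

if __name__ == "__main__":
    for text, href, reason in find_mismatched_links(SAMPLE_HTML):
        print(f"SUSPICIOUS: '{text}' -> {href} ({reason})")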
Watch for updates:
Security vulnerabilities are discovered all the time. It is therefore necessary to systematically update your computer systems:
1. At the level of servers, network equipment (routers, etc.), PCs and other terminals (smartphones, tablets), whether it is the OS (operating system), web browsers, browser plug-ins, or security software.
2. Obviously, you should only download updates from the publisher's official source and be wary of links received by e-mail.
Classify your data and protect your sensitive information:
Avoid the mistake of focusing only on hardening your IT installations. That should only be the first barrier. The second must be making it impossible to read your data in the clear, since the data is the real thing to be protected.
Appropriate encryption must be used for sensitive data and activated automatically (especially on USB keys, smartphones, internal backup media and cloud archiving systems). Note that the confidentiality of correspondence is not really guaranteed online: ordinary e-mail is not encrypted end to end.
It is actually safer to send a confidential business contract by post than by unencrypted e-mail, and you should avoid storing it in "cloud" applications. So, if you have to send an international patent project to a lawyer before the official filing, it is better to go offline, to protect yourself from cyber attack.
Impose a secure password policy on your employees. 4 important rules:
1. The password must be strictly personal and never written down.
2. The password must be long (at least 8 characters, preferably more) and complex (not a dictionary word, not a date, but a combination of letters, numbers and special characters).
3. While it is humanly impossible to remember a different password for every service, the password must at least be different for each type of application, distinguishing professional from private activity (e.g. web banking, private e-mail, professional e-mail, cloud, private social network, corporate social network, etc.).
4. The password must change over time (e.g. force a change every quarter for access to the internal network).
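Rules 2 to 4 can be enforced mechanically when a password is set or checked. Below is an added example written for this page, not code from the original article. Rule 1 (personal, never written down) is procedural and cannot be checked in code. The wordlist, the date formats, the 90-day maximum age and the use of salted PBKDF2 hashes to detect reuse across application categories (as a corporate password manager could do) are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import re
import string
from datetime import date
from typing import List, Optional, Sequence, Tuple

MIN_LENGTH = 8          # the page's minimum; longer is better
MAX_AGE_DAYS = 90       # "force a change every quarter" (assumed value)

# Tiny constructed wordlist; a real deployment loads a full dictionary.
DICTIONARY = {"password", "welcome", "company", "summer", "secret", "admin"}

# Dates written as digits, with or without separators (assumed formats).
_DATE_PATTERNS = [re.compile(p) for p in (
    r"^\d{2}[/.-]?\d{2}[/.-]?(?:\d{2}|\d{4})$",   # 31/12/1999, 31121999, 311299
    r"^\d{4}[/.-]?\d{2}[/.-]?\d{2}$",             # 1999-12-31, 19991231
)]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest); store both, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def _is_dictionary_word(password: str) -> bool:
    # "Password1!" -> "password": strip digits and punctuation before the lookup
    core = "".join(ch for ch in password.lower() if ch.isalpha())
    return core in DICTIONARY


def _looks_like_date(password: str) -> bool:
    return any(p.match(password) for p in _DATE_PATTERNS)


def check_password(password: str,
                   other_hashes: Sequence[Tuple[bytes, bytes]] = (),
                   last_changed: Optional[str] = None,
                   today: Optional[str] = None) -> List[str]:
    """Return the list of rule violations; an empty list means acceptable.

    other_hashes: (salt, digest) pairs of the passwords this user already
        registered for other application categories (rule 3).
    last_changed / today: ISO dates (YYYY-MM-DD); when both are given the
        password's age is checked against MAX_AGE_DAYS (rule 4).
    """
    problems = []
    # Rule 2: length and complexity
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    if not (has_letter and has_digit and has_special):
        problems.append("must mix letters, digits and special characters")
    if _is_dictionary_word(password):
        problems.append("is a dictionary word")
    if _looks_like_date(password):
        problems.append("is a date")
    # Rule 3: no reuse across application categories (compared via salted hashes)
    for salt, digest in other_hashes:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            problems.append("already used for another application category")
            break
    # Rule 4: rotation
    if last_changed is not None and today is not None:
        age = (date.fromisoformat(today) - date.fromisoformat(last_changed)).days
        if age > MAX_AGE_DAYS:
            problems.append(f"older than {MAX_AGE_DAYS} days, must be changed")
    return problems


if __name__ == "__main__":
    salt, digest = hash_password("Corr3ct-Horse")        # password used for web banking
    for candidate in ("Tr0ub4dor&3", "Password1!", "31/12/1999", "Corr3ct-Horse"):
        print(candidate, "->", check_password(candidate, [(salt, digest)]) or "OK")
```

The reuse check never sees the other passwords in clear: it recomputes the candidate's hash with each stored salt and compares digests in constant time, which is the same mechanism a system uses to enforce password history.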
Archive regularly and test for reliability:
A good practice is to back up programs (via a full image of the computer, ready to be reinstalled) separately from the data, which should be encrypted. The backup policy should define what data is backed up, for how long, who performs the copy, how and how often, where the storage is located and who is responsible for it, and who regularly tests that the backups can actually be restored, and are therefore usable.
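The last item of that policy, actually testing that a backup can be restored, is the one most often skipped. The following is an added example written for this page, not code from the original article: it archives a directory into a tar.gz file together with a SHA-256 manifest, then performs a trial restore into a scratch directory and checks every file against the manifest, so that a damaged or incomplete backup is noticed before it is needed. The sample files, the truncation used to simulate damaged media and the manifest file name are constructed assumptions; encrypting the archive, which the page requires, is left to the storage layer here.

```python
import hashlib
import json
import os
import tarfile
import tempfile
import zlib
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path) -> dict:
    """Archive every file under src_dir into archive_path (tar.gz) and write a
    manifest of relative path -> SHA-256 beside it. Returns the manifest."""
    src_dir, archive_path = Path(src_dir), Path(archive_path)
    manifest = {}
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for path in sorted(p for p in src_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(src_dir).as_posix()
            manifest[rel] = _sha256(path)
            tar.add(str(path), arcname=rel)
    Path(str(archive_path) + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(archive_path, manifest: dict) -> list:
    """Restore the archive into a fresh scratch directory and compare every file
    with the manifest. Returns a list of problems; empty means the backup is
    demonstrably recoverable."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(str(archive_path), "r:gz") as tar:
                try:
                    # the 'data' filter refuses absolute paths, '..' and device files
                    tar.extractall(scratch, filter="data")
                except TypeError:          # Python without extraction filters
                    tar.extractall(scratch)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif _sha256(restored) != expected:
                problems.append(f"content differs after restore: {rel}")
    return problems


def demo_roundtrip():
    """Constructed end-to-end run: a good backup, a truncated copy of the archive
    and a manifest that lists a file the archive never captured. Returns the
    three problem lists."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        src = root / "data"
        (src / "contracts").mkdir(parents=True)
        (src / "contracts" / "nda.txt").write_text("constructed sample contract\n")
        (src / "keys.bin").write_bytes(os.urandom(4096))     # incompressible sample
        (src / "notes.txt").write_text("constructed sample notes\n" * 200)

        archive = root / "backup.tar.gz"
        manifest = make_backup(src, archive)
        good = verify_restore(archive, manifest)

        # Failure mode 1: media damage / interrupted copy leaves a truncated archive
        truncated = root / "truncated.tar.gz"
        truncated.write_bytes(archive.read_bytes()[: archive.stat().st_size // 3])
        damaged = verify_restore(truncated, manifest)

        # Failure mode 2: the manifest promises a file that was never backed up
        stale = dict(manifest)
        stale["contracts/missing.txt"] = "0" * 64
        incomplete = verify_restore(archive, stale)
    return good, damaged, incomplete


if __name__ == "__main__":
    for label, result in zip(("intact", "truncated", "stale manifest"), demo_roundtrip()):
        print(f"{label}: {'OK' if not result else result}")
```

The manifest is the piece that makes the test meaningful: an archive that opens without error is not proof that its contents match what was on disk at backup time, and a scheduled run of verify_restore against each archive is what the "who regularly tests" line in the policy should assign to a named person.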
Detect and identify!
Invest in intrusion detection systems. Test regularly (or ask a specialized company to carry out periodic checks).