You want to be more responsible about IT security in your organization, but where do you start? May I suggest that your first step be understanding these topics more thoroughly. This list isn't exhaustive. It's only a beginning:
1. DNS and DNSSEC: Some of the largest attacks of recent years have targeted DNS providers, and DNS itself can be subverted in many simple ways, from cache poisoning to forged responses. Domain Name System Security Extensions (DNSSEC) lets a resolver verify that an answer was signed by the zone's owner, which defeats forgery, at the cost of understanding how signing, key rollover and validation work, how to deploy it and how it is maintained. DNSSEC does not stop a DDoS against your DNS servers; for that you need to know what your provider and your own infrastructure can absorb, and how to tell whether your organization is being targeted. Study both.
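A first practical check is whether your zone is signed and whether the resolver your users rely on actually validates. The example below is added here and is not part of the original article: it classifies the output of `dig +dnssec` by the `ad` (authenticated data) flag, the presence of `RRSIG` records and a `SERVFAIL` status. The three sample outputs are constructed, not real captures, and the live query helper assumes `dig` is installed.

```python
import re
import shutil
import subprocess

# Constructed samples of `dig +dnssec A example.org` output (not real captures).
SAMPLE_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.org.\t3600\tIN\tA\t192.0.2.10
example.org.\t3600\tIN\tRRSIG\tA 13 2 3600 20990101000000 20980101000000 12345 example.org. AbCd...
"""

SAMPLE_UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.org.\t3600\tIN\tA\t192.0.2.10
"""

SAMPLE_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34567
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""


def classify_dnssec(dig_output: str) -> str:
    """Classify dig +dnssec output by status, header flags and RRSIG presence.

    'ad' is set only when the resolver itself validated the chain of trust;
    RRSIG records alone show that the zone is signed, not that anyone checked.
    """
    status = re.search(r"status: (\w+)", dig_output)
    flags = re.search(r";; flags: ([^;]*);", dig_output)
    flag_set = set(flags.group(1).split()) if flags else set()
    has_rrsig = re.search(r"\sIN\s+RRSIG\s", dig_output) is not None
    if status and status.group(1) == "SERVFAIL":
        # Re-run with +cd (checking disabled): an answer then means validation failed,
        # no answer means the zone's servers are unreachable.
        return "servfail (validation failure or unreachable zone; retry with +cd)"
    if "ad" in flag_set and has_rrsig:
        return "signed and validated by resolver"
    if has_rrsig:
        return "signed but resolver did not validate (no ad flag)"
    return "unsigned (no RRSIG in answer)"


def query(name: str, rtype: str = "A", cd: bool = False) -> str:
    """Run dig (assumed installed) against the system resolver. Not used offline."""
    args = ["dig", "+dnssec"] + (["+cd"] if cd else []) + [rtype, name]
    return subprocess.run(args, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    for label, out in [("validated", SAMPLE_VALIDATED),
                       ("unsigned", SAMPLE_UNSIGNED),
                       ("servfail", SAMPLE_SERVFAIL)]:
        print(f"{label}: {classify_dnssec(out)}")
    if shutil.which("dig"):
        print("live example.org:", classify_dnssec(query("example.org")))
```

Run it against your own zone and, separately, against the resolver your endpoints actually use; a signed zone behind a non-validating resolver gives users none of the protection.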
2. Email and malicious attachments: Statistically, these are the easiest way for users to unwittingly bypass your organization's best defenses: opening a malicious mail attachment or clicking a link inside an email that infects their machine with malware.
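Most mail gateways let you attach a simple triage rule of your own; the example below is added here and is not from the original article. It walks the attachments of a message with the standard library's `email` package and flags dangerous extensions, double extensions such as `invoice.pdf.exe`, and payloads whose leading bytes identify an executable or Office container regardless of the name. The sample message is constructed inside the code.

```python
import email
import email.policy
from email.message import EmailMessage

# Extensions a gateway should hold or strip outright.
DANGEROUS_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd",
                 ".ps1", ".lnk", ".iso", ".docm", ".xlsm"}
# Extensions attackers like to hide behind in a double extension.
HARMLESS_LOOKING = {".pdf", ".doc", ".docx", ".jpg", ".txt"}
# Leading bytes that identify the real container type.
MAGIC = {
    b"MZ": "windows executable (PE)",
    b"\xd0\xcf\x11\xe0": "OLE compound file (legacy Office, may carry macros)",
    b"PK\x03\x04": "zip container (OOXML, JAR or archive)",
}


def sniff(payload: bytes) -> str:
    """Return a description of the payload's real type, or '' if unrecognised."""
    for magic, desc in MAGIC.items():
        if payload.startswith(magic):
            return desc
    return ""


def triage_message(raw: bytes) -> list:
    """Return a list of human-readable findings for every attachment in a raw message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        pieces = name.split(".")
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        if ext in DANGEROUS_EXT:
            findings.append(f"{name}: blocked extension {ext}")
        if len(pieces) > 2 and "." + pieces[-2] in HARMLESS_LOOKING:
            findings.append(f"{name}: double extension")
        kind = sniff(payload)
        if kind:
            findings.append(f"{name}: content is {kind}")
    return findings


def build_sample() -> bytes:
    """Constructed phishing-style message: a PE file named to look like a PDF."""
    msg = EmailMessage()
    msg["From"] = "payroll@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Updated invoice"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="invoice.pdf.exe")
    msg.add_attachment(b"%PDF-1.7\n", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        print(finding)
```

Magic-byte sniffing is what catches the renamed executable; an extension check alone is fooled by whatever the sender typed in the filename.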
3. Microsoft Group Policy Objects: If you have even one Windows computer in your organization, the fastest way to lock it down is to understand how Group Policy Objects (GPO) work and how to deploy them effectively. A good GPO implementation doesn't grant immunity, but it slows down a lot of trouble.
4. Cloud Access Security Brokers: We all use the web as a resource, and web apps, a/k/a SaaS apps, are ripe for abuse, misuse, data exfiltration and other wicked problems. A Cloud Access Security Broker (CASB) sits between your users and online resources and enforces administrative controls on how data flows between your organization and online service and app providers. Understand CASB, and you'll understand where your organization's data can leak.
5. Mobile device and application management: Mobility means convenience but also the loss of comforting control. Mobile device management (MDM) and mobile application management (MAM) assert administrative control over applications, data flows, security settings and single sign-on (SSO), and they usually leave mobile users some flexibility. Whether for phone, tablet or laptop, there are increasingly sophisticated MDM products, cloud-based or on your premises, to keep users from hurting themselves and your organization.
6. Intrusion detection and threat-intelligence sharing services: You don't have to go it alone. Networks of mutual protection are evolving that watch your network for anomalous behavior and share information about known bad actors. Some services pool that information and distribute indicators of suspicious activity in near real time, which can keep you from being next on the list of victims.
7. Two-factor authentication: Two-factor authentication (2FA) decreases the odds that a stolen password alone is enough to breach an account. The second factor may be a one-time code from an authenticator app, a hardware key such as a YubiKey, or a phone verification. Security questions are sometimes offered as a "second step," but they are another thing the user knows, not a second factor, and they are usually easy to research. The second step needs to be applied consistently, but you have many choices. Understand when and why to use them, how to implement them, how much they cost, how users will manage them, how to train users and help-desk staff, and how to get the most out of them in the real world.
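The one-time codes from authenticator apps are TOTP (RFC 6238) built on HOTP (RFC 4226), and it helps to have seen the algorithm before choosing a product. The example below is added here and is not from the original article: it implements both, verifies a submitted code with a small drift window, and refuses to accept a counter at or below the last one used, which is the replay check a server must keep. The key used is the RFC test-vector key, so the values can be compared against the published vectors.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 (SHA-1) test-vector secret; a real secret is random, per user.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, submitted: str, unix_time: int, last_used: int = -1,
                window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Return the accepted time-step counter, or None if the code is rejected.

    Accepts the current step plus/minus `window` steps to absorb clock drift, compares
    in constant time, and never accepts a counter at or below `last_used` so that an
    intercepted code cannot be replayed inside the window.
    """
    counter = unix_time // step
    for c in range(max(0, counter - window), counter + window + 1):
        if c <= last_used:
            continue
        if hmac.compare_digest(hotp(key, c, digits), submitted):
            return c
    return None


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC_TEST_KEY, now))
    accepted = verify_totp(RFC_TEST_KEY, totp(RFC_TEST_KEY, now), now)
    print("accepted at counter:", accepted)
    # Second submission of the same code is refused because last_used moved forward.
    print("replay accepted:", verify_totp(RFC_TEST_KEY, totp(RFC_TEST_KEY, now), now, last_used=accepted))
```

Two details matter in deployment: the server must persist `last_used` per user, and its clock must be disciplined, because the drift window is the only tolerance the scheme offers.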
8. Tor: Browsers leave footprints, and there are organizations whose sole business model is to aggregate that data to track your organization's users. The Tor Browser counters them by routing traffic through the onion network, hiding the user's network location, and by resisting browser fingerprinting. Yes, Tor can be used for evil purposes, but the anonymity it provides is perhaps the best offered today. Note that traffic leaving a Tor exit node is not encrypted by Tor itself, so HTTPS still matters. Train users on Tor precautions, and prepare for the effects on your networking infrastructure.
9. The Internet of Trash/Smart Thingies: As you read this, an untold number of IoT "smart devices" and embedded network nodes inside your organization are alternately eating your lunch and cutting your costs, perhaps dramatically. They are, in any event, unavoidable. Your users find them fun, yet they are unwitting carriers of bad code, network mayhem and surprises we haven't seen yet. So there needs to be a way to educate users, employees and contractors about the serious possible hazards of the Internet of Trash, along with the long-term possible benefits of such devices.
10. Why the Electronic Frontier Foundation: A wide, unclear boundary exists between those who use information for unintended purposes and those definitely engaged in evil-doing.
As your users, co-workers and employees go about their online lives, they are tracked, and their data and habits are analyzed. The information gathered isn't necessarily used in the user's best interests. When it is misused or abused, users must battle problems like identity theft and personal information compromise and deal with the aftermath. While they're doing that, they can't contribute fully to the organizations where they work or volunteer, or to others that need their care. A privacy-enlightened user contributes both to their own self-care and to an organization's sense of teamwork and self-control.
The Electronic Frontier Foundation does the heavy lifting toward establishing the boundaries of those rights. We need the boundaries defined and adhered to. Their success is your success.