Even though IT security is a daily struggle for SMBs, it is still usually underestimated.
There are many simple actions that can be taken to avoid losing or corrupting corporate data.
The first principle is to give each user only the access they actually require, in order to meet the 3 essential security principles of information systems:
However, in reality, there are recurring problems, in particular for SMBs.
1) Too often employees and third-party users have access to data they do not need, which goes against the security requirements of the business. The tasks performed by the employee should determine the characteristics of their access to the company’s information system.
2) Most of the people accessing the system are employees and third-party users; however, privileged users such as system administrators have greater access to data and a greater ability to cause damage.
3) Sometimes users have administrative access to their workstation, enabling them to install software which was not verified or accepted by the company’s security policy, which may be a breach of security.
To resolve these security problems, it is essential to put in place a structure which will protect your information and your users. Here is how.
1) Set up a security policy
The first step for a company is to put in place a security policy which embodies its security charter. It is a way of formalizing the "acceptable" use of computer resources.
The security policy specifies precisely what employees are allowed to do and not do on their workstation. It covers topics such as personal emails, file downloads, software installation, the ownership of the information and website accesses which are authorized or forbidden.
When discussing data security, it goes without saying that data can be classified, and that this classification must be based on the sensitivity and the criticality of the data.
This means establishing access control to data based on the audited rights of the person or the computer to access one or more data items.
The access control is divided into three elements: authentication, authorization and traceability.
The first element ensures the identity of the requestor is known in Windows’ Active Directory, and that the identity can be proven by providing a password which only they should know.
The second element controls whether the requestor is authorized to access the data. An authenticated user is not automatically authorized to access the resource; this must be established by an administrator.
The last element lets you collect information on the use of the data (connection duration, user’s IP address, etc.) which lets you audit access to the elements.
Traceability consists in tracking access to sensitive IT resources in order to fight against usurpation of rights. In the event of piracy, the information collected is useful to determine which actions were undertaken with malicious intent.
System administrators have privileged access: they have user accounts that enable them to access the servers, the directories, applications and sensitive data.
They also have nominative accounts, and possibly a number of accounts shared with other administrators which are protected by a simple password.
Having significant responsibility on information systems can also mean a significant risk for the company, whether by accident or maliciously, as was demonstrated by the Edward Snowden case.
This is why it is essential to carry out a detailed audit and to set up the required controls to manage identities and access to the different resources and systems.
Windows 10 offers two types of user accounts, standard and administrator.
Users with a standard account can perform all current daily tasks and execute programs.
However, should you need to perform tasks that would alter the system, such as installing software, an administrator account is required.
For security reasons, you should limit users to a standard account on their workstations.
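One way to check that the workstation rule above is actually being followed, as an added example that is not part of the original article: a PowerShell script that lists every account holding administrator rights on a Windows 10 machine and flags those not on an approved list. The approved names (`CONTOSO\IT-Support`) and the `ApprovedAdmins` list are assumed placeholders; the script uses the built-in LocalAccounts cmdlets and must itself be run with administrator rights.

```powershell
# Added example (not from the original article): audit a Windows 10 workstation
# for accounts that hold administrator rights and report any that are not on the
# approved list. Assumes PowerShell 5.1+ with the built-in LocalAccounts module
# and an elevated session (reading local group membership requires it).

# Assumed allow-list: the break-glass local Administrator account and an IT
# support group. Replace with the names from your own security policy.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    "CONTOSO\IT-Support"          # placeholder domain group
)

function Get-UnapprovedLocalAdmins {
    param([string[]]$Approved = $ApprovedAdmins)

    # Every principal (user or group, local or domain) in the local Administrators group
    $members = Get-LocalGroupMember -Group 'Administrators'
    foreach ($m in $members) {
        if ($Approved -notcontains $m.Name) {
            [pscustomobject]@{
                Name   = $m.Name
                Type   = $m.ObjectClass        # User or Group
                Source = $m.PrincipalSource    # Local, ActiveDirectory, AzureAD
            }
        }
    }
}

# UAC must stay on, otherwise an admin account runs fully elevated at all times.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA
if ($uac.EnableLUA -ne 1) {
    Write-Warning "User Account Control (EnableLUA) is disabled on $env:COMPUTERNAME."
}

$findings = Get-UnapprovedLocalAdmins
if ($findings) {
    Write-Warning "Accounts with administrator rights outside the approved list:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No unapproved administrators found on $env:COMPUTERNAME."
}

# Remediation: return a user to a standard account by removing them from the
# Administrators group (their profile and files are untouched). Uncomment to apply.
# Remove-LocalGroupMember -Group 'Administrators' -Member 'CONTOSO\jdoe'
```

Run it from a management host against each workstation (for example through a scheduled task or your endpoint management tool) so that the report feeds the periodic audit the article recommends.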
Since one of the principal causes of data theft or attack is computer users themselves, whether through negligence or malice, it is imperative that companies, no matter their size, grant access to data based on the users’ need to know.
Furthermore, this course of action must be complemented by a strict tightening of access rights on workstations as well as controls on the access of privileged users.
Finally, and above all else, your approach must be shared with your users, and spelled out in your security charter.