Even though information technology security is a daily struggle for SMBs, it is usually underestimated.
However, many simple measures can be taken to avoid losing or corrupting data.
The first principle is to give each user only the access they strictly require, in order to meet the three essential security principles of information systems:
- Confidentiality: information is used only by authorized personnel;
- Integrity: data cannot be modified accidentally or deliberately;
- Availability: the system must operate within the required levels of service.
In practice, however, companies, and SMBs in particular, face recurring problems:
1) Too often, employees and third-party users have access to data they do not need, which goes against the security requirements of the business. The tasks an employee performs should determine what access they have to the company's information system.
2) Most of the people accessing the system are ordinary employees and third-party users; privileged users such as system administrators, however, have broader access to data and a greater ability to cause damage.
3) Sometimes users have administrative rights on their workstation, which lets them install software that has not been verified or approved under the company's security policy; this can itself be a security breach.
To resolve these security problems, it is essential to put in place a structure which will protect your information and your users. Here is how.
1) Set up a security policy
The first step for a company is to put in place a security policy that embodies its security charter.
It is a way of formalizing the "acceptable" use of computer resources.
The security policy specifies precisely what employees are and are not allowed to do on their workstation. It covers topics such as personal email, file downloads, software installation, ownership of information, and which websites may or may not be accessed.
2) Classify data
When discussing data security, it goes without saying that data should be classified, and that this classification must be based on the sensitivity and the criticality of the data.
- Sensitivity refers to the degree of confidentiality of the data and the risk of disclosure. It means specifying whether the data is public, internal, confidential or secret.
- Criticality refers to integrity, that is the risk of alteration, as well as the ease and risk of destruction. Criticality is then rated low, medium or high.
3) Establish control over access to data
This means controlling access to data based on the verified rights of a person or a computer to access one or more data items.
Access control is divided into three elements: authentication, authorization and traceability.
Authentication ensures that the requester's identity is known in Windows Active Directory, and that the identity can be proven by providing a password that only that person should know.
Authorization checks whether the requester is allowed to access the data. An authenticated user is not automatically authorized to access a resource; that authorization must be granted by an administrator.
Traceability collects information on how the data is used (connection duration, the user's IP address, etc.), which lets you audit access to it.
Tracking access to sensitive IT resources in this way helps detect misuse of rights. In the event of an intrusion, the information collected helps determine which actions were taken with malicious intent.
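The traceability element above is what the Windows Security log already records for every logon. The following PowerShell script is an added example, not code from the original article: it builds a logon trace (who, from which address, success or failure) from events 4624 and 4625. It assumes an elevated session on a Windows 10 workstation or domain controller, since reading the Security log requires administrator rights.

```powershell
# Added example (not from the original article): build a logon trace from the
# Windows Security log. Event 4624 = successful logon, 4625 = failed logon.
# Assumption: run in an elevated PowerShell session (reading the Security log
# requires administrator rights).
function Get-LogonTrace {
    param(
        [int]$Hours = 24,
        [int]$MaxEvents = 5000,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4624, 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Look fields up by name in the event XML rather than by positional
            # index, because 4624 and 4625 do not share the same field order.
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data |
                ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Result      = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
                Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType   = $data['LogonType']   # 2 = interactive, 3 = network, 10 = remote desktop
                SourceIP    = $data['IpAddress']
                Workstation = $data['WorkstationName']
            }
        }
}

# Example use: accounts with five or more failed logons in the last 24 hours,
# grouped by account and source address, which is the kind of trace the article
# describes for spotting misuse of rights.
Get-LogonTrace -Hours 24 |
    Where-Object { $_.Result -eq 'Failure' } |
    Group-Object Account, SourceIP |
    Where-Object { $_.Count -ge 5 } |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

The same function, filtered on `Result -eq 'Success'` and `LogonType -eq 10`, lists remote desktop logons per account, which is a useful starting point for the privileged-user audit in the next section.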
4) Control access for privileged users
System administrators have privileged access: their user accounts let them reach servers, directories, applications and sensitive data.
They have named personal accounts, and possibly a number of accounts shared with other administrators that are protected only by a simple password.
Having significant responsibility for information systems can also mean a significant risk for the company, whether by accident or maliciously, as the Edward Snowden case demonstrated.
This is why it is essential to carry out a detailed audit and to set up the controls required to manage identities and access across the different resources and systems.
5) Limit the rights of users on their workstations
Windows 10 offers two types of user account: standard and administrator.
Users with a standard account can perform all ordinary daily tasks and run programs.
However, tasks that alter the system, such as installing software, require an administrator account.
For security reasons, you should limit users to a standard account on their workstations.
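Checking that this limit actually holds means listing who sits in the local Administrators group on each workstation, which also covers the audit step recommended in section 4. The script below is an added example, not code from the original article; it assumes an elevated session on a Windows 10 machine, and the approved-administrator list is constructed for illustration and should be replaced with your own IT groups and break-glass account.

```powershell
# Added example (not from the original article): report who holds administrator
# rights on this workstation so that everyone else can be confirmed as a standard
# user. Assumptions: elevated session; the approved list below is constructed for
# illustration (replace it with your own IT groups and break-glass account).
$ApprovedAdmins = @(
    'CONTOSO\Domain Admins',                  # constructed example group
    'CONTOSO\Workstation Admins',             # constructed example group
    "$env:COMPUTERNAME\LocalAdminBreakGlass"  # constructed local account
)

function Get-UnexpectedLocalAdmins {
    param([string[]]$Approved = $ApprovedAdmins)

    Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Member   = $_.Name            # e.g. CONTOSO\jdoe or PC01\bob
                Type     = $_.ObjectClass     # User or Group
                Source   = $_.PrincipalSource # Local, ActiveDirectory, ...
                Approved = $Approved -contains $_.Name   # case-insensitive match
            }
        } |
        Where-Object { -not $_.Approved }
}

# Every member reported here is a candidate for demotion to a standard account
# (Remove-LocalGroupMember -Group 'Administrators' -Member <name>), once confirmed with IT.
$unexpected = Get-UnexpectedLocalAdmins
if ($unexpected) {
    $unexpected | Format-Table -AutoSize
} else {
    'No unapproved members in the local Administrators group.'
}

# Enabled local accounts other than the built-in Administrator (SID ending -500)
# and Guest (-501) should all be standard users; list them for cross-checking.
Get-LocalUser |
    Where-Object { $_.Enabled -and $_.SID.Value -notmatch '-50[01]$' } |
    Select-Object Name, LastLogon, PasswordLastSet
```

Run on a schedule across the fleet (for example via a login script or remote PowerShell) and collect the output centrally, so that an account silently added to Administrators shows up in the next report.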
Since computer users, whether through negligence or malice, are one of the principal causes of data theft and attacks, it is imperative that companies, small or medium, grant access to data on a need-to-know basis.
This must be complemented by strictly tightening access rights on workstations and by controlling the access of privileged users.
Finally, and above all else, your approach must be shared with your users, and spelled out in your security charter.