Top 3 Things to do at a New Company for Security
As a newly established company, it is highly important that you take your security measures into account from the start. There are many things you should be doing when it comes to security, and I want to talk you through the top 3.
Know what you have — not just the laptops but all hardware, software, and, most importantly, the data. It’s not the price of a new laptop you should be worried about; it’s the cost of recovering from the loss of control of the data on that laptop if it’s stolen, lost, or hacked. Over time, files and data tend to find their way into all corners within, and sometimes outside, your business. People make duplicate copies of files, folders, and databases in new folders or in completely separate storage locations. With the advent of cloud and Software as a Service (SaaS) products (often with free versions available), the places your data can end up are limited only by your workforce’s imagination and the skill of SaaS product marketing teams. Do whatever you can now to establish good data handling, storage, and tracking practices while the company is still early-stage. Define the different levels of sensitive data you handle and how each will be maintained. Establish scheduled, recurring reviews to confirm that expectations are being met.
With internal and external people and systems accessing your systems and data, both from within your network and via the internet, being sure that whoever or whatever is granted access is who they claim to be is more important than ever. Access to your website you might be happy for anyone to have. But access to your source code repository, admin access to your applications, or full edit rights to the finance or HR files should be allowed only after you have positively confirmed that the person attempting to log in really is your VP of Engineering, your finance team, or your HR Director, as they claim. Via LinkedIn, anyone can quickly learn the names of the finance team members at company X. A few guesses, and they can determine the company’s email naming convention. A password is harder to guess but not impossible, and people are often tricked into giving up their passwords through social engineering attacks like email phishing. With those two pieces of information, an email address that, if not publicly available, is easily determined, and a password that can be guessed by a password cracking routine or captured through deception, an unauthorized user can gain access. By implementing Multi-Factor Authentication, which adds at least one more element of identifying information, you make gaining unauthorized access dramatically harder.
Make sure your people are aware of the threats, know how to avoid opening the door to them, and can detect a malicious attempt to compromise the security controls you work so hard to implement. Every employee, consultant, contractor, and partner of your business can be targeted to exploit weaknesses in your security program, so arm them with the knowledge to protect themselves and the company. Rather than emailing a once-a-year 40-page slide deck, mix up the delivery of cyber security tips and knowledge. A mix of short, catchy videos, newsletters, infographics, live briefings, interactive discussions, news bulletin emails, etc., delivered throughout the year will help keep the information engaging and fresh in the minds of your team.
Originally published at https://policyco.io on February 15, 2022.