Steps you can take today to improve your security posture
I’ve long said that security is inversely proportional to convenience. While I still believe that to be true, there are plenty of simple things you can do right now that will help to improve the overall security of your company without sacrificing productivity. Here are a few examples which I frequently share with my clients.
Keep a paper trail
Use an issue tracker and start the habit of filing a ticket for everything — this gives you the ability to look back at any point in time at what needed to be done, why it was done, and by whom.
- Building a new feature? File a ticket and define the security considerations of it.
- Signing up for a new service? File a ticket and list why you chose it and who has access to it.
- Standing up a new server? File a ticket with details and verify that logging is enabled.
Secure your systems
A variety of free and paid services (GitHub, JIRA, AWS, Gmail, etc.) make it incredibly easy to get things done, but they come with the cost of maintaining lots of credentials and increasing your attack surface.
- Enable MFA/2FA on every system to add another layer of protection beyond strong passwords.
- Require a VPN to access your production network, corporate network, or other environments to cut off would-be attackers who may have obtained a compromised password or credential.
- Limit admin access on each system or service to those who need it day-to-day to lower the potential attack surface.
- Use password managers to store and share credentials between employees and teams to promote strong passwords.
- Encrypt data before sharing anything that’s sensitive inside or outside of your org. Email is not a secure communication method!
Secure your devices
Any device which has access to your business should be locked down in case of loss, theft, or attack.
- Install anti-virus/anti-malware software on every company laptop and workstation (yes, including the Macs).
- Encrypt the hard drive of every computer and mobile device to prevent data loss/theft.
- Enable secure remote wipe on systems with admin-level access to remove sensitive material and access if they ever leave your possession.
- Enable automatic backups to prevent data loss and fight off ransomware.
Talk to a pro
This isn’t an exhaustive list and the efficacy of any security measure often depends on how your teams operate. We’d love the opportunity to provide a list that’s custom-tailored to your organization’s size and needs.
We’re here to help — let’s chat!
Eric Higgins started Brindle Consulting to provide organizations with a better approach to building their security programs.
Thanks to my friend Andy Chu for reviewing this post. He’s working on a new Unix shell called Oil.