Is your network secure from the inside out? It might sound like a strange question. But before you respond, consider this:
Of that 60%, 44.5% were carried out by malicious insiders, with the remaining 15.5% happening by way of negligent insiders. Given that 50% of SMBs reported being the target of at least one cyber attack in that same year, the numbers have some telling lessons.
In layman’s terms, this means your SMB has roughly a 1-in-2 chance of being targeted by a cyber attack, and 3 out of 5 such attacks will come from the inside.
Which is a roundabout way of saying you need a network security policy to minimize your exposure. Don’t worry, we know just how to start.
Here are 5 crucial components for a successful network security policy. Even if you’ve already got one, you’ll want to keep reading to make sure all your bases are covered.
Institute the principle of least privilege
The principle of least privilege essentially means that you limit each individual employee’s credential access to the minimum information required to do their job, and no more. If this seems intuitive, consider this:
This is cause for concern, and the statistics indicate that your business is more likely to be affected than not.
Disgruntled employees crop up. Sometimes you let employees go, too. Or they quit in protest of perceived poor treatment. When they go, what they take with them (or flat-out erase) can have massive implications for your company’s future.
By denying employees access to information above their needed access level, you can minimize the potential damage in the event they go rogue. This can have powerful implications for your business should you fall victim to a malicious insider.
Which brings up our next network security policy requirement …
Create protocols for revoking terminated employee credentials
There are far too many examples of this going wrong not to take it seriously. Anytime an employee leaves, you should revoke that employee’s login credentials across your entire network.
You should not underestimate the importance of creating these protocols. They can mean the difference between downtime and business as usual when an employee with key access leaves the company.
Often, businesses have multiple logins to multiple platforms, programs or other resources that contain sensitive information. The first step to revoking access is developing a strategy for tracking the login credentials held by every employee, and even managing those logins with options like single sign-on (SSO).
Clearly outline the exact timeframe for access revocation as well as who will be responsible for carrying out the task as part of your network security policy. While you’re at it, consider options that enable you to track who accesses data, and when.
You also might want to consider requiring non-disclosure agreements from employees to protect yourself legally in the event that a rogue employee does access and share data with unauthorized persons.
Require password protection for all network-accessible devices
This one actually is obvious. That doesn’t mean it isn’t a valid concern that should take priority in your network security policy. In the growing world of BYOD, employees access sensitive data from more devices than ever before. Devices you didn’t choose and can’t control. And it should come as no surprise that devices get lost. A lot.
In the event any device is lost while logged into programs or databases with sensitive data, well … that data now belongs to the finder. Would you bet your network’s security on a stranger’s kindness? Probably not. And that goes for your work devices. Make sure to password protect them, too.
While you’re at it, create protocols that require employees to lock network-accessible devices anytime they step away as part of your network security policy.
Establish password complexity and update protocols
You need complex passwords to protect your network. And a quick look at the worst passwords of 2017, for example, will tell you that users don’t often create strong passwords on their own. And even when they do, they tend to reuse old passwords, essentially defeating the purpose.
A powerful part of your network security policy has to involve protocols for creating complex passwords, as well as configuring your systems to require quarterly password updates. At a minimum, passwords should have a combination of capital and lowercase letters, numbers, and at least one symbol.
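A small policy check that enforces the rules in this section (uppercase, lowercase, digit, symbol, no reuse of old passwords, quarterly rotation), added here as an example and not part of the original article; the PBKDF2 hashing, the five-password history depth and the 90-day reading of “quarterly” are my assumptions.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

ROTATION_DAYS = 90  # assumption: "quarterly update" read as every 90 days
HISTORY_DEPTH = 5   # assumption: remember the user's last five passwords


def _hash(password: str, salt: bytes) -> bytes:
    # Store only salted PBKDF2 hashes of old passwords, never the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def complexity_violations(password: str) -> list[str]:
    """Return the policy rules the candidate password fails (empty list = passes)."""
    checks = {
        "needs an uppercase letter": any(c.isupper() for c in password),
        "needs a lowercase letter": any(c.islower() for c in password),
        "needs a digit": any(c.isdigit() for c in password),
        "needs a symbol": any(c in string.punctuation for c in password),
    }
    return [rule for rule, ok in checks.items() if not ok]


def reused(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any (salt, hash) pair in the user's history."""
    return any(hmac.compare_digest(_hash(password, salt), h) for salt, h in history)


def rotation_due(last_changed: date, today: date) -> bool:
    """True when the password is older than the rotation interval."""
    return today - last_changed >= timedelta(days=ROTATION_DAYS)


def accept_new_password(password: str, history: list[tuple[bytes, bytes]]):
    """Apply the policy; return (problems, updated_history)."""
    problems = complexity_violations(password)
    if reused(password, history):
        problems.append("reuses a previous password")
    if problems:
        return problems, history
    salt = os.urandom(16)
    new_history = ([(salt, _hash(password, salt))] + history)[:HISTORY_DEPTH]
    return [], new_history
```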
Deliver ongoing employee education on spoofing and phishing scams
Spoofing refers to a tactic where hackers forge email headers and sender addresses so that a message appears to come from a trusted source, tricking the end user into mistakenly providing them network access.
Phishing emails and phone calls use a false pretense to trick an end user into granting inadvertent network access to hackers, who then upload malware onto the network through malicious links, attachments, and other tactics.
These kinds of attacks can vary from amateurish to highly sophisticated and anything in between. And hackers are refining their approach all the time.
That’s why your network security policy should require regular employee training and updates on the latest phishing and spoofing schemes, as well as how to spot them. Often, there are language details, design details and general “something doesn’t feel quite right” details employees can learn to pick up on to identify phishing or spoofed emails.
An ounce of prevention is worth a pound of cure, as the saying goes.
Conclusion: a network security policy is crucial
As strong as the above policies are, they’re just the start of what it really takes to protect your network. Hackers and data thieves are professionals. It makes sense to consult your own professionals to secure your network and help create an effective network security policy. In the meantime, starting right away on the strategies above can mean the difference between compromised data and a secure, thriving company network.