Step 1: Device Inventory
In short, you can’t protect what you don’t know you have.
At its most basic, this is a spreadsheet listing all of your organization’s computers, but creating a hardware inventory policy is a good idea as well.
The next step is to only allow authorized computers to connect to your networks - this is where the real payoff begins.
There are a number of ways you can restrict access, but two of the simplest are to admit only known hardware addresses (MAC address filtering) or to require a software certificate on any computer connecting to your network.
Step 2: Software Inventory
As with hardware, you want to make sure that only authorized software runs on your systems.
This is important not only from a security perspective, but also because it helps you honor your software license agreements.
The gold standard for software security is to use a configuration called “application whitelisting.” This technique allows only specified pieces of software to run.
Some users may find it frustrating initially, but it effectively prevents viruses and other malware from launching.
Step 3: Secure Configurations
You likely already own the capability to impose standard secure configurations across all computers in your business—Microsoft’s Active Directory Group Policy.
You can use Group Policy to enforce security settings for all Windows computers in your domain. It’s a great way to ensure consistency and to prevent users from circumventing “inconvenient” settings.
If you don't know how, ask your IT professional!
Step 4: Continuous Vulnerability Assessment and Remediation
I can’t over-emphasize how important it is to keep your computers patched properly.
Most malware gains a toehold in your system by leveraging a software vulnerability - you can read more on the risks of outdated technology here.
As important as this is, it’s also extremely difficult to implement without some expert technical assistance.
Here at Ntiva, we use a proprietary collection of scripts and tools to force patches out to our clients’ computers twice each week.
You can’t complete this step effectively, though, without first completing Steps 1 and 2.
Make sure you know all of the devices you need to manage and all of the software that needs patching!
The advantage of a system like ours is that you know automatically when a device does not patch. Still, you can make do by simply using Group Policy to force every computer to install updates on a regular basis.
If possible, force updates on third-party software as well.
Once you have established a system for pushing patches to all of your systems, you need to verify that the patches have installed properly.
The challenge for a small business is that vulnerability scanning requires specialized software, which can be costly, and interpreting the scan results can be difficult without a technical background.
Talk with your technical team or IT consultant and ask them what scanners they can support.
Even better, look at broad-spectrum security appliances, such as AlienVault’s USM Anywhere. These solutions scan for vulnerabilities and also review your system logs for signs of an attack.
You should scan at least once a quarter—more often and your tech team won’t have time to address the findings; less often and you run the risk of not catching a vulnerability quickly enough to stop an exploit.
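As an added illustration of how Steps 1 and 4 fit together (this is example code, not Ntiva's proprietary tooling), the following PowerShell script builds the device inventory from Active Directory and then asks each reachable machine when it last installed a patch, flagging anything that the update policy did not reach. It assumes the RSAT ActiveDirectory module is installed, that the account running it may query WMI on domain computers, and that the output path and 14-day threshold are placeholders you would adjust.

```powershell
# Added example, not Ntiva's own scripts. Assumes RSAT ActiveDirectory module
# and a domain account permitted to query WMI remotely (Get-HotFix reads
# Win32_QuickFixEngineering on the target). Paths and thresholds are placeholders.
Import-Module ActiveDirectory

$MaxPatchAgeDays = 14                              # placeholder threshold
$OutFile = "C:\Reports\device-inventory.csv"       # placeholder path

# Step 1: every computer the domain knows about, with OS and last logon.
$computers = Get-ADComputer -Filter * -Properties OperatingSystem, LastLogonDate |
    Select-Object Name, DNSHostName, OperatingSystem, LastLogonDate

$report = foreach ($c in $computers) {
    $status = "Unreachable"
    $lastPatch = $null
    if (Test-Connection -ComputerName $c.DNSHostName -Count 1 -Quiet) {
        try {
            # Step 4 verification: newest hotfix install date the machine reports.
            $lastPatch = Get-HotFix -ComputerName $c.DNSHostName -ErrorAction Stop |
                Where-Object { $_.InstalledOn } |
                Sort-Object InstalledOn -Descending |
                Select-Object -First 1 -ExpandProperty InstalledOn
            if ($null -eq $lastPatch) {
                $status = "NoPatchData"
            } elseif (((Get-Date) - $lastPatch).TotalDays -gt $MaxPatchAgeDays) {
                $status = "Stale"
            } else {
                $status = "Current"
            }
        } catch {
            $status = "QueryFailed"   # usually WMI or firewall; follow up, do not ignore
        }
    }
    [PSCustomObject]@{
        Name        = $c.Name
        OS          = $c.OperatingSystem
        LastLogon   = $c.LastLogonDate
        LastPatch   = $lastPatch
        PatchStatus = $status
    }
}

# The CSV is the "spreadsheet" from Step 1; the status column is the Step 4 check.
$report | Sort-Object PatchStatus, Name | Export-Csv -Path $OutFile -NoTypeInformation
# Anything not "Current" is a device the patch policy did not reach.
$report | Where-Object PatchStatus -ne "Current" | Format-Table -AutoSize
```

Devices that show as Unreachable or QueryFailed are as important as the Stale ones: a machine you cannot query is a machine you cannot confirm is patched.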
Step 5: Controlled Use of Administrative Privileges
This one is free and easy to implement, although it may require a cultural shift at your organization.
It is an axiom of IT security that all users should have only the privileges needed for them to do their jobs and no more.
Viruses spread readily in an environment in which users have more access than absolutely necessary.
It may seem convenient to give someone local administrative rights on her computer, but those rights can put your entire organization at risk.
To the CIS First 5, I would add one bonus step: regular security training for all members of your organization.
The vast majority of attacks will reach you via email, so it is important that your users recognize a phishing email when they receive one.
You can teach employees to do this for free via tools like those offered by Duo and Cofense (formerly PhishMe). Most paid phishing/security tools provide educational material as well as the ability to track users’ performance over time, so you might want to consider this.
As people get better at recognizing phishing email, they will fall for fewer of these messages, dramatically reducing your vulnerability to attacks.
Need Additional Help?
If you're concerned you don't have the right cyber security in place, don't hesitate to reach out to us to schedule a complimentary cyber security consultation with one of our IT experts: