Defense in Depth security tips from Ross Phillips
From proprietary formulas to customer data, information is the lifeblood of an organization. Keeping that information secure in an age of ever-evolving cyber-threats can present a challenge. Maintaining multi-layer security, or defense in depth, must become a strategic priority for any organization.
Start with prevention. The majority of cyber-security attacks would never occur if organizations kept current on patches. Add regular security audits and a comprehensive defense in depth strategy that includes physical, technical and administrative controls. Smaller organizations should also take advantage of the security options provided with Office 365.
Patch Management is Key
Patches form a key element of cyber-security, allowing software makers to deliver fixes for known security gaps. Consider the WannaCry attack of 2017. Cyber-criminals exploited a known vulnerability in Microsoft Windows servers, crippling 400,000 computers. Nearly all of the victims had neglected to install a critical Windows 7 patch that addressed the vulnerability.
Create and enforce a reasonable patch policy to ensure that patches for operating systems and anti-virus software are applied without delay. Take a regular inventory of devices connected to the network to ensure that the patch policy addresses all devices and applicable software.
Conduct Regular Security Audits
A security audit assesses the security of an organization’s information system and highlights any vulnerabilities. This includes checking the physical systems, the networks and any exposure to the internet. It also includes an examination of data policies and procedures.
For example, one aspect of a security audit may include website penetration testing to attempt to locate and exploit weaknesses in the organization’s website. Another aspect may involve reviewing onboarding and offboarding procedures to ensure that employees are given appropriate access.
Guard the Castle with Defense in Depth
The term “defense in depth” actually began as a military term and is commonly known as a “castle approach.” Consider the many layers of defense employed to protect a medieval castle, from the moat and drawbridge to the outer wall, turrets and towers.
Likewise, effective defense of an organization’s information assets involves multiple layers. These layers include:
- Physical Controls – Preventing physical access to computer equipment.
- Administrative Controls – Including well-defined policies and procedures for passwords, handling of sensitive personal and business data, and data access.
- Technical Controls – Firewalls, automated threat detection and prevention, anti-virus, domain name system (DNS) security, multi-factor authentication and more.
Another key aspect of a comprehensive defense in depth strategy includes end user training. Users should be taught to recognize social engineering techniques and to understand the value of personal identifying information. In addition, they should understand proper use of email and know the organization’s policies for handling of data. Training should be repeated at least annually.
Microsoft Built-in Features
Particularly for smaller organizations, Microsoft Office 365 built-in security features cover some key aspects of cyber-security. For instance, Office 365 offers three levels of email encryption. In addition, Microsoft has fully integrated the Windows Defender security suite into Windows 10, providing real-time protection against a variety of threats.
Leverage Security Expertise
The experts at Messaging Architects bring decades of experience in data management to the table. They can help your organization create an effective defense in depth strategy that includes patch management, comprehensive security audits and a full menu of security services. Take control of your cyber-security to safeguard critical information assets.
Ross Phillips began working with Messaging Architects (then NetMail) eleven years ago. Currently a solutions architect and implementation consultant, Phillips manages email migrations for companies of all sizes and across multiple industries. He is also passionate about security and recently completed his Certified Information Systems Security Professional (CISSP) certification.