From the first moment of competition, we have had a need to know at least as much about our competitors as ourselves. Information has always had value. Information has helped smaller, weaker competitors prevail, as in the tale of David and Goliath. Shortly after recognizing the value of information, the need to keep one’s own knowledge and information private – secure and safe from unfriendly eyes – became an equal priority. Through all kinds of conquest, from military to sports to business, more and better information – the quicker, the better – is the difference between winning and losing battles, games, and fortunes.
As information evolved from pictures and symbols to words and numbers, from oral to written, and its transmission from courier to mail to electronic means, the need for accuracy, timeliness, safety, and security has always been there. With the increasing complexity of information transmission, however, it has become increasingly more difficult to ensure data accuracy, timeliness, safety, and security. Look at the proliferation and near-ubiquity of inexpensive, portable devices and the perceived need to remain “always connected”. Sometimes, we seem eager to reap the rewards without being cognizant of the risks.
Information security is an inconvenience to many of us, even when the organization makes it the top priority. Security takes time, adds complexity – in short, it’s a chore. Until something fatal happens to our data or those of our clients, we don’t concern ourselves with conventional wisdom or common sense, let alone follow best security practices.
What are best practices? Well, I did a tiny bit of research one afternoon and, from a half-dozen or so sources, this is what I came up with. Note that this is not an exhaustive list of security best practices but a list of common recommendations:
- Implement stronger password protection. This is defined in several ways but most sources concur that short, simple passwords invite trouble, as does using the same password for every app and website.
- Use multi-factor authentication. This is becoming more common but far too many websites (social media sites, for instance) haven’t caught up.
- Protect your valuable data with a multifaceted approach (anti-malware software, firewall, policy, behavior, etc.).
- Keep your applications, operating systems, protective software, firewalls, etc., up to date.
- Be careful where you store sensitive information, from financial data to customer data to passwords.
- Avoid, or at least be wary of, unsolicited emails or social media messages.
- Have and promote a healthy suspicion of new or unfamiliar websites. Don’t get lulled into a false sense of security even with the sites you know and use commonly.
- Implement an information disaster response and recovery plan (e.g., backing up data) and conduct response-and-recovery drills periodically.
To these eight keys to surviving cyber threats, add one that’s hardly mentioned in the literature, if at all. Have a third-party auditor regularly perform a careful, thorough, and detailed information security audit of your organization. IT audits not only help you evaluate your organization’s performance with respect to security objectives – they help you identify and act on opportunities for improvement.
Even if you aren’t concerned about complying with standards or regulations, you should know that IT auditing is a sound business practice and a valuable part of any multifaceted approach to IT security. It pays to anticipate trouble, be vigilant, and stay protected.
- “Six Steps to Keeping Your Data Safe”, Geek Squad, no date – http://www.geeksquad.com/do-it-yourself/tech-tip/six-steps-to-keeping-your-data-safe.aspx
- “Five Steps for Keeping Data Safe and Secure”, SmallBusinessComputing.com, 27 Feb 2009 – http://www.smallbusinesscomputing.com/article.php/3807596/Five-Steps-for-Keeping-Data-Safe-and-Secure.htm
- “5 Tips to Keep Your Data Secure on the Cloud”, CIO Magazine, 16 Dec 2013 – http://www.cio.com/article/2380182/cloud-security/5-tips-to-keep-your-data-secure-on-the-cloud.html
- “10 Ways to Keep Your Phone Safe”, U.S. News and World Report, Personal Finance, 13 Jan 2015 – http://money.usnews.com/money/personal-finance/articles/2015/01/13/10-ways-to-keep-your-phone-safe
- “Data Security”, Federal Trade Commission, no date – http://www.ftc.gov/tips-advice/business-center/privacy-and-security/data-security
- “ID Theft, Fraud, and Victims of Cybercrime”, StaySafeOnline.org, NCSA, no date – https://www.staysafeonline.org/stay-safe-online/protect-your-personal-information/id-theft-and-fraud
Depending on the number and degree of risks you face, as well as the size and complexity of your IT operations, you probably ought to have an IT audit conducted yearly, at a minimum. Consider auditing any time you reasonably suspect a problem.