9 tips on how to build a secure organization

In the age of digitization and informatization, there are unusual possibilities of automation and increasing efficiency of processes, which facilitate manufacturing of products or the service providing. However, these advantages also carry the risk of their misuse or compromise. Every organization must have the cybersecurity among its priorities, through which the organization is protected, allowing not only to carry out manufacturing activities or service providing, but also their improvement and development.  

The National Cyber Security Centre SK-CERT, therefore, gives you 9 basic tips on how to build a secure organization.

1. Application of security policy

Security rules must be not only documented, but also correctly applied and controlled. Many organizations have very good security policies, but their application and control are miserable. It is therefore necessary not only to have the rules written, but also to apply and control them in everyday work. Management’s commitment that the cybersecurity is a priority for the organization will be sufficiently fulfilled if security policies are properly applied.

2. Regular risk analysis

Identifying threats and vulnerabilities that affect our organization leads to the identification and assessment of risks that may harm the organization. This process is very important because it allows us to identify our priorities in the field of security and allocate investments where they are most needed. A risk analysis is a continuous, never-ending process. It needs to be carried out on a regular basis according to current threats and vulnerabilities.

3. Technological security

Various devices designed to protect your network or other devices will undoubtedly help to better secure your organization. These are mainly hardware components on the “perimeter” of the organization such as firewalls, IDS and IPS systems and so on. But security does not end at the technical level. Each device, starting from the firewall through the accounting server up to the end workstations, must be properly configured; your organization’s network should be segmented according to for example departments or activities performed; internal systems should not be visible from the Internet; each device should be regularly updated; employees working from home should use a VPN connection… there are too many technical measures and your organization should apply mainly the ones it really needs. However, how to find out which are really needed? For example, from the above risk analysis.  

4. Monitoring

Something is constantly happening in your network. Most network traffic is legitimate, but due to anomalies or violations of the rules set on the devices, we can detect a security incident in time, or prevent it by early intervention. All we need to do is to see the real-time information from the network traffic and evaluate it. Monitoring of your network as well as devices therein is an important step towards a secure organization.

5. Good access policy

Your organization’s systems and services are used by either your employees or external customers. Of course, not every user can access every system with the highest privileges. Therefore, it is essential that you apply correct access policies in your organization. This means that accesses and privileges in the systems must be configured individually for each user. Of course, it is necessary to require a strong password from the user, preferably a different one to each system, and also to apply multi-factor authentication where possible. Naturally, access rights to a user who does not work in your organization anymore or is no longer your customer are immediately revoked. Systems such as Radius, LDAP or Active Directory can help with better access management.

6. Third party security

Your suppliers are a key element for you, as the provision of your products or services may depend on them. However, they also can be a weak point through which an attacker can access your data. Therefore, it is important to pay attention to the security of the supplier too; and not only when choosing them, but also during signing contracts and subsequent relations.

7. Employees’ training

Your employees are your greatest assets – but also your vulnerability. Therefore, it is essential that you reduce the risk that may compromise your organization. The simplest but most effective way is a continuous training in the field of cybersecurity. Ensuring an initial training on cybersecurity and organisation’s security rules should be a matter of course, as all companies provide, for example, a safety at work training. Make regular cybersecurity trainings a repeatable standard. We strongly recommend organizing thematic trainings in response to current threats, such as phishing or ransomware. However, this is not the end of training. It is important that experts from IT and security services always have enough relevant information. Send them to trainings, conferences or workshops so that they can apply modern and best practices in your organization.

8. Communication with the external environment

Cyber​​security is mainly about communication and information sharing. Without the exchange of experience as well as data on threats, vulnerabilities and incidents, no cybersecurity entity can function. Therefore, communicate with the external environment, especially with professional associations, and also with your business partners as well as with the national cybersecurity authority. The more information you learn, the better you can protect your organization.

9. Continuous improvement

The topic of cybersecurity does not end with the first application of rules and the deployment of appropriate technology. Threats and vulnerabilities are constantly evolving and attackers are looking for new ways to infiltrate your organization. However, we have good news for you – protection and security methods are constantly improving too, but your own improvement is also necessary. Follow the news, support your employees in new security ideas and invest. Security may not be profitable, but it is a way to protect and increase the profit.

« Späť na zoznam