Many businesses may need good security guidelines in the digital age. Good routines and practices are often deprioritized in a busy work environment. Unfortunately, the costs if an accident were to occur can be greater than the time it would take to review this internally in advance. Here are some good tips.
Internal IT Security in Business
Deploi manages digital infrastructures for several Norwegian businesses, including internal IT systems, websites, and online stores. We often advise these businesses on security. In this article, we will discuss how businesses should handle security internally.
Employees Taking Security Seriously
Those working in a business must prioritize security. Employees who do not take security seriously will always be one of the biggest security threats.
Best Practices
There are several good practices that most in the industry agree on:
- Do not click on links in emails or text messages. You should always be able to find a service from a provider through their website.
- So-called "phishing" involves pretending to be a customer or employee. It is important to be careful to verify that those you are in contact with, especially by phone or email, are the ones who should have the access or information they are asking for.
- Familiarize yourself with how internal systems "look" and behave normally. This makes it easier to identify abnormal behavior. If something is out of the ordinary, it should always be investigated.
Security in Transferring Sensitive Information
Sometimes you need to transfer sensitive information, such as passwords, encryption keys, private keys, or personal data. Always transfer this encrypted, and communicate passwords through another channel. For example, if you send encrypted data by email, send passwords by SMS or arrange a password at a physical meeting.
Communication channels such as email, SMS, and phone are not encrypted. This means that someone in between could listen to the information. Emails and SMS messages are often stored in the inbox after they are read.
Strong Passwords and Login Keys
Even if all software is up to date, an uninvited guest can still gain access to IT systems by guessing or obtaining passwords and login keys. It is important to have good and strong passwords and login keys. These should be stored securely. They should be stored encrypted or physically inaccessible to unauthorized personnel.
Correct Access
It is important that only those who really need access to something have it. This applies to employees, external parties, and former employees. Keep a register of who should have which access and check these regularly against changes in employees and external parties. Delete or restrict access when a person no longer needs it.
It is also important that the software only has the access it needs. This uses the buzzword "zero-trust." Just like for people, a register should be kept of what access software has, and these should be checked regularly against what is still necessary.