• Chris Docherty

Information Security Best Practices

Information security (InfoSec) is the confidentiality, integrity, and availability of the data and information within your business. It's about protecting that information, so people who should have access do, but those who shouldn't, do not.


InfoSec is the ability to respond to threats on your information and of course, it's related to assets and people within your organisation. In this video, I am going to discuss the best practices for information security.



Firewalls

One of the first lines of defense associated to cyber-attacks is having a firewall in place, which will minimise the opportunity for a threat to occur.


It's important to recognise that some organisations are starting to use internal firewalls, so that they have additional barriers related to sensitive information.



Policies and Rules

It's also important that you have policies and rules within your business. While small businesses can often operate through word-of-mouth, that’s based on the knowledge that they have built over many years.


If it's a small number of people, the sharing of information can be quite simple. However, when it comes to cyber attacks and the protection of your data and information, it is really important that you have documented policies and rules - not just something that's word-of-mouth.


When you do this, you need to ensure that the people within your organisation sign-up to follow these rules and policies. When you hear about additional threats, you must update these policies and rules and ensure they are communicated to all people within your workplace.



Mobile Devices Risks

More and more companies are allowing people within their organisation to access information within their systems using their own devices, such as mobiles, tablets and smartphones. In this situation, you must ensure that there is proper practices, rules, and policies in place and that the employees have essential installation of security software in their devices.


You must ensure that they follow the same principles of accessing data on company systems, through the correct protocol - not recording information and saving information directly on their own devices. Likewise, you must try and enforce regular updates to the security software that they're using on their own devices. Try to ensure that they automate this, so that when new updates come, these are implemented as soon as possible.



Awareness and Communication

Within small to medium sized business, it's quite common for people to have multiple hats that they wear, and these hats have different responsibilities. Therefore, it's essential that employees who have access to networks in different areas understand the security rules.


This may form part of the induction process when someone joins the business. They should be aware of what they need to do if there is a potential situation, whether they are :

  • In the office

  • On a site environment

  • Working from home

It's really important that awareness and communication continues within an organisation and it's not something you do once, when someone joins the business. Cyber crime is growing rapidly and the threats are increasing all the time. Therefore, your means of protecting information must be enhanced.



Backup Data

While it's important that you try to prevent an attack, it's also important to recognise that attacks will happen. It may not be today or tomorrow, but ultimately most organisations will have some form of attack on them at some stage.


There are a multitude of different methods of how you can back up your data to localized cloud-based solutions. But you do not want to just rely on that backup data being 100% accurate, you want to check it periodically to ensure that the backup information is available when you need it. When this situation happens, you want to try and obtain the information you need as quickly as possible, so that you can try bring about some level of business continuity.




Multi-factor identification / Authentication

When humans are involved in business processes, regardless of how good policies and rules are, sometimes mistakes will happen - human error. To try and take away the human element of this, having something like multi-factor authentication, or identification is a good practice that will provide a strengthened barrier. As cyber criminals get more advanced, you want to try and adopt advanced technology that will help drive barriers of protection against these crimes.



Reporting Incidents

Small businesses can particularly be hit hard from incidents, such as:

  • Phishing scams

  • Ransomware attacks

  • Interrogations of data

To minimise the consequences of this, try to educate the people within your business to report incidents. Even if it is a mistake they made, it is better for this to be reported. Ensure this is communicated quickly so that containment action can be introduced, to try and protect others within the business and other data within the business.


It may also be good practice to share this information outside of the business so that you can help on the global message of what you're trying to do around protecting your data and information. It could have a benefit on the global trends that are related to attacks.



Response Plan

You don't want to wait until the attack has occurred, and then think about the activities and response you will have. If you have ever been in a business where this has occurred, then you will find that responding can be a very time consuming and expensive practice.


Therefore, one of the really good measures is to put in place is a response plan. This is to look at how you will respond when there is an attack or a serious incident and the methods that you will follow to try and get back to business as normal as quickly as possible.


Of course, you will also be able to put in additional protections and barriers. This might mean that your response plan has to bring in external support to assist you with putting these practices in place. But realistically, what you want to do as an organisation is not to have an impact in normal business practices.



Takeaways:

  1. Identify your critical information

  2. Identify your critical assets

  3. Identify potential threats / impacts

  4. Identify the controls you have and need

  5. Ensure everyone is responsible

  6. Have a plan to respond

  7. Keep on top of global threat


Check out other information security content here.

FQM Ltd Aberdeen: 

+44 1224 628 260

FQM Ltd Glasgow: 

+44 141 212 2112

Registered Address: 

FQM Ltd, The Barn, Townfoot Farm, Glasgow, G71 7RR.

FQM Ltd Perth: 

+44 141 212 2112

IMPORTANT LINKS