Information security is defined in the Glossary of the US body NIST – National Institute of Standards and Technology – as “The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability”. Information security can be thought of as being implemented through three distinct layers.
- Preventive security: behaviors are adopted and devices are used in order to mitigate risks to one’s systems and data.
- Predictive security: cyber threats are anticipated through proactive analysis of data available from internal and external sources, and through risk analysis that identifies vulnerabilities, so as to shorten the time needed to detect and respond to attacks.
- Reactive security: on the assumption that sooner or later a security incident will occur, containment and recovery measures are prepared in advance so that, when needed, they can be applied quickly, limiting both the damage and its duration.
Companies that operate exclusively in the cloud, relying on a provider of proven reliability, certainly carry a lighter burden for data and system security. They cannot, however, avoid implementing some fundamental preventive precautions, which are briefly listed here. These are distinct from the more complex predictive and reactive security measures, which must be set up with the help of experienced individuals and/or specialist platforms, and all the more so the more indispensable the integrity and confidentiality of one’s data are, as well as their availability over time.
The adoption of technical and organizational measures for information security also answers one of the requirements of the GDPR (EU Regulation 2016/679 on the protection of personal data).
- general precautions
  - “clean desk”: do not leave confidential documents exposed
  - guard your passwords carefully (a “password manager” from a platform of proven reliability may be used)
  - use passwords of at least 8 characters, containing uppercase and lowercase letters and punctuation marks
  - renew passwords at least every 6 months (Note: minimum password requirements and expiration may be imposed by the system administrator)
  - do not enter your personal data on the PC/device or in the company account
  - use credentials strengthened by MFA (Multi-Factor Authentication) for all access
  - do not use non-company channels for company communications or for storing company data
  - be aware that the most frequent cyber attacks involving data and system breaches follow “phishing” (obtaining credentials and/or personal data by imitating trustworthy and familiar content in messages that appear to come from known and reliable senders)
  - do not continue browsing websites that the antivirus classifies as “suspicious”
  - protect the company network with an up-to-date firewall; do not grant visitors access other than to the Internet
  - educate new hires on information security and personal data protection
  - upon termination of an employment relationship, arrange for the recovery of the devices and the closure of the assigned accounts
- precautions relating to your PC or other electronic device
  - use generic administrative users, such as “root” (Unix), “Administrator” (Windows) or “admin”, only for specific situations
  - use a screen saver with screen lock that activates after at most 10 minutes of inactivity
  - ensure timely updating of the OS, the antivirus and the applications in use
  - apply the same protections used on the PC to smartphones and tablets, bearing in mind that the use of social media, messaging and downloaded apps carries even higher risks
  - use a PIN, biometric authentication or a pattern lock on smartphones and tablets to unlock the screen
  - do not download applications not authorized by the company onto the device, for reasons of both copyright and IT security
  - before handing over an electronic device to a third party (e.g. for maintenance), remove or encrypt confidential data
  - do not leave mass storage media containing unencrypted confidential data unattended
  - protect your devices from theft and damage
  - when disposing of devices and data storage media, carry out “secure deletion” of their contents or physically destroy them
  - grant third parties remote access to your PC for support only for the time needed for the intervention (using expiring passcodes)
- precautions relating to company accounts
  - be aware that a breach of your company account could compromise the company’s activities
  - limit account permissions to the operations relevant to the company role of the person to whom they are assigned (principle of “least privilege”)
  - use only individual accounts (any shared accounts should have limited permissions and be under the control of the system administrator)
  - use 2FA (“two-factor authentication”) wherever possible on each system, to prevent unauthorized access if a password is compromised
  - when using third-party PCs, access your account from an “incognito browsing” window, so that you are signed out when you exit the browser
  - keep an up-to-date list of all assigned company accounts and remove those no longer intended for use
  - do not use your company email to transmit or receive sensitive personal information
  - when sending confidential documents by email, activate “confidential mode”, which allows you to set an expiry date and a passcode (via SMS)
  - ensure that information about operations carried out on company accounts is traceable through a log file, and that these logs are accessible only to designated personnel.
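The password rules in the general precautions (minimum length, character classes, renewal at least every 6 months) can be enforced mechanically rather than left to memory. The following Python is an added example written for this page, not code from Wondersys or from any product it describes; it assumes that the 6-month renewal period is approximated as 182 days and that the account roster is a plain mapping of account name to the ISO date of the last password change (the roster below is constructed).

```python
import string
from datetime import date, timedelta

# Policy parameters as stated in the checklist: at least 8 characters, with
# uppercase and lowercase letters and punctuation marks, renewed at least
# every 6 months.
MIN_LENGTH = 8
# Assumption: "6 months" is approximated as 182 days so the age check needs
# only plain date arithmetic.
MAX_PASSWORD_AGE = timedelta(days=182)


def check_password_policy(password: str) -> list[str]:
    """Return the list of rules the password violates; an empty list means it complies."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if not any(c in string.punctuation for c in password):
        violations.append("no punctuation mark")
    return violations


def password_expired(last_changed: date, today: date) -> bool:
    """True when the password is older than the maximum age and must be renewed."""
    return today - last_changed > MAX_PASSWORD_AGE


def accounts_needing_renewal(accounts: dict[str, str], today: str) -> list[str]:
    """Given a mapping of account name -> ISO date of the last password change
    (e.g. exported from a directory as CSV), return the accounts whose
    password is past its renewal deadline, sorted by name."""
    today_d = date.fromisoformat(today)
    return sorted(
        name
        for name, changed in accounts.items()
        if password_expired(date.fromisoformat(changed), today_d)
    )


if __name__ == "__main__":
    # Constructed sample roster, not real accounts.
    roster = {"alice": "2024-01-15", "bob": "2024-07-01", "carol": "2023-12-31"}
    for pw in ("Tr0ub4dor&3", "password!", "Ab!"):
        print(repr(pw), "->", check_password_policy(pw) or "compliant")
    print("renewal due:", accounts_needing_renewal(roster, "2024-09-01"))
```

The checker returns every violated rule rather than stopping at the first, so the feedback shown to a user (or written to a compliance report) is complete. One caveat for anyone tuning these parameters: NIST SP 800-63B advises verifiers not to impose composition rules or periodic rotation unless there is evidence of compromise, so the values above implement the checklist as written rather than current NIST guidance.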
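The item on remote access for support recommends granting it only for the duration of the intervention, using expiring passcodes. The following Python registry is an added example, not the page's or Wondersys's code; it shows one way to issue single-use, time-limited passcodes and to check them. The ticket identifiers, the 8-digit format and the 30-minute lifetime are assumptions, and times are passed in as Unix timestamps so that the behaviour can be reproduced without a real clock.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Assumption: a support passcode is valid for 30 minutes unless revoked earlier.
PASSCODE_TTL_SECONDS = 30 * 60


def _digest(code: str) -> bytes:
    # Only a hash of the passcode is stored, so a leaked registry does not reveal live codes.
    return hashlib.sha256(code.encode("utf-8")).digest()


@dataclass
class SupportPasscode:
    ticket_id: str
    code_hash: bytes
    expires_at: float  # Unix timestamp
    used: bool = False


class PasscodeRegistry:
    """Issues single-use, time-limited passcodes for remote support sessions."""

    def __init__(self) -> None:
        self._codes: dict[str, SupportPasscode] = {}

    def issue(self, ticket_id: str, now: Optional[float] = None,
              ttl: int = PASSCODE_TTL_SECONDS) -> str:
        """Create a fresh 8-digit passcode for a support ticket and return it,
        to be handed to the technician out of band. Re-issuing replaces any
        earlier code for the same ticket."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**8):08d}"  # CSPRNG, not random.randint
        self._codes[ticket_id] = SupportPasscode(ticket_id, _digest(code), now + ttl)
        return code

    def verify(self, ticket_id: str, code: str, now: Optional[float] = None) -> tuple[bool, str]:
        """Check a presented passcode; a successful check consumes it."""
        now = time.time() if now is None else now
        entry = self._codes.get(ticket_id)
        if entry is None:
            return False, "unknown ticket"
        if entry.used:
            return False, "already used"
        if now >= entry.expires_at:
            return False, "expired"
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(_digest(code), entry.code_hash):
            return False, "wrong code"
        entry.used = True
        return True, "ok"

    def revoke(self, ticket_id: str) -> bool:
        """Invalidate a passcode early, e.g. when the intervention ends ahead of time."""
        return self._codes.pop(ticket_id, None) is not None

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Drop expired entries and return how many were removed."""
        now = time.time() if now is None else now
        stale = [t for t, e in self._codes.items() if now >= e.expires_at]
        for t in stale:
            del self._codes[t]
        return len(stale)


if __name__ == "__main__":
    registry = PasscodeRegistry()
    t0 = 1_700_000_000.0                       # constructed start time
    code = registry.issue("TKT-0001", t0)      # constructed ticket id
    print("issued", code)
    print(registry.verify("TKT-0001", code, t0 + 600))   # (True, 'ok')
    print(registry.verify("TKT-0001", code, t0 + 660))   # (False, 'already used')
    print(registry.verify("TKT-0001", code, t0 + 1800))  # (False, 'already used')
```

Expiry is checked before the code is compared and a correct code is consumed on first use, so a passcode that was written down during the intervention cannot be replayed afterwards; `revoke` covers the case where the session ends early, and `purge_expired` keeps the registry from growing.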
Once these precautions have been put into practice, companies and their collaborators gain awareness in managing this delicate matter. Wondersys, as a Cloud reseller and system integrator, can help you set up, organize and document reactive and proactive security measures. Each piece of this scheme contributes to building a security framework aimed at preventing fraud and cyber attacks.