5. Minding your mobile devices
Smartphones and tablets have a growing presence in the enterprise, and malware comes with them. The leading mobile platforms, Google's Android and Apple's iOS, have had their share of security issues, and we can only expect that to continue. System and network administrators have nowhere near the management capabilities or security controls on these devices that they have on traditional desktop operating systems. Users also fall prey to malicious downloads, phishing and social engineering more easily on a mobile device, which lacks the protections of a desktop operating system's security controls and hardened browser.
Apple could do much more than assert that its software is secure and claim that it needs no anti-malware. Google, too, could offer more insight into what it allows into its much less walled marketplace. Truth be told, both companies need to improve on the security front. For now, third-party device-management suites for Android and iOS provide greater manageability and increased security.
6. Good password policies or two-factor authentication
Cracking passwords isn't rocket science; the tools and knowledge exist and are freely available. As a result, your passwords and the policies behind them should be strong enough to stymie attackers. Whenever possible, your password policies should enforce length and complexity requirements, with length doing most of the work, and handle password age with care: forced periodic expiration tends to produce predictable increments ("Summer2023" becomes "Summer2024"), which is why current NIST SP 800-63B guidance recommends changing passwords on evidence of compromise rather than on a fixed schedule. Whatever age rule you keep, pair it with a check that rejects dictionary-derived and known-breached passwords. This is as true for your corporate Web presence as it is for your network or VPN.
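To make the point concrete, here is an added example (not code from the original article) in Python. It runs a small offline dictionary attack with a handful of mangling rules of the kind cracking tools ship with, then reuses the attacker's own candidate generator inside a policy check. The wordlist, the suffix tables and the "leaked" hash list are constructed for the example; the minimum length of 12 and the three-of-four character-class rule are assumed policy values, not anything the article prescribes.

```python
"""Why a password policy must reject more than "too short" or "not complex enough":
a dictionary attack with common mangling rules recovers policy-compliant passwords
such as "Welcome2024!" instantly, so the policy check reuses the same generator.
Wordlist, suffixes and hashes below are constructed for this example."""
import hashlib
import re

MIN_LENGTH = 12   # assumed policy value
MIN_CLASSES = 3   # assumed policy value: of lowercase, uppercase, digit, other

# Constructed stand-in for a cracking dictionary (a real one has millions of entries).
WORDLIST = ["password", "welcome", "summer", "company", "letmein", "qwerty"]

# Mangling rules modelled on common cracker rule sets: case variants,
# a trailing digit run, a trailing symbol.
DIGIT_SUFFIXES = ("", "1", "12", "123", "2023", "2024")
SYMBOL_SUFFIXES = ("", "!", "@", "#", "$")


def mangle(word):
    """Yield every candidate the rules derive from one dictionary word."""
    for base in (word, word.capitalize(), word.upper()):
        for digits in DIGIT_SUFFIXES:
            for symbol in SYMBOL_SUFFIXES:
                yield base + digits + symbol


def sha1_hex(text):
    # Fast, unsalted hash: the defender's worst case, used here only so the
    # attack is visible. Real systems should store passwords with a slow, salted KDF.
    return hashlib.sha1(text.encode()).hexdigest()


def crack(hashes, wordlist=WORDLIST):
    """Offline dictionary attack: return {hash: recovered plaintext}."""
    targets = set(hashes)
    recovered = {}
    for word in wordlist:
        for candidate in mangle(word):
            digest = sha1_hex(candidate)
            if digest in targets:
                recovered[digest] = candidate
    return recovered


def complexity_ok(password):
    """Length plus at least MIN_CLASSES of the four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    present = sum(1 for pattern in classes if re.search(pattern, password))
    return len(password) >= MIN_LENGTH and present >= MIN_CLASSES


def check_password(password, wordlist=WORDLIST):
    """Policy decision as (accepted, reason). Rejects anything the attack above
    would recover, even when it satisfies the complexity rule."""
    if not complexity_ok(password):
        return False, "fails length/complexity requirements"
    if any(password == candidate for word in wordlist for candidate in mangle(word)):
        return False, "derived from a dictionary word with common mangling"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed "leaked" hash list: two complexity-looking passwords and one passphrase.
    leaked = [sha1_hex(p) for p in ("Welcome2024!", "Summer123#", "correct horse battery staple 42")]
    for digest, plain in crack(leaked).items():
        print(f"cracked {digest[:12]}... -> {plain}")
    for pw in ("Welcome2024!", "short1!", "correct horse battery staple 42"):
        print(pw, check_password(pw))
```

Running it shows the two mangled dictionary words fall out of the hash list immediately while the passphrase survives, and that `check_password` rejects "Welcome2024!" despite its mixed case, digits and symbol. The same idea scales to production by swapping the toy wordlist for a real dictionary or a breached-password lookup.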
Two-factor authentication is often a good choice, but it can be prohibitively complex and costly. For those using traditional passwords, augmenting the browser with a password manager can help stop users from plastering their cubicles with sticky notes displaying sensitive passwords. Sad to say, I still see this happen all the time. For those managing these password nightmares, there are many password managers available, some native to the browsers themselves and others made by third parties. These include:
- and the open-source KeePass.
No matter where you use passwords, strong policies are always a smart idea.
7. Frequent, required user security training
While many organizations have embraced end user security training, it is far from universal. Yet users play a strong role in information security: well-trained users create safer, more secure environments. End user security training should happen with some frequency, because the threats never stop evolving. At the very least, yearly training should revisit the basics and update end users' skills in responding to current threats. A security-aware workforce can be a huge asset in the fight against today's multifarious threats.
8. Proper policy and procedures
Proper computer security policy will help users understand how they should and shouldn't use information resources.
Users should have to read, agree to and sign security policies. Procedures should be in place so users acknowledge their role in ensuring enterprise security. Policies and procedures should be reviewed during user training so users are aware of and properly engage them.
Wrapping these policies and procedures around regular end user training can create a user base that understands these security risks and how to properly respond to them.