The British Secret Service isn’t quite so secret any more.
Recently, the Queen opened a new National Cyber Security Center in London, run by the Government Communications Headquarters (GCHQ).
Against the backdrop of international allegations of cyber-hacking and cyber-meddling in recent elections, the new center will oversee British efforts to prevent hackers from disrupting the national infrastructure, from hospitals to the electricity grid.
The GCHQ also gives businesses security advice ranging from tips on password policies to ways to ensure mobile workers don’t compromise security while on the move. Here are (double-“O”) seven lessons businesses on both sides of the Atlantic can learn from Her Majesty’s Secret Service:
1. “Least privilege” protocol
Ensure that employees have only the system access they need to do their jobs — don’t open up access to sensitive systems for employees at all grades.
2. Control removable media
An external device plugged into a network is a main route for malware to disrupt systems. Limit the use of external devices like USB memory sticks, particularly those brought in from home by employees.
3. Secure the doors
Ensure that old systems, network devices and sites are removed and decommissioned. Don’t allow hackers to access your network through a forgotten entry point.
4. Start-to-finish process
Have a clear process in place for deciding what network privileges and devices new employees can use, what happens when they change roles, and what happens when they leave. Revoke access and recover company devices and data as soon as workers depart. Note that this can be complex if they’ve used personal devices in the workplace.
5. Define “tolerable risk.”
What risk is your organization willing to take to get the job done? Can you allow your staff to use their own devices or take data files and documents home? It might help productivity, but you need to understand all the risks involved: devices getting lost, stolen, hacked or contaminated with malware.
If your staff doesn’t know the risks and legal requirements around data security, you’re inviting vulnerabilities. Explain the issues and train best practices.
7. Observe and report.
Encourage staff to be vigilant and report suspicious activity such as suspicious emails or unexpected changes to the systems they use.
The truth is that much of the threat around data security starts inside a business rather than outside, with malicious, accidental or ill-considered actions by employees allowing confidential information to be compromised.
The best defense is deploying data loss prevention (DLP) technology, which prevents unauthorized saving, copying, printing or emailing of sensitive files, to prevent accidental or criminal actions by insiders.
So, how does your organization stack up against these seven simple tips? Do you follow the basic advice of Her Majesty’s Secret Service?