Twelve essential precautions to take for IT security
- Secure physical access to your premises
The first rule of vigilance is to secure your premises, especially sensitive areas such as server rooms. Set up access authorisations, door codes, name badges, and so on, and keep a record of who may enter those areas.
- Formalise a security policy for your information system
Before launching any project connected to the information system, assess its impact on IT security. Set out the rules for computer security in a written document accessible to all employees, and update it as your information system changes. List in this document the vulnerabilities of, and the potential threats to, your IT operations.
- Back up your data
Your computer data is your information asset … back it up!
- Anticipate risks
To allow you to restart your business as soon as possible after an incident, write a recovery procedure which explains how your servers are set up and how to bring them back. Backed-up data must be stored on dedicated servers, which are regularly backed up in turn, and at least one copy must be kept offline or otherwise out of reach of a compromised production network, so that malware cannot damage the backup along with the original. It is also imperative that you store your backup media in separate and highly protected premises. When you replace equipment, obsolete computers must have their hard drives removed and securely wiped or physically destroyed: a quick format does not remove the data and is easy to undo. Likewise, securely erase (not just format) removable storage devices before repair, recycling or handing them to another user.
- Secure desktop computers and laptops
To prevent fraudulent use, configure each employee's computer to lock automatically after a short period of inactivity and whenever the user steps away. If a computer holds critical data, also install a control system for its USB ports, so that data cannot be copied to unauthorised removable media and malware cannot be introduced from them.
- Establish a process to create and delete user accounts
Create a unique user account for each person on all computers in your company, in order to trace users' actions and to increase their sense of responsibility; shared or generic accounts make this impossible. Disable or delete accounts promptly when an employee leaves or changes role, so that no orphaned accounts remain.
- Define a strict password policy
Logins and passwords are simple and effective security measures if a few basic rules are followed. As with your bank card PIN, a password is always personal and confidential: it must not be shared, written down or stored in clear text. It must contain at least 8 characters including letters, numbers and special characters, and it should be changed regularly (note that current guidance such as NIST SP 800-63B favours longer passphrases, checks against known-compromised passwords and a change whenever compromise is suspected, over forced periodic renewal and composition rules). Finally, the system administrator should issue the initial password to each employee himself, and the system must force a change at the first login.
- Protect wireless and local networks
Many kinds of malware can harm your systems today: viruses, Trojan horses, keyloggers, spyware and worms. Security measures exist to limit your exposure to external attack: filtering routers, firewalls, anti-virus software, and so on. Pay particular attention to protecting your email and your wireless and local networks: on wireless networks use current encryption (WPA2 or WPA3) with a strong key, and keep guest or visitor Wi-Fi separate from the internal network.
- Restrict access rights
In your business, some data are more critical than others, some information is only handled by a restricted number of employees, some files are one person's responsibility alone, and so on. Therefore, make sure that each employee's access rights correspond to what their position actually requires (the principle of least privilege), and review those rights whenever someone changes role.
- Protect yourself in relation to external suppliers
Include a confidentiality clause in every IT subcontract. An employee of your company should supervise each service provider's intervention and record it in a dedicated register (who came, when, and what was accessed). In addition, data which the law classes as sensitive must be encrypted.
- Regularly test your backups
Regularly test that your data can actually be restored from your backups, in order to ensure a quick restart of your business after an incident. A backup that has never been restored is not a backup: the archive may be unreadable, incomplete or missing files that were added after the backup job was configured, and the only way to find out is to restore it and compare the result with what was supposed to be saved.
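The following is an added example of such a restore test, written for this checklist; it is not code from the original page. It assumes a simple scheme in which the backup job writes a gzip tar archive together with a JSON manifest of SHA-256 digests for every file captured; `make_backup`, `verify_backup`, `run_demo` and all file names and contents are constructed for the demonstration. The restore test extracts the archive into a scratch directory and checks every manifest entry against the restored copy, so it catches unreadable archives, corrupted files and files that the backup silently failed to capture.

```python
"""Automated restore test for a backup archive.

Added example for this checklist, not code from the original page. make_backup()
writes a gzip tar archive plus a JSON manifest with the SHA-256 digest of every
file captured; verify_backup() restores the archive into a scratch directory and
checks every manifest entry against the restored copy. All file names and
contents below are constructed for the demo.
"""
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    """Digest a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path, manifest_path):
    """Archive every regular file under src_dir and record its digest.

    The manifest is what makes the later restore test meaningful: without it we
    could only check that extraction did not crash, not that the data is intact.
    """
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_backup(archive_path, manifest_path):
    """Restore the archive into a scratch directory and compare to the manifest.

    Returns a list of problems; an empty list means every file listed at backup
    time was restored with the expected content.
    """
    with open(manifest_path) as f:
        manifest = json.load(f)
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                # The 'data' extraction filter (Python 3.12+, backported to
                # maintenance releases) refuses absolute paths, '..' components
                # and links escaping the target: a damaged or tampered archive
                # must not be able to write outside the scratch directory.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kwargs)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return ["archive unreadable: %s" % exc]
        for rel, expected in sorted(manifest.items()):
            restored = os.path.join(scratch, *rel.split("/"))
            if not os.path.isfile(restored):
                problems.append("missing: " + rel)
            elif sha256_file(restored) != expected:
                problems.append("corrupt: " + rel)
    return problems


def run_demo():
    """Back up a constructed directory tree, then verify a good archive and one
    taken while part of the tree was unavailable. Returns (good, bad)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "reports"))
        with open(os.path.join(src, "customers.db"), "wb") as f:
            f.write(b"constructed sample record\n" * 200)
        with open(os.path.join(src, "reports", "q2.csv"), "w") as f:
            f.write("id,amount\n1,42\n")

        archive = os.path.join(work, "backup.tar.gz")
        manifest = os.path.join(work, "backup.manifest.json")
        make_backup(src, archive, manifest)
        good = verify_backup(archive, manifest)

        # Failure mode: the next run happens while the reports share is not
        # mounted, so the archive silently lacks a file the manifest expects.
        os.remove(os.path.join(src, "reports", "q2.csv"))
        partial = os.path.join(work, "backup-partial.tar.gz")
        make_backup(src, partial, os.path.join(work, "ignored.json"))
        bad = verify_backup(partial, manifest)
        return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("full backup:", good or "OK")
    print("partial backup:", bad)
```

Run it as a scheduled job against the most recent archive and treat any non-empty problem list as an incident to investigate; keeping the manifest separate from the archive (for instance with the recovery procedure) is what lets the test detect files that were never captured, which no amount of checking the archive alone can reveal.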
- Increase your employees’ awareness of the IT risks
Several tools can be used to communicate these issues internally: training, memos, fact sheets, an intranet page, and so on. We recommend drafting an IT charter, signed by every employee, which sets out best practices and governs the use of telephony, the web and email.
- What to do in the event of a software incident (viruses, worms, rootkits, Trojans)?
- Notify the business’ IT manager
- Isolate the infected computer from the rest of the network (unplug the network cable and disable Wi-Fi) without switching it off, so that evidence in memory is preserved
- Run a scan, i.e. an analysis of the files with your anti-virus, using up-to-date signatures
- If the infection is not eradicated by the anti-virus, contact your IT service provider
- What to do in the event of a hardware incident (hard disk crash)?
- Notify the business’ IT manager
- Check that the failed drive was covered by your backups and that the latest backup completed successfully
- Save any work in progress to another medium, if the system is still usable
- Do not turn the system off, and call your IT service provider.