2. Create lists to reduce risk
Now that you’re aware of your assets and their relative risks, the next step is to mitigate those risks. There are certain things we should all know by now that we must do for every machine on our network: applying software updates in a timely fashion, making regular backups, encrypting sensitive data, using a reputable anti-malware program at the gateway and on endpoints, using firewalls and intrusion prevention software, and filtering email for unwanted or malicious content.
We should not stop with these basic techniques: by creating lists of systems and users that require varying levels of access, we can reduce risk or mitigate damage. Inevitably, there will be machines on your network that must be handled with kid gloves, and there will be others that must be allowed a great degree of autonomy.
Likewise, some users may require wide-ranging access, while the needs of others may be more limited. While machines and users that require relatively unfettered access can create major security headaches, it’s possible to limit potential damage.
It’s important not to give any individual, system or part of your network any more access than is absolutely necessary to perform approved job functions. For example, you should carefully consider whether employees must have administrator-level access to their machines, or access to areas of the network outside their own departments.
Some users will require different handling, depending on their role in your environment. Strong authentication and authorization can help you verify that users are who they say they are, and this identity can be checked against permission lists to determine what resources they are allowed to access.
Also, use more than simple usernames and passwords to verify your users’ identities, especially on machines with valuable or sensitive information. Two-factor authentication is now available on most online services, and can be easily added to your own login processes.
Finally, keep uncontrolled devices, such as mobile devices or laptops brought by staff or students and internet-connected “smart” devices, in areas of your network that are unconnected to areas where sensitive data resides, e.g., payroll information, healthcare records, and research data. Keep the sensitive areas of the network segmented so that they are separate from each other and so that an attacker cannot use a less-secured device in your environment to get to a more valuable area.
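One way to check that segmentation goal against a list of allowed flows, as an added example that is not part of the original article: the script walks the allow-list transitively, so it also catches an uncontrolled segment that reaches sensitive data through an intermediate segment. The segment names and the sample policy are constructed for illustration, and the check conservatively assumes any segment that can be reached can be used as a stepping stone.

```python
from collections import deque

# Constructed sample policy (hypothetical segment names): each segment maps
# to the segments it is allowed to open connections to.
ALLOWED_FLOWS = {
    "byod_wifi": {"internet", "print_services"},
    "smart_devices": {"internet", "building_mgmt"},
    "print_services": {"staff_lan"},
    "staff_lan": {"internet", "payroll", "print_services"},
    "research_lan": {"internet", "research_data"},
}
UNCONTROLLED = {"byod_wifi", "smart_devices"}
SENSITIVE = {"payroll", "health_records", "research_data"}


def find_path(flows, start, targets):
    """Breadth-first search: shortest chain of allowed flows from start
    to any target segment, or None if no chain exists."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        for nxt in sorted(flows.get(path[-1], ())):
            if nxt in seen:
                continue
            if nxt in targets:
                return path + [nxt]
            seen.add(nxt)
            queue.append(path + [nxt])
    return None


def audit_segmentation(flows, uncontrolled, sensitive):
    """Map each uncontrolled segment to a path that reaches sensitive data.
    An empty result means the segmentation goal holds for this policy."""
    findings = {}
    for segment in sorted(uncontrolled):
        path = find_path(flows, segment, sensitive)
        if path:
            findings[segment] = path
    return findings


if __name__ == "__main__":
    for segment, path in audit_segmentation(
            ALLOWED_FLOWS, UNCONTROLLED, SENSITIVE).items():
        print(f"{segment} can reach sensitive data via: " + " -> ".join(path))
```

In the sample policy no rule connects the guest Wi-Fi to payroll directly, yet the audit reports the chain through the print services and staff segments; removing the print_services to staff_lan flow clears the finding.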
3. Gather support
Technological solutions can help mitigate some risks, but if you’re not addressing the way people interact with your network, your hard work may be all for naught.
Research shows that 52 percent of data breaches are the result of user error. If security methods cause too much hassle—if your users don’t understand what constitutes safe computing behavior or why it’s essential—they may thwart technological protections.
Security has gotten a bad reputation for introducing impossible hurdles and constantly looking over people’s shoulders. If you work with your users to see how they go about their daily tasks, you can tailor security measures to their needs so that those measures enable users to safely do what they need to do. If done properly, this can even help users strengthen their privacy.
Once appropriate security measures are codified in an Acceptable Use Policy, you can start regularly training users about how to keep data and machines within the campus network secure. You wouldn’t explain the whole of geometry to a student once and then leave it at that. Likewise, it’s important to give security lessons to your users in digestible chunks and then build on important concepts over time (free resources exist).
Users are the eyes and ears of your network. By enlisting their help to distinguish between normal and anomalous behavior, and rewarding safer behavior, you can offer users more incentive to help improve your organization’s security. This, coupled with risk assessment and technological mitigation methods, can make a huge difference in your ability to fend off security disasters.